[flauteABC]

What has changed in Windows 10 for KeServiceDescriptorTableShadow? If I set a breakpoint on e.g.

win32k!NtUserCreateWindowEx
win32kfull!NtUserCreateWindowEx

I never get any break.

-- Flaut

[flauteABC]

I am not 100% sure but it looks like the KeServiceDescriptorTableShadow->ServiceTable has copy on right. Due to that modifications are persistent in the current process only.

[Vrtule]

copy on right

Do you mean copy on write? That's interesting. If this is the case, I think a system-wide modification might be possible when disabling WP bit of the CR0 register (or by mapping the table via MDL). Of course, Patchguard won't be happy about that.

[flauteABC]

Right copy on write. I tried modification via MDL and the changes are only visible for the particular process (for me csrss).

[hiepkhachjagh0]

Csrss on Windows 10 have much session, i think you need hook with all session