
 #27302  by hiepkhachjagh0
 Wed Nov 25, 2015 10:37 am
I used WinDbg to look at KeAddSystemServiceTable.
I cannot find KeServiceDescriptorTableShadow. So where can I find KeServiceDescriptorTableShadow? I would be grateful for an answer :|
 u KeAddSystemServiceTable
     81ff1f10 8bff            mov     edi,edi
     81ff1f12 55              push    ebp
     81ff1f13 8bec            mov     ebp,esp
     81ff1f15 837d1801        cmp     dword ptr [ebp+18h],1
     81ff1f19 7533            jne     nt!KeAddSystemServiceTable+0x3e (81ff1f4e)
     81ff1f1b 833d1053e98100  cmp     dword ptr [nt!KeServiceDescriptorTable+0x10 (81e95310)],0
     81ff1f22 752a            jne     nt!KeAddSystemServiceTable+0x3e (81ff1f4e)
     81ff1f24 833dd052e98100  cmp     dword ptr [nt!KeNumberProcessors+0x36 (81e952d0)],0
     kd> u
     81ff1f2b 7521            jne     nt!KeAddSystemServiceTable+0x3e (81ff1f4e)
     81ff1f2d 8b4d08          mov     ecx,dword ptr [ebp+8]
     81ff1f30 b001            mov     al,1
     81ff1f32 890dd052e981    mov     dword ptr [nt!KeNumberProcessors+0x36 (81e952d0)],ecx
     81ff1f38 8b4d10          mov     ecx,dword ptr [ebp+10h]
     81ff1f3b 890dd852e981    mov     dword ptr [nt!KeNumberProcessors+0x3e (81e952d8)],ecx
     81ff1f41 8b4d14          mov     ecx,dword ptr [ebp+14h]
     81ff1f44 890ddc52e981    mov     dword ptr [nt!KeNumberProcessors+0x42 (81e952dc)],ecx
     kd> u
     81ff1f4a 5d              pop     ebp
     81ff1f4b c21400          ret     14h
     81ff1f4e 32c0            xor     al,al
     81ff1f50 ebf8            jmp     nt!KeAddSystemServiceTable+0x3a (81ff1f4a)

On another Windows 10 version (build 10240), I have found the following:
kd> u KeAddSystemServiceTable
    81deb1e6 8bff            mov     edi,edi
    81deb1e8 55              push    ebp
    81deb1e9 8bec            mov     ebp,esp
    81deb1eb 837d1801        cmp     dword ptr [ebp+18h],1
    81deb1ef 7533            jne     nt!KeAddSystemServiceTable+0x3e (81deb224)
    81deb1f1 833dd0e2c78100  cmp     dword ptr [nt!KeServiceDescriptorTable+0x10 (81c7e2d0)],0
    81deb1f8 752a            jne     nt!KeAddSystemServiceTable+0x3e (81deb224)
    81deb1fa 833d90e2c78100  cmp     dword ptr [nt!KeServiceDescriptorTableShadow+0x10 (81c7e290)],0
    kd> u
    81deb201 7521            jne     nt!KeAddSystemServiceTable+0x3e (81deb224)
    81deb203 8b4d08          mov     ecx,dword ptr [ebp+8]
    81deb206 b001            mov     al,1
    81deb208 890d90e2c781    mov     dword ptr [nt!KeServiceDescriptorTableShadow+0x10 (81c7e290)],ecx
    81deb20e 8b4d10          mov     ecx,dword ptr [ebp+10h]
    81deb211 890d98e2c781    mov     dword ptr [nt!KeServiceDescriptorTableShadow+0x18 (81c7e298)],ecx
    81deb217 8b4d14          mov     ecx,dword ptr [ebp+14h]
    81deb21a 890d9ce2c781    mov     dword ptr [nt!KeServiceDescriptorTableShadow+0x1c (81c7e29c)],ecx
    kd> u
    81deb220 5d              pop     ebp
    81deb221 c21400          ret     14h
    81deb224 32c0            xor     al,al
    81deb226 ebf8            jmp     nt!KeAddSystemServiceTable+0x3a (81deb220)
Last edited by EP_X0FF on Wed Nov 25, 2015 4:27 pm, edited 1 time in total. Reason: Do not use red color, it is reserved for use by mods/admins
 #27304  by EP_X0FF
 Wed Nov 25, 2015 4:31 pm
You can extract it from right after KiSystemServiceStart on all NT versions since Vista up to 10TH2.
 #27333  by hiepkhachjagh0
 Sat Nov 28, 2015 7:33 am
Thank you very much, but I don't understand why I can't see KiSystemServiceStart or KeServiceDescriptorTableShadow with WinDbg (Windows 10 build 1511). When I use WinDbg to look at nt!ZwCreateFile it is not what I expected: ZwCreateFile calls ExfUnblockPushLock. Can you help me? Thank you.
kd> u KiSystemServiceStart
Couldn't resolve error at 'KiSystemServiceStart'
kd> dps KeServiceDescriptorTableShadow
Couldn't resolve error at 'KeServiceDescriptorTableShadow'
kd> u nt!ZwCreateFile
81581f60 b870010000      mov     eax,170h
81581f65 8d542404        lea     edx,[esp+4]
81581f69 9c              pushfd
81581f6a 6a08            push    8
81581f6c e844ec0000      call    nt!ExfUnblockPushLock+0x11ca (81590bb5)
81581f71 c22c00          ret     2Ch
81581f74 b871010000      mov     eax,171h
81581f79 8d542404        lea     edx,[esp+4]
kd> u
81581f7d 9c              pushfd
81581f7e 6a08            push    8
81581f80 e830ec0000      call    nt!ExfUnblockPushLock+0x11ca (81590bb5)
81581f85 c20c00          ret     0Ch
81581f88 b872010000      mov     eax,172h
81581f8d 8d542404        lea     edx,[esp+4]
81581f91 9c              pushfd
81581f92 6a08            push    8
kd> u
81581f94 e81cec0000      call    nt!ExfUnblockPushLock+0x11ca (81590bb5)
81581f99 c21400          ret     14h
81581f9c b873010000      mov     eax,173h
81581fa1 8d542404        lea     edx,[esp+4]
81581fa5 9c              pushfd
81581fa6 6a08            push    8
81581fa8 e808ec0000      call    nt!ExfUnblockPushLock+0x11ca (81590bb5)
81581fad c22000          ret     20h
 #27454  by EP_X0FF
 Wed Dec 23, 2015 6:13 am
Your symbols are broken. WinDbg cannot resolve KiSystemServiceStart or KeServiceDescriptorTableShadow, and in your ZwCreateFile listing it names the call target as the nearest symbol it does have plus a large offset (nt!ExfUnblockPushLock+0x11ca), which is the usual sign that the correct symbols for this kernel build were not loaded.
lkd> u KiSystemServiceStart 
fffff801`a135ff3e 4889a390000000  mov     qword ptr [rbx+90h],rsp
fffff801`a135ff45 8bf8            mov     edi,eax
fffff801`a135ff47 c1ef07          shr     edi,7
fffff801`a135ff4a 83e720          and     edi,20h
fffff801`a135ff4d 25ff0f0000      and     eax,0FFFh
fffff801`a135ff52 4c8d15273b2000  lea     r10,[nt!KeServiceDescriptorTable (fffff801`a1563a80)]
fffff801`a135ff59 4c8d1d603b2000  lea     r11,[nt!KeServiceDescriptorTableShadow (fffff801`a1563ac0)]
fffff801`a135ff60 f7437840000000  test    dword ptr [rbx+78h],40h
lkd> u ZwCreateFile
fffff801`a1351cc0 488bc4          mov     rax,rsp
fffff801`a1351cc3 fa              cli
fffff801`a1351cc4 4883ec10        sub     rsp,10h
fffff801`a1351cc8 50              push    rax
fffff801`a1351cc9 9c              pushfq
fffff801`a1351cca 6a10            push    10h
fffff801`a1351ccc 488d054d680000  lea     rax,[nt!KiServiceLinkage (fffff801`a1358520)]
fffff801`a1351cd3 50              push    rax