A forum for reverse engineering, OS internals and malware analysis 

 #3202  by driverobject
 Sun Oct 24, 2010 5:36 am
Hi all,

I'm having trouble with the undeclared identifier error whenever I try to directly reference KeServiceDescriptorTable in code. I include ntddk.h.

I've been looking at code that directly references this kernel global to manipulate it, and it doesn't seem to do anything special to find the address of this global; in that code it looks to be accessible through the usual DDK libraries and headers.

Any samples of how to read this table are much appreciated. I'm working towards a rootkit detection tool.

Thanks,
 #3203  by driverobject
 Sun Oct 24, 2010 7:32 am
Hi all,

I was able to do this from an example in Rev. Bill Blunden's book on rootkits:
/* One entry of the service descriptor table (x86 layout, 32-bit pointers).
 * DWORD is not defined by ntddk.h itself; ULONG is the kernel equivalent. */
#pragma pack(1)
typedef struct ServiceDescriptorEntry
{
	DWORD *KiServiceTable;    /* array of nSystemCalls handler addresses */
	DWORD *CounterBaseTable;  /* per-call counters (checked builds) */
	DWORD nSystemCalls;       /* number of entries in KiServiceTable */
	DWORD *KiArgumentTable;   /* bytes of arguments for each call */
} SDE, *PSDE;
#pragma pack()

typedef struct ServiceDescriptorTable
{
	SDE ServiceDescriptor[4];
} SDT;

/* Resolved from ntoskrnl's export table at load time (x86 only; the
 * symbol is not exported on x64). */
__declspec(dllimport) SDE KeServiceDescriptorTable;
The lesson from this for me is: first get information on the structure of the type, declare it, then use dllimport to bring it in. How it gets the correct symbol out of the correct module is a mystery to me that I'll probably learn about later.
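Once the table can be read, the check a detection tool applies to it is portable: every dispatch target in KiServiceTable should lie inside the image of the module that owns the system calls (ntoskrnl.exe). The block below is an added example, not code from the thread or from Blunden's book. It mirrors the SDE layout from the post with fixed-width types so it builds in user mode, and it walks a constructed six-entry table against a placeholder kernel image range, reporting the indices whose targets fall outside it. The addresses, the image range and the helper names (`find_hooked_entries`, `sample_table`) are all assumptions made up for the example.

```c
/* Added example: the SSDT integrity check a detection driver would run
 * after reading KeServiceDescriptorTable. Not from the original post. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Same layout as the poster's SDE, using fixed-width types so it compiles
 * outside the DDK. Entries hold 32-bit addresses, as in the x86 table. */
#pragma pack(1)
typedef struct ServiceDescriptorEntry {
    uint32_t *KiServiceTable;    /* nSystemCalls handler addresses */
    uint32_t *CounterBaseTable;  /* per-call counters (unused here) */
    uint32_t  nSystemCalls;
    uint32_t *KiArgumentTable;   /* argument bytes per call (unused here) */
} SDE;
#pragma pack()

/* Image range of the module that legitimately owns the dispatch targets.
 * A real tool obtains base and size at runtime (e.g. from the loaded-module
 * list); the values used below are placeholders. */
typedef struct { uint32_t base; uint32_t size; } ImageRange;

/* Returns 1 if addr lies inside [base, base + size). */
static int in_image(const ImageRange *img, uint32_t addr) {
    return addr >= img->base && (addr - img->base) < img->size;
}

/* Walks the service table and records every entry whose target lies
 * outside the owning image. Returns the count of such entries; the first
 * max_out indices are written to out_idx. */
size_t find_hooked_entries(const SDE *sde, const ImageRange *kernel,
                           uint32_t *out_idx, size_t max_out) {
    size_t found = 0;
    for (uint32_t i = 0; i < sde->nSystemCalls; i++) {
        if (!in_image(kernel, sde->KiServiceTable[i])) {
            if (found < max_out)
                out_idx[found] = i;
            found++;
        }
    }
    return found;
}

/* Constructed sample data: a six-entry table in which entries 1 and 4
 * point outside the kernel image. All addresses are made up. */
static uint32_t g_sample_services[6] = {
    0x8040A000u, 0xF7C01234u, 0x8041B000u,
    0x80420000u, 0xF8800100u, 0x8043C000u
};
static uint32_t g_sample_counters[6] = { 0 };
static uint32_t g_sample_args[6] = { 0x18, 0x20, 0x2C, 0x40, 0x2C, 0x10 };
static const ImageRange g_kernel = { 0x80400000u, 0x00200000u }; /* placeholder */

SDE sample_table(void) {
    SDE t;
    t.KiServiceTable   = g_sample_services;
    t.CounterBaseTable = g_sample_counters;
    t.nSystemCalls     = 6;
    t.KiArgumentTable  = g_sample_args;
    return t;
}

const ImageRange *sample_kernel_range(void) { return &g_kernel; }

int main(void) {
    SDE t = sample_table();
    uint32_t idx[16];
    size_t n = find_hooked_entries(&t, sample_kernel_range(), idx, 16);
    printf("%zu entries point outside the kernel image\n", n);
    for (size_t i = 0; i < n && i < 16; i++)
        printf("  service %u -> 0x%08X\n", idx[i], t.KiServiceTable[idx[i]]);
    return 0;
}
```

In a driver the same walk runs over the real `KeServiceDescriptorTable` after the owning image's base and size have been looked up, and an entry flagged here is a starting point for inspection rather than proof of a hook: a legitimately loaded filter can also redirect a call, so the flagged target's owning module should be identified before drawing a conclusion.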