A forum for reverse engineering, OS internals and malware analysis 

Forum for discussion about kernel-mode development.
 #8628  by Tigzy
 Mon Sep 19, 2011 11:13 am
Hello

I'm trying to restore some altered SSDT indexes, and to do so I need to find the true addresses of these funcs.
Gmer told me he was using a scan function in ntoskrnl to retrieve these pointers.

How is this possible? Is there an opcode template to find which indicates the beginning of a func in memory? If yes, how can we find the name of this function?

Thanks in advance
 #8632  by rkhunter
 Mon Sep 19, 2011 11:55 am
KeServiceDescriptorTable is initialized by KiInitSystem():

KeServiceDescriptorTable[0].Base   = &KiServiceTable[0];    // the system call table itself
KeServiceDescriptorTable[0].Count  = NULL;                  // per-service call counters (unused)
KeServiceDescriptorTable[0].Limit  = KiServiceLimit;        // number of entries in the table
KeServiceDescriptorTable[0].Number = &KiArgumentTable[0];   // argument byte count per service

for (Index = 1; Index < NUMBER_SERVICE_TABLES; Index += 1) {
    KeServiceDescriptorTable[Index].Limit = 0;              // remaining tables start empty
}

Thus, we can find KiServiceTable by examining all xrefs to KeServiceDescriptorTable in the kernel. We will search for

C7 05 ..8 bytes.. mov ds:_KeServiceDescriptorTable.Base, offset _KiServiceTable

from which we will get _KiServiceTable rva.

It's easy to find KeServiceDescriptorTable xrefs by scanning the code, but this is dangerous and time-consuming. It's better to use ntoskrnl's relocation information - it is always present in all nt systems.
This "mov [mem32], imm32" instruction will have 2 relocs pointing in it, and the second is the one we're searching for. So, the usermode code will do these steps:

1. Load ntoskrnl as a dll.
2. Locate KeServiceDescriptorTable - it is exported.
3. Enumerate all relocations to find xrefs to the KeServiceDescriptorTable.
4. Check these opcodes to be a "mov [mem32],imm32".
5. Get KiServiceTable - its offset is +6 from the opcode beginning.
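Steps 3 to 5 of the list above, as an added example that is not rkhunter's code: a Python sketch that walks raw .reloc blocks for HIGHLOW fixups and checks each candidate for the C7 05 <disp32> <imm32> encoding with a second fixup at +6. It assumes steps 1 and 2 are done by the caller, who passes the mapped 32-bit image as bytes indexed by RVA (already relocated to its load base), that base, the exported KeServiceDescriptorTable address and the raw .reloc section; the sample image under __main__ is constructed, not taken from any real kernel.

```python
import struct

def parse_highlow_relocs(reloc_section):
    """RVAs of every HIGHLOW (type 3) fixup in raw .reloc data: a run of
    IMAGE_BASE_RELOCATION blocks (u32 page RVA, u32 size, u16 entries)."""
    rvas, off = [], 0
    while off + 8 <= len(reloc_section):
        page_rva, block_size = struct.unpack_from("<II", reloc_section, off)
        if block_size < 8 or off + block_size > len(reloc_section):
            break  # corrupt or truncated block: stop instead of reading past it
        for entry_off in range(off + 8, off + block_size, 2):
            (entry,) = struct.unpack_from("<H", reloc_section, entry_off)
            if entry >> 12 == 3:  # IMAGE_REL_BASED_HIGHLOW: 32-bit absolute fixup
                rvas.append(page_rva + (entry & 0xFFF))
        off += block_size
    return rvas

def find_kiservicetable_rva(image, image_base, ksdt_va, reloc_rvas):
    """Locate 'mov dword ptr [KeServiceDescriptorTable.Base], offset KiServiceTable'
    in a mapped, relocated 32-bit image (bytes indexed by RVA) and return the
    RVA of KiServiceTable, or None if no instruction matches."""
    relocs = set(reloc_rvas)
    for rva in sorted(relocs):
        start = rva - 2  # encoding is C7 05 <disp32> <imm32>; disp32 sits at +2
        if start < 0 or start + 10 > len(image):
            continue
        if image[start:start + 2] != b"\xc7\x05":
            continue  # this fixup is not inside a 'mov [mem32], imm32'
        disp32, imm32 = struct.unpack_from("<II", image, start + 2)
        if disp32 != ksdt_va:
            continue  # store to another field or variable (e.g. .Number at +0xC)
        if rva + 4 not in relocs:
            continue  # the imm32 at +6 must carry the second fixup
        return imm32 - image_base  # offset KiServiceTable -> RVA
    return None

if __name__ == "__main__":
    # Constructed sample: the real mov at RVA 0x1010, a decoy storing
    # KSDT.Number at 0x1100, and one .reloc block covering page 0x1000.
    img = bytearray(0x3000)
    img[0x1010:0x101A] = b"\xc7\x05" + struct.pack("<II", 0x402000, 0x401800)
    img[0x1100:0x110A] = b"\xc7\x05" + struct.pack("<II", 0x40200C, 0x401900)
    reloc = struct.pack("<II6H", 0x1000, 20, 0x3012, 0x3016, 0x3102, 0x3106, 0, 0)
    rva = find_kiservicetable_rva(bytes(img), 0x400000, 0x402000, parse_highlow_relocs(reloc))
    print(hex(rva))  # 0x1800
```

The C7 05 form is the 32-bit encoding only; a 64-bit kernel uses RIP-relative stores and does not export KeServiceDescriptorTable, so this particular pattern does not carry over to x64.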