 #28677  by flauteABC
 Tue Jun 14, 2016 2:56 pm
In the latest Windows 10 updates Microsoft changes win32k!W32pServiceTable very often, which makes win32k syscall hooks trickier to set. Is there a way to get the indexes dynamically without using symbols?
 #28683  by EP_X0FF
 Wed Jun 15, 2016 3:41 am
I never checked whether this works at all. If you have a dump of the shadow table addresses, then you can try to backtrace a user32 call and look whether the backtrace contains any of the addresses from this table. Maybe this doesn't even work on modern NT, idk, try.
 #28800  by EP_X0FF
 Sat Jul 02, 2016 10:40 am
Starting from Win10 you can build the complete shadow table using the win32k.sys export W32pServiceTable and translating all its entries to the corresponding service names using the win32k.sys imports (win32k.sys imports them from win32kfull/win32kbase). No symbols required at all.
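As an added illustration of the translation step EP_X0FF describes (example code, not from the thread or from any tool the posters use), the Python below resolves each W32pServiceTable entry to an imported name and then looks up a service index by name. It assumes an x64 image in which every table entry points at a forwarder stub of the form `jmp qword ptr [rip+disp32]` (FF 25 disp32) whose target is an IAT slot; that stub encoding, the load address, the IAT layout, the service names' positions and the single non-forwarding entry are all constructed for the example and are not real Windows 10 offsets or indexes. On a real file the flat image, the export address of W32pServiceTable and the IAT slot-to-name map would come from a PE parser (pefile's `DIRECTORY_ENTRY_EXPORT` and `DIRECTORY_ENTRY_IMPORT`) rather than from `build_image()`.

```python
import struct

# Constructed layout standing in for a mapped win32k.sys. Nothing here is a
# real Windows 10 address, offset or service index.
IMAGE_BASE = 0xFFFFF97F00000000        # hypothetical load address
IAT_BASE = IMAGE_BASE + 0x1000         # hypothetical IAT slots, 8 bytes each
STUB_BASE = IMAGE_BASE + 0x2000        # hypothetical forwarder stubs, 6 bytes each
TABLE_VA = IMAGE_BASE + 0x3000         # hypothetical VA of the exported W32pServiceTable
STUB_LEN = 6                           # FF 25 + 4-byte displacement

# Constructed import map: IAT slot VA -> (module, function). On a real image this
# is built from the import directory of win32k.sys.
IMPORTS = {
    IAT_BASE + 0x00: ("win32kfull.sys", "NtUserGetThreadState"),
    IAT_BASE + 0x08: ("win32kfull.sys", "NtGdiBitBlt"),
    IAT_BASE + 0x10: ("win32kbase.sys", "NtUserSetWindowsHookEx"),
}


def encode_jmp_rip_rel(stub_va, target_va):
    """Encode `jmp qword ptr [rip+disp32]`; RIP is the address after the 6-byte instruction."""
    return b"\xFF\x25" + struct.pack("<i", target_va - (stub_va + STUB_LEN))


def build_image():
    """Lay out stubs and a 4-entry service table in a flat image starting at IMAGE_BASE (constructed)."""
    buf = bytearray(0x3000 + 8 * 4)
    entries = []
    for i, slot_va in enumerate(sorted(IMPORTS)):
        va = STUB_BASE + STUB_LEN * i
        off = va - IMAGE_BASE
        buf[off:off + STUB_LEN] = encode_jmp_rip_rel(va, slot_va)
        entries.append(va)
    # One entry implemented inside win32k.sys itself: no IAT forwarder, just ordinary code.
    local_va = STUB_BASE + 0x100
    buf[local_va - IMAGE_BASE:local_va - IMAGE_BASE + 3] = b"\x48\x8B\xC4"   # mov rax, rsp
    entries.append(local_va)
    for idx, va in enumerate(entries):
        struct.pack_into("<Q", buf, TABLE_VA - IMAGE_BASE + 8 * idx, va)
    return bytes(buf), len(entries)


def resolve_service_table(image, table_va, count, imports, image_base=IMAGE_BASE):
    """Map index -> (module, name) for every table entry that forwards through the IAT, None otherwise."""
    resolved = {}
    for idx in range(count):
        entry_va = struct.unpack_from("<Q", image, table_va - image_base + 8 * idx)[0]
        off = entry_va - image_base
        stub = image[off:off + STUB_LEN]
        if stub[:2] != b"\xFF\x25":
            resolved[idx] = None            # not a forwarder: routine lives in win32k.sys itself
            continue
        disp = struct.unpack_from("<i", stub, 2)[0]
        slot_va = entry_va + STUB_LEN + disp   # RIP-relative target is the IAT slot
        resolved[idx] = imports.get(slot_va)   # None if the slot is not an import we know
    return resolved


def index_of(resolved, name):
    """Return the service index whose entry resolves to `name`, or -1 if absent."""
    for idx, entry in resolved.items():
        if entry is not None and entry[1] == name:
            return idx
    return -1


if __name__ == "__main__":
    image, count = build_image()
    table = resolve_service_table(image, TABLE_VA, count, IMPORTS)
    for idx in sorted(table):
        print(f"{idx:4d}  {table[idx]}")
    print("NtGdiBitBlt index:", index_of(table, "NtGdiBitBlt"))
```

Entries that do not decode as a forwarder are reported as `None` rather than guessed, which is the case a hook installer has to handle explicitly: an index whose name cannot be recovered from the import table should not be hooked on the assumption that it matches a previous build.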