A forum for reverse engineering, OS internals and malware analysis 

 #10076  by EP_X0FF
 Fri Dec 02, 2011 1:50 pm
Post your code. Use ZwOpenProcess instead.
 #10081  by utsav.0202
 Sat Dec 03, 2011 7:01 am
I don't get one thing.
Why do we need to KeAttachProcess(csrss process)?

I changed my code and tried to hook Shadow SSDT without KeAttachProcess(csrss process) and it worked absolutely fine.
Is it okay?
 #10087  by EP_X0FF
 Sat Dec 03, 2011 10:05 am
I do not understand how your posts relate to each other.
 #10088  by utsav.0202
 Sat Dec 03, 2011 10:18 am
First I tried as given in the file sssdt.h, and NtOpenProcess in getCsrPid() failed for all processes.
Then I posted my problem here.
Today I just tried to hook the Shadow table without attaching csrss.exe and it worked.
I mean, if it can work without attaching the shadow table, then why do we need it, or do we actually need it?
 #10090  by EP_X0FF
 Sat Dec 03, 2011 10:30 am
Depends on where you use this getCsrPid(). Obviously it is a kind of trick to get a pointer to the Shadow SSDT when running in the context of a non-GUI thread. However, the code you may be referring to (posted by Alex, I guess) is a bad Chinese example of programming.
 #10099  by Vrtule
 Sat Dec 03, 2011 12:09 pm
First I tried as given in the file sssdt.h, and NtOpenProcess in getCsrPid() failed for all processes.
I did not find this routine in that file. However, if you call NtOpenProcess from a kernel driver and the previous mode is UserMode, the routine will usually fail, because it accepts only parameters pointing to memory addresses accessible from user mode (the addresses of the OBJECT_ATTRIBUTES and CLIENT_ID structures). ZwOpenProcess can be understood as the following sequence of commands:
PreviousMode = KernelMode;
NtOpenProcess(...);

It sets the previous mode to KernelMode, so the operation will not fail even with the addresses of the OBJECT_ATTRIBUTES and CLIENT_ID structures pointing to kernel space.
Today I just tried to hook the Shadow table without attaching csrss.exe and it worked.
I mean, if it can work without attaching the shadow table, then why do we need it, or do we actually need it?
As EP has already said, everything depends on the context of the process in which you perform Shadow hooking. The Win32k.sys driver, where the most important parts of the shadow table are located, is not mapped in non-GUI processes because they don't need it; they use no system calls that redirect to the shadow table.

----
Hope I understood your problem well enough and that I was not much mistaken.
 #10146  by utsav.0202
 Mon Dec 05, 2011 10:34 am
And Vrtule, I am sorry, by mistake I posted the wrong link to the file that contains GetCsrPid().
As EP_X0FF rightly guessed, it was the one posted by Alex.