A forum for reverse engineering, OS internals and malware analysis 

 #8089  by Alex
 Wed Aug 17, 2011 6:58 pm
Here is a list with indexes of SSDT of different OS'es - Windows WIN32K.SYS System Call Table (NT/2000/XP/2003/Vista/2008/7) and here is an example how to hook SSDT - HookShadowSSDT.rar and finally some description Chapter 5 - Monitoring Native API Calls (source - Undocumented Windows 2000 Secrets).
 #8098  by Tigzy
 Thu Aug 18, 2011 9:42 am
@Alex: In the hook code, there is something I misunderstood:

What is that? GetCsrPid()
This is the PID of which process?

Why do we need to attach to this?
 #8103  by EP_X0FF
 Thu Aug 18, 2011 10:11 am
Tigzy wrote: @Alex: In the hook code, there is something I misunderstood:

What is that? GetCsrPid()
This is the PID of which process?

Why do we need to attach to this?
1. To get the Csrss PID.
2. To be able to work with the shadow table, because as I see it, the code is running in DriverEntry in system context, which is not a GUI process.
 #8104  by Tigzy
 Thu Aug 18, 2011 11:01 am
Ok thanks.

One last thing: on the link http://j00ru.vexillium.org/win32k_syscalls/ the system call numbers are 4*4 bits wide, but in the hardcoded sample we have only 3*4 bits.
The leading "1" which is on every syscall is missing. So where has it gone?
Code:
DbgPrint("comint32: Running on Windows 2003");
NtUserFindWindowEx_callnumber = 0x179;
NtUserGetForegroundWindow_callnumber = 0x193;
NtUserBuildHwndList_callnumber = 0x137;
NtUserQueryWindow_callnumber = 0x1E1;
NtUserWindowFromPoint_callnumber = 0x24C;
NtUserFindWindowEx: 0x1179 on the link
 #8105  by EP_X0FF
 Thu Aug 18, 2011 11:10 am
This is an array of pointers with indexes starting from zero (NtGdiAbortDoc) and service id 0x1000. It is quite obvious. Values with a service id lower than 0x1000 are used in the system service table.
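As an added example (not from the thread or from the hook sample), a user-mode C model of the descriptor array that decodes a win32k service id the way EP_X0FF describes (table selector plus zero-based index) and then runs the check a defender applies to a shadow table: every entry should point inside win32k.sys. The module bounds, the table size and the hook address are constructed values.

```c
#include <stddef.h>
#include <stdint.h>
/* User-mode model of the x86 KSERVICE_TABLE_DESCRIPTOR (Base, Count, Limit, Number);
   the shadow array holds two of them: [0] ntoskrnl, [1] win32k. */
typedef struct {
    const uintptr_t *Base;  /* ServiceTableBase: array of handler addresses */
    uint32_t *Count;        /* ServiceCounterTableBase, unused here */
    uint32_t Limit;         /* NumberOfServices */
    const uint8_t *Number;  /* ParamTableBase, unused here */
} SERVICE_TABLE_DESCRIPTOR;

/* Service id layout on x86: bits 12-13 select the descriptor, bits 0-11 the index,
   so 0x1179 (NtUserFindWindowEx) is table 1, index 0x179. */
#define SYSCALL_TABLE(id) (((id) >> 12) & 0x3u)
#define SYSCALL_INDEX(id) ((id) & 0xFFFu)

/* Resolve a service id with the kernel's bounds check; 0 means no such service. */
uintptr_t resolve_service(const SERVICE_TABLE_DESCRIPTOR *tables, unsigned ntables, uint32_t id)
{
    unsigned t = SYSCALL_TABLE(id);
    uint32_t idx = SYSCALL_INDEX(id);
    if (t >= ntables || tables[t].Base == NULL || idx >= tables[t].Limit)
        return 0;
    return tables[t].Base[idx];
}

/* Constructed demo data: fake win32k.sys bounds, an empty ntoskrnl slot and a
   shadow table of SHADOW_LIMIT entries. */
#define WIN32K_START 0xBF800000u
#define WIN32K_END   0xBF9C0000u
#define SHADOW_LIMIT 0x250u
static uintptr_t g_shadow[SHADOW_LIMIT];
SERVICE_TABLE_DESCRIPTOR g_tables[2] = {
    { NULL,     NULL, 0,            NULL },
    { g_shadow, NULL, SHADOW_LIMIT, NULL },
};

/* Fill the shadow table with in-module addresses, plant one hook at 0x1179, then
   walk every win32k service id; an entry outside win32k.sys is a candidate hook. */
unsigned count_shadow_hooks(void)
{
    unsigned hooked = 0;
    for (uint32_t i = 0; i < SHADOW_LIMIT; i++)
        g_shadow[i] = WIN32K_START + 0x1000u + i * 0x40u;
    g_shadow[SYSCALL_INDEX(0x1179)] = 0xF7A01000u;  /* constructed: rogue driver */
    for (uint32_t id = 0x1000; id < 0x1000 + SHADOW_LIMIT; id++) {
        uintptr_t e = resolve_service(g_tables, 2, id);
        if (e != 0 && (e < WIN32K_START || e >= WIN32K_END))
            hooked++;
    }
    return hooked;
}
```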
 #8106  by Tigzy
 Thu Aug 18, 2011 11:32 am
Ok, understood. The base address is included in the hook code.

--

May I ask you to explain what that sample does?
KeAddSystemServiceTable is an API to add an SSDT in memory, right?
4096 must be the size of that block of memory where all SSDT pointers are stored?
What does the mem compare try to do? What is 16 bytes, the size of the KeServiceDescriptorTable struct?
Code:
#include <ntddk.h>

/* ntoskrnl exports the scan relies on; no WDK header declares them (x86 only). */
extern PVOID KeServiceDescriptorTable;
NTKERNELAPI BOOLEAN NTAPI KeAddSystemServiceTable(PULONG_PTR Base, PULONG Count, ULONG Limit, PUCHAR Number, ULONG Index);

/* Scan the first 4096 bytes of KeAddSystemServiceTable for an embedded pointer to a
   descriptor that looks like KeServiceDescriptorTable but is not it: that is the
   non-exported KeServiceDescriptorTableShadow. 16 bytes is one x86 descriptor
   entry (Base, Count, Limit, Number), identical in both arrays for ntoskrnl. */
unsigned int getAddressOfShadowTable()
{
    unsigned int i;
    unsigned char *p;
    unsigned int dwordatbyte;

    p = (unsigned char*) KeAddSystemServiceTable;

    for(i = 0; i < 4096; i++, p++)
    {
        /* Unaligned read of every byte offset; guard against running off a page */
        __try
        {
            dwordatbyte = *(unsigned int*)p;
        }
        __except(EXCEPTION_EXECUTE_HANDLER)
        {
            return 0;
        }

        if(MmIsAddressValid((PVOID)dwordatbyte))
        {
            if(memcmp((PVOID)dwordatbyte, &KeServiceDescriptorTable, 16) == 0)
            {
                /* Skip the reference to the exported table itself */
                if((PVOID)dwordatbyte == &KeServiceDescriptorTable)
                {
                    continue;
                }

                return dwordatbyte;
            }
        }
    }

    return 0;
}
 #8107  by EP_X0FF
 Thu Aug 18, 2011 12:12 pm
This code is full of perversions, and this is the way they get the address of the service descriptor table: by doing a memory scan and then working with the shadow table through the acquired pointer.
I suggest carefully reviewing anything from this bsod-generator source code.
 #8109  by kmd
 Thu Aug 18, 2011 12:22 pm
Tigzy wrote: GetProcAddress on a dll gets an index from the IAT, right?
No, actually from the export table of the given module.