A forum for reverse engineering, OS internals and malware analysis 

Ask your beginner questions here.
 #8122  by EP_X0FF
 Thu Aug 18, 2011 3:17 pm
Tigzy wrote: does that loop travel through the ASM code of the KeAddSystemServiceTable API?
Is this the aim of the loop?
Obviously yes.
 #8125  by Tigzy
 Thu Aug 18, 2011 4:03 pm
Still me :D

While debugging KeAddSystemServiceTable, I can't see your LEA syscode...
Why? It's on XP.
kd> u KeAddSystemServiceTable
nt!KeAddSystemServiceTable:
80596784 8bff            mov     edi,edi
80596786 55              push    ebp
80596787 8bec            mov     ebp,esp
80596789 837d1803        cmp     dword ptr [ebp+18h],3
8059678d 7760            ja      nt!KeAddSystemServiceTable+0x6b (805967ef)
8059678f 8b4518          mov     eax,dword ptr [ebp+18h]
80596792 c1e004          shl     eax,4
80596795 83b8a02f558000  cmp     dword ptr nt!KeServiceDescriptorTable (80552fa0)[eax],0
 #8126  by EP_X0FF
 Thu Aug 18, 2011 4:09 pm
Captain Obvious told me: u command by default disassembles 8 instructions on x86 based processors :)

Solution

u KeAddSystemServiceTable l10
 #8127  by Vrtule
 Thu Aug 18, 2011 4:11 pm
This is the beginning of nt!KeAddSystemServiceTable on my XP system.
PAGE:004DBFF9                 mov     edi, edi
PAGE:004DBFFB                 push    ebp
PAGE:004DBFFC                 mov     ebp, esp
PAGE:004DBFFE                 cmp     [ebp+arg_10], 3
PAGE:004DC002                 ja      short loc_4DC052
PAGE:004DC004                 mov     eax, [ebp+arg_10]
PAGE:004DC007                 shl     eax, 4
PAGE:004DC00A                 cmp     _KeServiceDescriptorTable[eax], 0
PAGE:004DC011                 jnz     short loc_4DC052
PAGE:004DC013                 lea     ecx, _KeServiceDescriptorTableShadow[eax]
PAGE:004DC019                 cmp     dword ptr [ecx], 0
PAGE:004DC01C                 jnz     short loc_4DC052
PAGE:004DC01E                 cmp     [ebp+arg_10], 1
It seems that you must go a few instructions deeper into the function.

EDIT: Sorry for double-posting.
Last edited by Vrtule on Thu Aug 18, 2011 4:15 pm, edited 1 time in total.
 #8128  by Tigzy
 Thu Aug 18, 2011 4:13 pm
Yes, you're right, here's the whole block:
kd> u KeAddSystemServiceTable l 100
nt!KeAddSystemServiceTable:
80596784 8bff            mov     edi,edi
80596786 55              push    ebp
80596787 8bec            mov     ebp,esp
80596789 837d1803        cmp     dword ptr [ebp+18h],3
8059678d 7760            ja      nt!KeAddSystemServiceTable+0x6b (805967ef)
8059678f 8b4518          mov     eax,dword ptr [ebp+18h]
80596792 c1e004          shl     eax,4
80596795 83b8a02f558000  cmp     dword ptr nt!KeServiceDescriptorTable (80552fa0)[eax],0
8059679c 7551            jne     nt!KeAddSystemServiceTable+0x6b (805967ef)
8059679e 8d88602f5580    lea     ecx,nt!IoAdapterObjectType+0x1770 (80552f60)[eax]
805967a4 833900          cmp     dword ptr [ecx],0
805967a7 7546            jne     nt!KeAddSystemServiceTable+0x6b (805967ef)
805967a9 837d1801        cmp     dword ptr [ebp+18h],1
805967ad 8b5508          mov     edx,dword ptr [ebp+8]
805967b0 56              push    esi
805967b1 8b7510          mov     esi,dword ptr [ebp+10h]
805967b4 57              push    edi
805967b5 8b7d14          mov     edi,dword ptr [ebp+14h]
805967b8 8911            mov     dword ptr [ecx],edx
805967ba 8b4d0c          mov     ecx,dword ptr [ebp+0Ch]
805967bd 8988642f5580    mov     dword ptr nt!IoAdapterObjectType+0x1774 (80552f64)[eax],ecx
805967c3 89b0682f5580    mov     dword ptr nt!IoAdapterObjectType+0x1778 (80552f68)[eax],esi
805967c9 89b86c2f5580    mov     dword ptr nt!IoAdapterObjectType+0x177c (80552f6c)[eax],edi
805967cf 7418            je      nt!KeAddSystemServiceTable+0x65 (805967e9)
805967d1 8990a02f5580    mov     dword ptr nt!KeServiceDescriptorTable (80552fa0)[eax],edx
805967d7 8988a42f5580    mov     dword ptr nt!KeServiceDescriptorTable+0x4 (80552fa4)[eax],ecx
805967dd 89b0a82f5580    mov     dword ptr nt!KeServiceDescriptorTable+0x8 (80552fa8)[eax],esi
805967e3 89b8ac2f5580    mov     dword ptr nt!KeServiceDescriptorTable+0xc (80552fac)[eax],edi
805967e9 5f              pop     edi
805967ea b001            mov     al,1
805967ec 5e              pop     esi
805967ed eb02            jmp     nt!KeAddSystemServiceTable+0x6d (805967f1)
805967ef 32c0            xor     al,al
805967f1 5d              pop     ebp
805967f2 c21400          ret     14h
805967f5 cc              int     3
805967f6 cc              int     3
805967f7 cc              int     3
805967f8 cc              int     3
805967f9 cc              int     3
... Next is KeRemoveSystemServiceTable


So
8059679e 8d88602f5580    lea     ecx,nt!IoAdapterObjectType+0x1770 (80552f60)[eax]
This is THE line?
 #8129  by EP_X0FF
 Thu Aug 18, 2011 4:15 pm
BTW your symbols are incorrect.

.symfix
.reload
 #8130  by Tigzy
 Thu Aug 18, 2011 4:18 pm
Yes, that's better ;)
kd> u KeAddSystemServiceTable l 10
nt!KeAddSystemServiceTable:
80596784 8bff            mov     edi,edi
80596786 55              push    ebp
80596787 8bec            mov     ebp,esp
80596789 837d1803        cmp     dword ptr [ebp+18h],3
8059678d 7760            ja      nt!KeAddSystemServiceTable+0x6b (805967ef)
8059678f 8b4518          mov     eax,dword ptr [ebp+18h]
80596792 c1e004          shl     eax,4
80596795 83b8a02f558000  cmp     dword ptr nt!KeServiceDescriptorTable (80552fa0)[eax],0
8059679c 7551            jne     nt!KeAddSystemServiceTable+0x6b (805967ef)
8059679e 8d88602f5580    lea     ecx,nt!KeServiceDescriptorTableShadow (80552f60)[eax]
805967a4 833900          cmp     dword ptr [ecx],0
805967a7 7546            jne     nt!KeAddSystemServiceTable+0x6b (805967ef)
805967a9 837d1801        cmp     dword ptr [ebp+18h],1
805967ad 8b5508          mov     edx,dword ptr [ebp+8]
805967b0 56              push    esi
805967b1 8b7510          mov     esi,dword ptr [ebp+10h]
What is .symfix?
 #8156  by Brock
 Fri Aug 19, 2011 11:59 pm
I have always used the KeAddSystemServiceTable method to locate the shadow table base address, but there are plenty of other ways to do it as well, for example traversing threads (i.e. PsLookupThreadByThreadId) and locating a GUI thread. The address is kept in the thread's KTHREAD.ServiceTable field. You might want to validate this address range too in case it's been altered, because some malware does this and redirects to a copied shadow table that contains hooked services. You can also obtain the shadow table address easily from usermode; again, many ways really.
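As an added example (written for this thread, not code from any of the posters): a small C scanner that recovers the two table addresses from the instruction bytes of nt!KeAddSystemServiceTable as disassembled by Tigzy above. Instead of searching for a lone `8D 88` (which can also appear inside another instruction's operand), it matches the whole `cmp dword ptr [eax+imm32],0` / `jne rel8` / `lea ecx,[eax+imm32]` sequence, so the `lea` it reports is the one the thread identifies. It then checks the recovered shadow-table address against kernel image bounds, which is the range validation Brock recommends for spotting a redirected table. The byte array is copied from the XP listing in this thread; the image base and size are constructed placeholders, not values from the page, and the byte pattern is specific to the x86 XP build shown here (other builds need their own pattern or a real length disassembler).

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Addresses recovered from KeAddSystemServiceTable's code bytes. */
typedef struct {
    uint32_t ssdt;        /* operand of: cmp dword ptr nt!KeServiceDescriptorTable[eax],0  */
    uint32_t ssdt_shadow; /* operand of: lea ecx,nt!KeServiceDescriptorTableShadow[eax]    */
    size_t   lea_offset;  /* offset of the lea instruction inside the scanned buffer        */
} ssdt_refs_t;

/* First 32 bytes of nt!KeAddSystemServiceTable, taken from Tigzy's XP listing
 * (80596784..805967a3). Constructed sample input for this example. */
static const uint8_t kKeAddSystemServiceTableXp[] = {
    0x8b, 0xff,                               /* mov  edi,edi                       */
    0x55,                                     /* push ebp                           */
    0x8b, 0xec,                               /* mov  ebp,esp                       */
    0x83, 0x7d, 0x18, 0x03,                   /* cmp  dword ptr [ebp+18h],3         */
    0x77, 0x60,                               /* ja   +0x6b                         */
    0x8b, 0x45, 0x18,                         /* mov  eax,dword ptr [ebp+18h]       */
    0xc1, 0xe0, 0x04,                         /* shl  eax,4                         */
    0x83, 0xb8, 0xa0, 0x2f, 0x55, 0x80, 0x00, /* cmp  KeServiceDescriptorTable[eax],0 */
    0x75, 0x51,                               /* jne  +0x6b                         */
    0x8d, 0x88, 0x60, 0x2f, 0x55, 0x80,       /* lea  ecx,KeServiceDescriptorTableShadow[eax] */
};

/* Constructed placeholder bounds for the kernel image; NOT values from the thread. */
#define EXAMPLE_KERNEL_BASE 0x80400000u
#define EXAMPLE_KERNEL_SIZE 0x00200000u

static uint32_t read_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Match the 15-byte sequence
 *   83 B8 imm32 00   cmp dword ptr [eax+imm32],0
 *   75 rel8          jne
 *   8D 88 imm32      lea ecx,[eax+imm32]
 * Returns 1 and fills *out on success, 0 if the pattern is absent. */
int find_ssdt_refs(const uint8_t *code, size_t len, ssdt_refs_t *out)
{
    for (size_t i = 0; i + 15 <= len; i++) {
        const uint8_t *p = code + i;
        if (p[0] == 0x83 && p[1] == 0xB8 && p[6] == 0x00 &&
            p[7] == 0x75 &&
            p[9] == 0x8D && p[10] == 0x88) {
            out->ssdt        = read_le32(p + 2);
            out->ssdt_shadow = read_le32(p + 11);
            out->lea_offset  = i + 9;
            return 1;
        }
    }
    return 0;
}

/* Range check: a genuine table lives inside the kernel image. A shadow table
 * address outside it is the "copied table" case Brock describes. */
int address_in_image(uint32_t addr, uint32_t image_base, uint32_t image_size)
{
    uint64_t end = (uint64_t)image_base + image_size;
    return addr >= image_base && (uint64_t)addr < end;
}

/* Convenience wrappers over the constructed sample so results can be checked. */
uint32_t demo_ssdt_address(void)
{
    ssdt_refs_t r = {0};
    return find_ssdt_refs(kKeAddSystemServiceTableXp,
                          sizeof kKeAddSystemServiceTableXp, &r) ? r.ssdt : 0;
}

uint32_t demo_shadow_address(void)
{
    ssdt_refs_t r = {0};
    return find_ssdt_refs(kKeAddSystemServiceTableXp,
                          sizeof kKeAddSystemServiceTableXp, &r) ? r.ssdt_shadow : 0;
}

size_t demo_lea_offset(void)
{
    ssdt_refs_t r = {0};
    return find_ssdt_refs(kKeAddSystemServiceTableXp,
                          sizeof kKeAddSystemServiceTableXp, &r) ? r.lea_offset : (size_t)-1;
}

int main(void)
{
    ssdt_refs_t r;
    if (!find_ssdt_refs(kKeAddSystemServiceTableXp, sizeof kKeAddSystemServiceTableXp, &r)) {
        puts("pattern not found");
        return 1;
    }
    printf("KeServiceDescriptorTable       = %08x\n", r.ssdt);
    printf("KeServiceDescriptorTableShadow = %08x (lea at +0x%zx)\n", r.ssdt_shadow, r.lea_offset);
    printf("shadow table inside image bounds: %s\n",
           address_in_image(r.ssdt_shadow, EXAMPLE_KERNEL_BASE, EXAMPLE_KERNEL_SIZE) ? "yes" : "NO");
    return 0;
}
```

On the sample bytes the scanner reports 80552fa0 for KeServiceDescriptorTable and 80552f60 for the shadow table, with the `lea` at offset 0x1a, matching the 8059679e line in the listing. The same range check can be applied to the KTHREAD.ServiceTable value of a GUI thread, which is the other lookup Brock mentions.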