Hi, everyone. I want to hook shadow ssdt in system thread. It is impossible?
http://www.kernelmode.info/forum/viewto ... =10&t=1082
No.
EP_X0FF wrote:
http://www.kernelmode.info/forum/viewto ... =10&t=1082
Use KeAttachProcess to attach to CSRSS before hooking the SHADOW SSDT.
Thanks a lot. I will try to do that. :lol:

Vrtule wrote:
Hello,
if you need to make changes to win32k.sys in memory (or just to read it) multiple times, you can map it into the System process address space (via an MDL) so you won't need a GUI thread anymore. It might be possible to use another MDL to map the memory into the kernel area (shared across all address spaces). I am not sure how safe this approach is, however.
#include <ntddk.h>

/* Maps Size bytes of kernel memory at Address into the user-mode part of the
   System process address space so a system thread can reach it without a GUI
   process. Tear-down for the caller: MmUnmapLockedPages(UserAddress, Mdl) while
   attached to the System process, then MmUnlockPages(Mdl) and IoFreeMdl(Mdl). */
NTSTATUS MapWin32kPartWritable(PVOID Address, SIZE_T Size, PMDL *Mdl, PVOID *UserAddress)
{
    PMDL tmpMdl = NULL;
    KAPC_STATE apcState;
    NTSTATUS status = STATUS_UNSUCCESSFUL;
    PVOID tmpUserAddress = NULL;

    tmpMdl = IoAllocateMdl(Address, (ULONG)Size, FALSE, FALSE, NULL);
    if (tmpMdl == NULL)
        return STATUS_INSUFFICIENT_RESOURCES;

    /* MmProbeAndLockPages raises an exception instead of returning an error
       (e.g. when a page of win32k.sys is not resident), so it must be guarded.
       IoReadAccess keeps the probe from faulting on read-only code pages. */
    __try {
        MmProbeAndLockPages(tmpMdl, KernelMode, IoReadAccess);
    } __except (EXCEPTION_EXECUTE_HANDLER) {
        IoFreeMdl(tmpMdl);
        return GetExceptionCode();
    }

    /* Attach to the System process so the user-mode mapping is created in its
       address space; a UserMode mapping can also raise on failure. */
    KeStackAttachProcess(PsInitialSystemProcess, &apcState);
    __try {
        tmpUserAddress = MmMapLockedPagesSpecifyCache(tmpMdl, UserMode, MmCached,
                                                      NULL, FALSE, NormalPagePriority);
    } __except (EXCEPTION_EXECUTE_HANDLER) {
        tmpUserAddress = NULL;
    }
    KeUnstackDetachProcess(&apcState);

    if (tmpUserAddress != NULL) {
        *Mdl = tmpMdl;
        *UserAddress = tmpUserAddress;
        status = STATUS_SUCCESS;
    } else {
        /* The original freed the MDL without unlocking the pages first. */
        MmUnlockPages(tmpMdl);
        IoFreeMdl(tmpMdl);
        status = STATUS_UNSUCCESSFUL;
    }

    return status;
}
Vrtule wrote:
The following routine maps a given part of kernel memory (e.g. win32k.sys) as writable into the address space of the System process. For win32k.sys, the routine must be called in the context of a GUI process.
To find a GUI process, you can get the list of active processes (ZwQuerySystemInformation), get their EPROCESS structures (PsLookupProcessByProcessId) and look at the w32Process substructure (PsGetProcessWin32Process). The process is a GUI process if w32Process is non-NULL (PsGetProcessWin32Process returns a non-NULL value).

Thank you very much! I have solved this problem now!
EDIT: Nt --> Zw