How find SSDT Shadow address in Windows 10 x86?

flashcoder
    Posted: 13 May 2017 at 9:54pm
Based on this article ( http://www.developersite.org/905-42385-service ), I'm using the following code to get the address of the shadow table, and it works perfectly from WinXP x86 through Win8.1 x86 (the operating systems that were tested); only on Win10 x86 does it fail to find the address.

Thank you for any suggestion.


#include <ntddk.h>
#include "ntapi.h"  -> https://pastebin.com/BFwWUvmT

// Pointer to a system-service routine. NTPROC itself is not defined on this
// page; it presumably comes from "ntapi.h" — confirm against that header.
typedef NTPROC * PNTPROC;

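// One system service table, i.e. one slot of the service descriptor table.
// Field order and sizes must match the kernel's layout exactly:
// GetServiceDescriptorShadowTableAddress() memcmp()s sizeof(SYSTEM_SERVICE_TABLE)
// bytes of a candidate against KeServiceDescriptorTable.
typedef struct tag_SYSTEM_SERVICE_TABLE {
    PNTPROC   ServiceTable;  // array of entry points to the calls
    // Pointer to the array of usage counters. Was declared `int`, which is
    // only pointer-sized on 32-bit builds; a pointer type keeps the same
    // layout on x86 and states what the field actually holds.
    PULONG    CounterTable;
    ULONG     ServiceLimit;  // number of table entries
    PCHAR     ArgumentTable; // array of argument counts
} SYSTEM_SERVICE_TABLE, *PSYSTEM_SERVICE_TABLE, **PPSYSTEM_SERVICE_TABLE;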

// The service descriptor table: four consecutive SYSTEM_SERVICE_TABLE slots.
// Only the first two are given meaningful names here; sst3/sst4 keep the
// struct the right size (their purpose, if any, is not documented on this page).
typedef struct tag_SERVICE_DESCRIPTOR_TABLE {
    SYSTEM_SERVICE_TABLE ntoskrnl; // main native API table
    SYSTEM_SERVICE_TABLE win32k; // win subsystem, in shadow table
    SYSTEM_SERVICE_TABLE sst3; // third slot — purpose not documented here
    SYSTEM_SERVICE_TABLE sst4; // fourth slot — purpose not documented here
} SERVICE_DESCRIPTOR_TABLE, *PSERVICE_DESCRIPTOR_TABLE, **PPSERVICE_DESCRIPTOR_TABLE;

// Exported by the kernel. Declared here as a single SYSTEM_SERVICE_TABLE even
// though the kernel object is presumably the larger descriptor table (the kd
// dump below shows more than one slot); only the first
// sizeof(SYSTEM_SERVICE_TABLE) bytes are compared in the scan, so this suffices.
// NOTOSAPI is not defined on this page — presumably from "ntapi.h".
extern "C" NTOSAPI SYSTEM_SERVICE_TABLE KeServiceDescriptorTable;
// Exported kernel routine. This code never calls it; its address is only used
// as the starting point of the byte scan in GetServiceDescriptorShadowTableAddress().
extern "C" __declspec(dllimport) NTSTATUS NTAPI KeAddSystemServiceTable(ULONG, ULONG, ULONG, ULONG, ULONG);

// Heuristically locates the shadow service descriptor table.
//
// Scans the first 1024 bytes starting at KeAddSystemServiceTable's code, one
// byte at a time, treating each position as a pointer. A position matches when
// the pointed-to memory is reported valid, is not KeServiceDescriptorTable
// itself, and its first sizeof(SYSTEM_SERVICE_TABLE) bytes equal
// KeServiceDescriptorTable (i.e. the same ntoskrnl slot, as a shadow copy would have).
//
// Returns the first matching pointer, or NULL if nothing within 1024 bytes matches.
//
// Review notes on reliability (the reported Win10 x86 failure is consistent with
// the layout assumptions below no longer holding, but this page does not show why):
//  - Only `rc` is validated; `check` itself is dereferenced unvalidated on the
//    assumption that 1024 bytes past the export are mapped code.
//  - Reads through `check` are unaligned by construction (1-byte stride).
//  - MmIsAddressValid() only reports that the first byte's page is currently
//    resident; the 16-byte memcmp() could cross into a following page, and the
//    result says nothing about the memory staying valid afterwards.
//  - The whole approach depends on the kernel build embedding a direct pointer
//    to the shadow table inside that routine — a build-specific detail.
PSERVICE_DESCRIPTOR_TABLE __stdcall GetServiceDescriptorShadowTableAddress() {
    // Byte cursor into the kernel's code; not validated before dereference.
    char * check = (char *)KeAddSystemServiceTable;
    PSERVICE_DESCRIPTOR_TABLE rc = NULL; int i;
    for (i = 0; i < 1024; i++) {
        // Reinterpret the 4 bytes at the cursor as a candidate pointer.
        rc = *(PPSERVICE_DESCRIPTOR_TABLE)check;
        // Reject: unreadable, the main table itself, or a first slot that
        // differs from KeServiceDescriptorTable. Only the first
        // SYSTEM_SERVICE_TABLE is compared, not the whole descriptor.
        if (!MmIsAddressValid(rc) || ((PVOID)rc == (PVOID)&KeServiceDescriptorTable)
            || (memcmp(rc, &KeServiceDescriptorTable, sizeof(SYSTEM_SERVICE_TABLE)))) {
            // Advance one byte and clear the candidate so the break below is skipped.
            check++; rc = NULL;
        }
        if (rc)
            break;
    }
    // NULL here means the scan exhausted its 1024-byte window.
    return rc;
}

// Unload routine registered in DriverEntry(). It has nothing to tear down and
// only logs that it ran; the driver object is not used.
VOID DriverUnload(IN PDRIVER_OBJECT DriverObject) {
    UNREFERENCED_PARAMETER(DriverObject);
    DbgPrint("DriverUnload()!\n");
}

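// Driver entry point: registers the unload routine, then attempts to locate the
// shadow service descriptor table and logs the outcome.
//
// RegistryPath is not used. The return value is always STATUS_SUCCESS, so the
// driver stays loaded even when the lookup fails — unchanged from the original;
// confirm that is the intended behaviour rather than failing the load.
//
// Fixes relative to the original: the "found" message lacked the trailing
// newline the other DbgPrint messages have, the if/else was inconsistently
// indented and half-braced, and NtStatus was a local that never changed.
extern "C" NTSTATUS DriverEntry(IN PDRIVER_OBJECT pDriverObject, IN PUNICODE_STRING RegistryPath) {
    UNREFERENCED_PARAMETER(RegistryPath);

    pDriverObject->DriverUnload = DriverUnload;
    DbgPrint("DriverEntry()!\n");

    // Heuristic scan; NULL when no candidate matched (see that function's notes).
    PSERVICE_DESCRIPTOR_TABLE pShadow = GetServiceDescriptorShadowTableAddress();
    if (pShadow) {
        DbgPrint("SSDT Shadow address found!\n");
    } else {
        DbgPrint("Error: Can't get Win32k Address!\n");
    }

    return STATUS_SUCCESS;
}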




Edited by flashcoder - 13 May 2017 at 9:55pm
wayitech
Posted: 11 August 2017 at 3:22am

In my VMware Windows 10 32-bit VM:

kd> dd nt!KeServiceDescriptorTable
822ea2c0  821a11e8 00000000 000001b9 821a18d0
822ea2d0  00000000 00000000 00000000 00000000
822ea2e0  a3cf3fff 00000005 ffffffff 821b4f0f
822ea2f0  00000000 00000000 00000001 00000000
822ea300  1ac466c8 01d31249 00000000 00000000
822ea310  8066f0a8 899db000 8066ab08 00001000
822ea320  00010000 7ffeffff 80000000 83800000
822ea330  7fff0000 8059f000 8061f010 00001c10
kd> dd nt!KeServiceDescriptorTableShadow
822ea280  821a11e8 00000000 000001b9 821a18d0
822ea290  90578000 00000000 00000468 90579610
822ea2a0  0000000c 00000000 00ca0f62 00000000
822ea2b0  0002625a 00001388 00000000 86bf5c0a
822ea2c0  821a11e8 00000000 000001b9 821a18d0
822ea2d0  00000000 00000000 00000000 00000000
822ea2e0  a3cf3fff 00000005 ffffffff 821b4f0f
822ea2f0  00000000 00000000 00000001 00000000

!process 0 0
then switch to the explorer.exe process

kd> dds 90578000 L0x3ad
90578000  90571808 win32k!NtUserGetOwnerTransformedMonitorRect
90578004  90571814 win32k!NtUserYieldTask
90578008  90571820 win32k!NtUserSetSensorPresence
9057800c  9057182c win32k!NtGdiWidenPath
90578010  90571838 win32k!NtGdiUpdateColors
90578014  90571844 win32k!NtGdiUnrealizeObject
90578018  90571850 win32k!NtGdiUnmapMemFont
9057801c  9057185c win32k!NtGdiUnloadPrinterDriver
90578020  90571868 win32k!NtGdiTransparentBlt
90578024  90571874 win32k!NtGdiTransformPoints
90578028  90571880 win32k!NtGdiSwapBuffers
9057802c  9057188c win32k!NtGdiStrokePath
90578030  90571898 win32k!NtGdiStrokeAndFillPath
90578034  905718a4 win32k!NtGdiStretchDIBitsInternal
90578038  905718b0 win32k!NtGdiStretchBlt
9057803c  905718bc win32k!NtGdiStartPage
90578040  905718c8 win32k!NtGdiStartDoc
90578044  905718d4 win32k!NtGdiSetSizeDevice
90578048  905718e0 win32k!NtGdiSetVirtualResolution
9057804c  905718ec win32k!NtGdiSetTextJustification
90578050  905718f8 win32k!NtGdiSetSystemPaletteUse

flashcoder
Posted: 26 August 2017 at 11:34am
Solved!