
How to find the SSDT Shadow address in Windows 10 x86?

flashcoder
Joined: 06 March 2017
    Posted: 13 May 2017 at 9:54pm
Based on this article ( http://www.developersite.org/905-42385-service ), I'm using the following code to get the address of the shadow table. It works perfectly from WinXP x86 through Win8.1 x86 (the operating systems that were tested); only on Win10 x86 can it not find the address.

Thank you for any suggestion.


#include <ntddk.h>
#include "ntapi.h"  /* -> https://pastebin.com/BFwWUvmT */

typedef NTPROC * PNTPROC; // pointer to a native service entry point (NTPROC is not defined in this file; presumably from ntapi.h)

// One system service table. GetServiceDescriptorShadowTableAddress compares
// sizeof(SYSTEM_SERVICE_TABLE) bytes against KeServiceDescriptorTable, so the
// size of this struct must match what the kernel actually lays out.
typedef struct tag_SYSTEM_SERVICE_TABLE {
    PNTPROC   ServiceTable; // array of entry points to the calls
    int  CounterTable; // array of usage counters -- declared as int rather than a pointer; NOTE(review): same width only on a 32-bit build, confirm before reusing elsewhere
    ULONG ServiceLimit; // number of table entries
    PCHAR ArgumentTable; // array of argument counts
} SYSTEM_SERVICE_TABLE, *PSYSTEM_SERVICE_TABLE, **PPSYSTEM_SERVICE_TABLE;

// Descriptor table holding up to four service tables; only the first two are
// given meaningful names here.
typedef struct tag_SERVICE_DESCRIPTOR_TABLE {
    SYSTEM_SERVICE_TABLE ntoskrnl; // main native API table
    SYSTEM_SERVICE_TABLE win32k; // win subsystem, in shadow table
    SYSTEM_SERVICE_TABLE sst3; // not used by this file
    SYSTEM_SERVICE_TABLE sst4; // not used by this file
} SERVICE_DESCRIPTOR_TABLE, *PSERVICE_DESCRIPTOR_TABLE, **PPSERVICE_DESCRIPTOR_TABLE;

// Imported from the kernel. Declared as a single SYSTEM_SERVICE_TABLE (the first
// entry of the descriptor) because only that many bytes are compared below.
extern "C" NTOSAPI SYSTEM_SERVICE_TABLE KeServiceDescriptorTable;
// Imported kernel routine. It is never called in this file; its address is only
// used as the start of the byte scan in GetServiceDescriptorShadowTableAddress.
extern "C" __declspec(dllimport) NTSTATUS NTAPI KeAddSystemServiceTable(ULONG, ULONG, ULONG, ULONG, ULONG);

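// Heuristically locate the kernel's shadow service descriptor table.
//
// Walks up to 1024 bytes of KeAddSystemServiceTable's code, reinterpreting each
// byte offset as a 32-bit pointer, and accepts the first candidate that
//   (a) points at valid memory,
//   (b) is not KeServiceDescriptorTable itself, and
//   (c) begins with a SYSTEM_SERVICE_TABLE byte-identical to KeServiceDescriptorTable.
// The scan depends on the compiled layout of KeAddSystemServiceTable, which is
// private to each kernel build and not a stable contract; treat the result as a
// best-effort probe rather than a verified structure.
//
// Returns the candidate pointer, or NULL if nothing matched inside the window.
//
// Robustness fix: the original only asked MmIsAddressValid about the first byte
// of *rc, but memcmp reads sizeof(SYSTEM_SERVICE_TABLE) bytes, so a candidate
// near the end of a page could make memcmp touch an unmapped page. The last byte
// of the compared range is now checked too. MmIsAddressValid is itself only a
// snapshot (the page could be paged out before the read), so this narrows the
// window rather than closing it -- NOTE(review): it is kept because the original
// relied on it.
PSERVICE_DESCRIPTOR_TABLE __stdcall GetServiceDescriptorShadowTableAddress() {
    char *cursor = (char *)KeAddSystemServiceTable;
    const size_t cmpLen = sizeof(SYSTEM_SERVICE_TABLE);

    for (int offset = 0; offset < 1024; offset++, cursor++) {
        PSERVICE_DESCRIPTOR_TABLE candidate = *(PPSERVICE_DESCRIPTOR_TABLE)cursor;

        if (candidate == NULL || !MmIsAddressValid(candidate)) {
            continue;
        }
        // Vouch for the last byte memcmp will read; it may sit on the next page.
        if (!MmIsAddressValid((char *)candidate + cmpLen - 1)) {
            continue;
        }
        if ((PVOID)candidate == (PVOID)&KeServiceDescriptorTable) {
            continue;
        }
        if (memcmp(candidate, &KeServiceDescriptorTable, cmpLen) != 0) {
            continue;
        }
        return candidate;
    }
    return NULL;
}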

// Unload callback: nothing was allocated or hooked, so only log the event.
VOID DriverUnload(IN PDRIVER_OBJECT DriverObject) {
    (void)DriverObject; // not needed; silences the unused-parameter warning
    DbgPrint("DriverUnload()!\n");
}

// Driver entry point: register the unload handler, probe for the shadow service
// descriptor table and report the outcome on the debug output.
// Always returns STATUS_SUCCESS, so the driver stays loaded even when the probe
// fails; the located pointer is not used beyond the log line.
extern "C" NTSTATUS DriverEntry(IN PDRIVER_OBJECT pDriverObject, IN PUNICODE_STRING RegistryPath) {
    (void)RegistryPath; // not needed; silences the unused-parameter warning

    pDriverObject->DriverUnload = DriverUnload;
    DbgPrint("DriverEntry()!\n");

    const PSERVICE_DESCRIPTOR_TABLE shadow = GetServiceDescriptorShadowTableAddress();
    if (shadow == NULL) {
        DbgPrint("Error: Can't get Win32k Address!\n");
    } else {
        DbgPrint("SSDT Shadow address found!");
    }

    return STATUS_SUCCESS;
}




Edited by flashcoder - 13 May 2017 at 9:55pm