
Based on this article I'm using the following code to get the address of the shadow table, and it works perfectly from Windows XP x86 through Windows 8.1 x86 (the operating systems that were tested); only on Windows 10 x86 can the address not be found.

#include <ntddk.h>
#include "ntapi.h"

/* Pointer to a system-service routine; NTPROC itself comes from ntapi.h. */
typedef NTPROC * PNTPROC;

/* One system service table.  Field order and size must match the kernel's
 * layout exactly, because GetServiceDescriptorShadowTableAddress compares
 * this structure byte-for-byte against KeServiceDescriptorTable with memcmp. */
typedef struct tag_SYSTEM_SERVICE_TABLE {
    PNTPROC   ServiceTable; // array of entry points to the calls
    int  CounterTable; // array of usage counters
                       // NOTE(review): described as an array but declared as
                       // int rather than a pointer; the two sizes coincide
                       // only on x86 -- confirm against the kernel layout
    ULONG ServiceLimit; // number of table entries
    PCHAR ArgumentTable; // array of argument counts
} SYSTEM_SERVICE_TABLE, *PSYSTEM_SERVICE_TABLE, **PPSYSTEM_SERVICE_TABLE;

/* A descriptor holding four service tables; the second slot is the win32k
 * table that the shadow copy carries. */
typedef struct tag_SERVICE_DESCRIPTOR_TABLE {
    SYSTEM_SERVICE_TABLE ntoskrnl; // main native API table
    SYSTEM_SERVICE_TABLE win32k; // win subsystem, in shadow table
    SYSTEM_SERVICE_TABLE sst3;
    SYSTEM_SERVICE_TABLE sst4;
} SERVICE_DESCRIPTOR_TABLE, *PSERVICE_DESCRIPTOR_TABLE, **PPSERVICE_DESCRIPTOR_TABLE;

/* Exported kernel table, declared here as a single SYSTEM_SERVICE_TABLE;
 * this file only ever reads the first sizeof(SYSTEM_SERVICE_TABLE) bytes of it. */
extern "C" NTOSAPI SYSTEM_SERVICE_TABLE KeServiceDescriptorTable;
/* Undocumented kernel export whose code bytes are the start of the scan below. */
extern "C" __declspec(dllimport) NTSTATUS NTAPI KeAddSystemServiceTable(ULONG, ULONG, ULONG, ULONG, ULONG);

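/*
 * Scan the first 1024 bytes of KeAddSystemServiceTable for an embedded pointer
 * to a SERVICE_DESCRIPTOR_TABLE whose first sub-table is byte-identical to
 * KeServiceDescriptorTable but which is not KeServiceDescriptorTable itself.
 *
 * Returns that pointer, or NULL when nothing matching lies inside the window.
 *
 * Both reads the scan performs are validated with MmIsAddressValid before
 * they happen: the pointer-sized read at every byte offset of the window
 * (which may straddle a page boundary), and the sizeof(SYSTEM_SERVICE_TABLE)
 * read through each candidate.  The original checked only the first byte of
 * the candidate and never the scan pointer, so running off the end of a
 * mapped page would have bugchecked the system.  MmIsAddressValid reports
 * only whether a read would fault at the moment of the call, so this stays
 * best-effort rather than a guarantee.
 */
PSERVICE_DESCRIPTOR_TABLE __stdcall GetServiceDescriptorShadowTableAddress() {
    const size_t scanBytes = 1024;
    const size_t tableBytes = sizeof(SYSTEM_SERVICE_TABLE);
    char *check = (char *)KeAddSystemServiceTable;

    for (size_t i = 0; i < scanBytes; i++, check++) {
        /* The candidate pointer occupies sizeof(PVOID) bytes; make sure
         * neither end of it lies on an unmapped page before reading it. */
        if (!MmIsAddressValid(check) ||
            !MmIsAddressValid(check + sizeof(PVOID) - 1)) {
            continue;
        }

        PSERVICE_DESCRIPTOR_TABLE rc = *(PPSERVICE_DESCRIPTOR_TABLE)check;

        /* The main table is not the shadow; skip it before touching memory. */
        if ((PVOID)rc == (PVOID)&KeServiceDescriptorTable) {
            continue;
        }

        /* memcmp reads tableBytes through rc, so both ends must be readable. */
        if (!MmIsAddressValid(rc) ||
            !MmIsAddressValid((char *)rc + tableBytes - 1)) {
            continue;
        }

        /* The shadow descriptor's first sub-table mirrors the main table. */
        if (memcmp(rc, &KeServiceDescriptorTable, tableBytes) == 0) {
            return rc;
        }
    }

    return NULL;
}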

/* Unload callback registered in DriverEntry; it only logs that it ran. */
VOID DriverUnload(IN PDRIVER_OBJECT DriverObject) {
    (void)DriverObject; /* nothing per-driver to tear down */
    DbgPrint("DriverUnload()!\n");
}

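/*
 * Driver entry point: install the unload routine, then try to locate the
 * shadow service descriptor table and log whether it was found.
 *
 * RegistryPath is unused.  The driver returns STATUS_SUCCESS whether or not
 * the table was located, so a failed lookup still leaves the driver loaded;
 * only the DbgPrint output tells the two cases apart.
 */
extern "C" NTSTATUS DriverEntry(IN PDRIVER_OBJECT pDriverObject, IN PUNICODE_STRING RegistryPath) {
    (void)RegistryPath;

    pDriverObject->DriverUnload = DriverUnload;
    DbgPrint("DriverEntry()!\n");

    PSERVICE_DESCRIPTOR_TABLE pShadow = GetServiceDescriptorShadowTableAddress();
    if (pShadow) {
        /* Trailing newline added so the next DbgPrint starts on its own line. */
        DbgPrint("SSDT Shadow address found!\n");
    } else {
        DbgPrint("Error: Can't get Win32k Address!\n");
    }

    return STATUS_SUCCESS;
}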

ntapi.h

Can someone help, please?

  • Searching the web, all that I found about how to obtain this address was [this image](https://twitter.com/infexia/status/621599020780265472), but I don't understand how this suggestion can be used :-(. Can someone help? –  Jun 02 '17 at 01:35
  • Ahh, the joys of using undocumented information. I *do* hope you're not creating a rootkit :-) – paxdiablo Jun 02 '17 at 01:38
  • This is not for a rootkit, but for an anti-rootkit :-) –  Jun 02 '17 at 02:14
