原创 Obtaining KeServiceDescriptorTableShadow address

In Windows NT based operating system every
system call originated in user mode which is to be processed
by the system抯 kernel must go through the gate to the kernel
itself where it would be dispatched and executed. This gate
is an interrupt INT 2Eh. While on the user side library
ntdll.dll handles a system call, after passing the gate
ntoskrnl.exe takes over invoking an internal function KiSystemService()
and passing the original system call into it. Then, KiSystemService
uses a lookup table for the information on which Native
API call to assign the original call to. This lookup table
is called System Service Table (SST), it has the following
structure:

typedef NTSTATUS (NTAPI * NTPROC) ();
typedef NTPROC * PNTPROC;
#define NTPROC_ sizeof (NTPROC)

typedef struct _SYSTEM_SERVICE_TABLE
{
	PNTPROC	ServiceTable; // array of entry points to the calls 
	PDWORD	CounterTable; // array of usage counters 
	DWORD	ServiceLimit;   // number of table entries 
	PBYTE	ArgumentTable; // array of arguments
}
	SYSTEM_SERVICE_TABLE, 
	*PSYSTEM_SERVICE_TABLE, 
	**PP SYSTEM_SERVICE_TABLE; 

System Service Table itself is a member
of another structure called Service Descriptor Table:

typedef struct _SERVICE_DESCRIPTOR_TABLE
{
	SYSTEM_SERVICE_TABLE ntoskrnl; //SST used by ntoskrnl.exe - Native API
	SYSTEM_SERVICE_TABLE win32k; // SST used by win32k.sys - gdi/user support
	SYSTEM_SERVICE_TABLE Table3; // reserved
	SYSTEM_SERVICE_TABLE Table4; // reserved
}
	SERVICE_DESCRIPTOR_TABLE, 
	*PSERVICE_DESCRIPTOR_TABLE, 
	**PPSERVICE_DESCRIPTOR_TABLE;

System Service Table structure is used
by two different handles in the Kernel:

• 
  
  KeServiceDescriptorTable()
  
  
• 
  
  KeServiceDescriptorTableShadow()
  
  

While KeServiceDescriptorTable is readily available
for kernel mode drivers to access, KeServiceDescriptorTableShadow
is not. Moreover, KeServiceDescriptorTable does not have the
System Service Table for win32k calls support.

Unfortunately, different versions of Windows
NT have these two tables placed in different order. For
example, on Windows 2000, KeServiceDescriptorTableShadow
follows immediately after KeServiceDescriptorTable, while
on Windows XP it appears right before KeServiceDescriptorTable.

Several different ways have been proposed to
obtain the correct address of the Shadow table. In this example
I shall demonstrate an approach to obtain the KeServiceDescriptorTableShadow
address on Windows 2000 and Windows XP (incl. SP1) operating
systems.

The idea behind this method (originally introduced
in the book Undocumented Windows NT) is to use a function
called KeAddSystemServiceTable as an indicator. This function
is used by win32k.sys and therefore it just has to address
the Shadow table since KeServiceDescriptorTable does not
support win32k calls. Another assumption to be made is that
the first entry in both KeServiceDescriptorTable and KeServiceDescriptorTableShadow
is the same. Since it is relatively simple to obtain the
address of KeServiceDescriptorTable, we may try to compare
its first entry with the one obtained from KeAddSystemServiceTable.
If they match, we consider the corresponding address to
be the correct address of KeServiceDescriptorTableShadow.
There is no guaranty that the very first valid address,
produced by KeAddSystemServiceTable will match, thus we
have to go through several addresses to find the right one.

The following code shows a correct solution
for obtaining a KeServiceDescriptorTableShadow address on
windows XP, it will work for a kernel mode device driver:

/* 
define structure for the system service table
*/ 
struct SYS_SERVICE_TABLE { 
void **ServiceTable; 
unsigned long CounterTable; 
unsigned long ServiceLimit; 
void **ArgumentsTable; 
}; 
/* 
Define KeServiceDescriptorTable based on the SST structure 
*/ 
extern struct SYS_SERVICE_TABLE *KeServiceDescriptorTable; 
/*
Declare function GetServiceDescriptorShadowTableAddress() 
*/
static struct SYS_SERVICE_TABLE * GetServiceDescriptorShadowTableAddress (); 
/* 
Declare the KeAddSystemServiceTable. This is just a 
handle to the call function, it will be used by the function 
above to obtain the correct address of the KeServiceDescriptorShadowTable 
*/ 
__declspec(dllimport) KeAddSystemServiceTable (ULONG, ULONG, ULONG, ULONG, ULONG); 
static struct SYS_SERVICE_TABLE * GetServiceDescriptorShadowTableAddress ()
{ 
	// First, obtain a pointer to KeAddSystemServiceTable
	unsigned char *check = (unsigned char*)KeAddSystemServiceTable; 
	int i;
 	//Initialize an instance of System Service Table, will be used to
	//obtain an address from KeAddSystemServiceTable
struct SYS_SERVICE_TABLE *rc=0; 
// Make 100 attempts to match a valid address with that of KeServiceDescriptorTable 
	for (i=0; i<=99; i++) { 
__try { 
// try to obtain an address from  KeAddSystemServiceTable 
			rc = *(struct SYS_SERVICE_TABLE**)check; 
// if this address is NOT valid OR it itself is the address of 
//KeServiceDescriptorTable OR its first entry is NOT equal 
//to the first entry of KeServiceDescriptorTable 
if (!MmIsAddressValid (rc) || (rc == KeServiceDescriptorTable) 
				|| (memcmp (rc, KeServiceDescriptorTable, sizeof (*rc)) != 0)) { 
// Proceed with the next address 
					check++; 
// don't forget to reset the old address 
					rc = 0; 
			} 
		} __except (EXCEPTION_EXECUTE_HANDLER) { rc = 0; } 
// when the loop is completed, check if it produced a valid address 
if (rc) 
// because if it didn't, we failed to find the address of KeServiceDescriptorTableShadow 
break; 
	} 
// otherwise, there is a valid address! So return it! 
return rc; 
} 

Note, that if you by some reason failed to
find the correct address, your number of iterations (100
in my example) was not enough. Try to increase it slightly,
I would not recommend to have the number of iterations larger
than 4096, if you failed again even with the number that
high, there are definitely other problems, most likely the
assumptions mentioned above are no longer true for the operation
system you use.

To call this function, simply create a new
pointer to System Service Table with the same structure the
function returns its address with, and then assign this address
to it:

/*
define structure for the system service table
*/
struct SYS_SERVICE_TABLE {
void **ServiceTable;
unsigned long CounterTable; 
unsigned long ServiceLimit; 
void **ArgumentsTable; 
}; 

static struct  SYS_SERVICE_TABLE *ShadowTable; 
ShadowTable = GetServiceDescriptorShadowTableAddress(); 

Needless to say, that all these tricks can only be done with administrator rights. More over,
if you plan to continue manipulating KeServiceDescriptorTableShadow, you will also need to enable
Debug Privileges, even for the administrator.