Click here to Skip to main content
65,938 articles
CodeProject is changing. Read more.
Articles / Languages / C
 

How Can I Get the Address of KeServiceDescriptorTableShadow

3.67/5 (4 votes)
26 May 2008CPOL 1   198  
Explain how to get the address of KeServiceDescriptorTableShadow

Introduction

This article shows how to get the address of KeServiceDescriptorTableShadow kernel variable. This variable is used to add new system services to kernel, or hook an existing system service. Unfortunately, it is not exported by ntoskrnl.exe, so we have to get its address manually.

Background

Using KeServiceDescriptorTable variable exported by ntoskrnl.exe, we can get the address of KeServiceDescriptorTableShadow variable. KeServiceDescriptorTableShadow is an extension of KeServiceDescriptorTable variable. Please see the following section.

Using the Code

The type of two variables is SERVICE_DESCRIPTOR_TABLE structure. This structure is defined as follows:

C++
typedef struct _SERVICE_DESCRIPTOR_TABLE
{
 PULONG  ServiceTable;  	// array of entry-points
 PULONG  puCounterTable;  	// array of counters
 ULONG  uTableSize;   	// number of table entries
 PUCHAR  pbArgumentTable; 	// array of byte counts
} SERVICE_DESCRIPTOR_TABLE, *PSERVICE_DESCRIPTOR_TABLE;

The first part of KeServiceDescriptorTableShadow is the same as KeServiceDescriptorTable. And so we could get the address of KeServiceDescriptorTableShadow by comparing memories around KeServiceDescriptorTable. In different version of Windows, this address is different.

This function retrieves its address in different version of Windows.

C++
PSERVICE_DESCRIPTOR_TABLE QuerySDTShadow()
{
 ULONG Index;
 PUCHAR SDTShadow;
 UONG MajorVersion, MinorVersion, BuildNumber;
 UNICODE_STRING &CSDVersion;
 PsGetVersion(&MajorVersion, &MinorVersion, &BuildNumber, &CSDVersion);
 __try
 {
  if(MajorVersion == 5 && MinorVersion == 1) // Windows XP
   SDTShadow = (PUCHAR)((ULONG)&KeServiceDescriptorTable - 0x40);
  else // Windows 2000, or Windows Vista
   SDTShadow = (PUCHAR)((ULONG)&KeServiceDescriptorTable + 0x40);
  for(Index = 0; Index < 0x1000; Index ++, SDTShadow ++)
  {
   KeServiceDescriptorTableShadow = (PSERVICE_DESCRIPTOR_TABLE)SDTShadow;
   if(KeServiceDescriptorTableShadow == &KeServiceDescriptorTable)
    continue;
   if(memcmp(KeServiceDescriptorTableShadow, &KeServiceDescriptorTable, 0x10) == 0 
    && ((UCHAR)KeServiceDescriptorTableShadow->ServiceTable & 3) == 0)
   {
    return (PSERVICE_DESCRIPTOR_TABLE)SDTShadow;
   }
  }
  return NULL;
 }
 __except(1)
 {
  return NULL;
 }
}

This code was tested in various environments, but you must use it carefully.

History

  • 26th May, 2008: Initial post

License

This article, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)



Permalink

Privacy
Cookies
Terms of Use
Layout: fixed | fluid

Article Copyright 2008 by Try and try
Everything else Copyright © CodeProject, 1999-2024

Web01 2.8:2024-10-20:1