System service dispatch tables: SSDT and SSDT shadow

Source: Internet
Author: User
Tags: ssdt

System service: a group of functions (kernel functions) provided by the operating system. APIs call system services directly or indirectly; the operating system exposes its APIs in the form of dynamic link libraries (DLLs).
SSDT: System Service Dispatch Table. Indexed by the system service number, it yields the memory address of the service function.
SSPT: System Service Parameter Table. It records the number of parameter bytes each system service function takes.
The system has two such tables: KeServiceDescriptorTable, which is exported, and KeServiceDescriptorTableShadow, which is not. The functions they describe live in ntoskrnl.exe and win32k.sys. In general, the native API functions of ntdll.dll are dispatched through KeServiceDescriptorTable, while the kernel services called by gdi32.dll/user32.dll are dispatched through KeServiceDescriptorTableShadow.

1) KeServiceDescriptorTable describes the services implemented by the kernel itself (ntoskrnl.exe); besides the SSDT pointer it also contains a pointer to the SSPT.
The structure of KeServiceDescriptorTable is as follows:
typedef struct _SERVICE_DESCRIPTOR_ENTRY {
    unsigned int  *ServiceTableBase;        // SSDT base address
    unsigned int  *ServiceCounterTableBase; // per-service call counters for the SSDT
    unsigned int   NumberOfServices;        // number of services in the SSDT
    unsigned char *ParamTableBase;          // SSPT base address
} SSDT, *PSSDT;

The following is an experiment in windbg:
lkd> dd keservicedescriptortable // the exported table
80563520 804e58b0 00000000 0000011c 805120cc
80563530 00000000 00000000 00000000 00000000
80563540 00000000 00000000 00000000 00000000
80563550 00000000 00000000 00000000 00000000
80563560 00000002 00002710 bf80c339 00000000
80563570 baecda80 f753c4a0 8a09655c 807120c0
80563580 00000000 00000000 ffea8ad6 ffffffff
80563590 52841216 01ca0418 00000000 00000000
lkd> dd 804e58b0 // SSDT base address
804e58b0 80591bfb 80585358 805e1f35 805dbc4a
804e58c0 805e1fbc 80640ce4 80642e75 80642ebe
804e58d0 805835aa 80347be3 806404a3 805e1787
804e58e0 806387ba 80586fa3 805e08e8 8062f462
804e58f0 805d9781 80571edd 805e8258 805e939e
804e5900 804e5ec4 80347bcf 805cd537 804ed822

lkd> dd 805120cc // SSPT base address
805120cc 2c2c2018 44402c40 1818080c 0c040408
805120dc 08081810 0808040c 080c0404 2004040c
805120ec 140c1008 0c102c0c 10201c0c 20141038
805120fc 141c2424 34102010 080c0814 04040404
8051210c 0428080c 1808181c 1808180c 040c080c
8051211c 100c00010 10080828 0c08041c 00081004
8051212c 0c080408 10040828 0c0c0404 28240428
8051213c 0c0c0c30 0c0c0c6 0c10300c 0c0c0c10

2) KeServiceDescriptorTableShadow is the other table. It is not exported by the kernel and covers the service functions of both ntoskrnl.exe and win32k.sys. Some online games hook the key-related function NtUserSendInput to block simulated keystrokes and NtUserFindWindowEx to block window searching, and anti-virus products hook the window functions NtUserPostMessage and NtUserQueryWindow to keep their windows from being closed. KeServiceDescriptorTableShadow is actually an array of SSDT structures, that is, a group of system service descriptor tables; in XP SP3 the array has 4 entries. On XP, KeServiceDescriptorTableShadow is located just before KeServiceDescriptorTable, 0x40 bytes lower in memory.
The following is an experiment in windbg:
lkd> dd keservicedescriptortableshadow
805634e0 804e58b0 00000000 0000011c 805120cc // SSDT: ntoskrnl.exe
805634f0 bf99a000 00000000 0000029b bf99ad10 // SSDT shadow: win32k.sys
80563500 00000000 00000000 00000000 00000000
80563510 00000000 00000000 00000000 00000000
80563520 804e58b0 00000000 0000011c 805120cc // KeServiceDescriptorTable
80563530 00000000 00000000 00000000 00000000
80563540 00000000 00000000 00000000 00000000
80563550 00000000 00000000 00000000 00000000
Because KeServiceDescriptorTableShadow is not exported, its address has to be located at run time.
The general idea for locating unexported functions and structures is to start from exported functions and structures and search memory from there, brute-force style.
Method 1: Take the address of KeServiceDescriptorTable and apply the fixed offset between the two tables.
Method 2: Search the exported function KeAddSystemServiceTable, which references the shadow table.
Method 3: Follow the ServiceTable pointer of a thread.
Method 4: The search over valid memory addresses proposed by MJ.
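As an added example (not code from the original article), the C program below models the descriptor structure from section 1 and the shadow array from section 2, using the dumped dwords as constructed sample data, and resolves a service number the way the x86 dispatcher does: bits 12-13 of the number select the descriptor entry and the low 12 bits index its SSDT/SSPT (that selection rule is general NT knowledge, not stated on the page). It also encodes Method 1, the fixed 0x40 offset; win32k's table contents were not dumped, so that entry is left without data.

```c
#include <stddef.h>
#include <stdint.h>

/* Descriptor entry as laid out in the article (32-bit XP kernel). */
typedef struct _SERVICE_DESCRIPTOR_ENTRY {
    const uint32_t *ServiceTableBase;        /* SSDT: one function address per service */
    uint32_t       *ServiceCounterTableBase; /* call counters (NULL in the dump above) */
    uint32_t        NumberOfServices;
    const uint8_t  *ParamTableBase;          /* SSPT: argument bytes per service */
} SSDT;

/* Constructed sample: the first 24 dwords dumped at 804e58b0 and the first 24
 * bytes dumped at 805120cc. dd prints little-endian dwords, so 2c2c2018 is the
 * byte sequence 18 20 2c 2c. The real table has 0x11c entries; only this prefix
 * is reproduced here, so NumberOfServices is set to 24 for the sample. */
static const uint32_t kNtosSsdt[24] = {
    0x80591bfb, 0x80585358, 0x805e1f35, 0x805dbc4a, 0x805e1fbc, 0x80640ce4,
    0x80642e75, 0x80642ebe, 0x805835aa, 0x80347be3, 0x806404a3, 0x805e1787,
    0x806387ba, 0x80586fa3, 0x805e08e8, 0x8062f462, 0x805d9781, 0x80571edd,
    0x805e8258, 0x805e939e, 0x804e5ec4, 0x80347bcf, 0x805cd537, 0x804ed822 };
static const uint8_t kNtosSspt[24] = {
    0x18, 0x20, 0x2c, 0x2c, 0x40, 0x2c, 0x40, 0x44, 0x0c, 0x08, 0x18, 0x18,
    0x08, 0x04, 0x04, 0x0c, 0x10, 0x18, 0x08, 0x08, 0x0c, 0x04, 0x08, 0x08 };

/* KeServiceDescriptorTableShadow as dumped: entry 0 is ntoskrnl, entry 1 is
 * win32k with 0x29b services (contents not dumped, hence NULL bases). */
static const SSDT kShadow[4] = {
    { kNtosSsdt, NULL, 24, kNtosSspt },
    { NULL, NULL, 0x29b, NULL },
    { NULL, NULL, 0, NULL },
    { NULL, NULL, 0, NULL } };

typedef struct { unsigned table; uint32_t index; uint32_t addr; unsigned arg_bytes; } Resolved;

/* Resolve a service number: bits 12-13 pick the descriptor entry, the low 12
 * bits index its tables. Returns 0 on success, -1 when the index is out of
 * range or the selected table has no data (the check a dispatcher must do). */
static int resolve_service(const SSDT *shadow, uint32_t svc, Resolved *out)
{
    unsigned table = (svc >> 12) & 3;
    uint32_t idx = svc & 0xfff;
    const SSDT *t = &shadow[table];
    if (t->ServiceTableBase == NULL || idx >= t->NumberOfServices) return -1;
    out->table = table;
    out->index = idx;
    out->addr = t->ServiceTableBase[idx];
    out->arg_bytes = t->ParamTableBase[idx];
    return 0;
}

/* Method 1 from the article: on XP the shadow table sits 0x40 bytes below the exported one. */
static uint32_t shadow_from_exported(uint32_t ke_service_descriptor_table)
{
    return ke_service_descriptor_table - 0x40;
}
```

Service 0 resolves to 80591bfb with 0x18 argument bytes (six stack arguments), matching the first dword of each dump; a number at or past the sample prefix, or any 0x1xxx win32k number, is rejected rather than read out of bounds.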
