SSDT and SSDT hook
SSDT (System Service Dispatch Table)
SSPT (System Service Parameter Table)
#pragma pack(1) // SSDT table structure
typedef struct ServiceDescriptorEntry {
    unsigned int *ServiceTableBase;
    unsigned int *ServiceCounterTableBase; // Used only in checked build
    unsigned int NumberOfServices;
    unsigned char *ParamTableBase;
} ServiceDescriptorTableEntry_t, *PServiceDescriptorTableEntry_t;
#pragma pack()
Function call process analysis:
(1) The user calls ReadFile in kernel32.dll. kernel32.dll contains the wrapper functions; they check the validity of the parameters, convert everything to Unicode, and then call the NtReadFile function in NTDLL.dll.
(2) NTDLL.dll contains the service wrapper functions. When NtReadFile is called, the wrapper loads the required Service ID into the EAX register and a pointer to the parameter stack frame into the EDX register, then issues the INT 2Eh interrupt. This instruction switches the processor to kernel mode. The handler for INT 2Eh is installed by the Windows NT executive (probably the kernel); it copies the parameters from the user-mode stack to the kernel-mode stack, taking the value of the EDX register as the base address of the stack frame. This interrupt handler is called KiSystemService().
(3) Once execution is inside the kernel, ntoskrnl.exe takes over and performs the final call of the system service. The user-mode interface is provided as wrapper functions, all of which live in a DLL called NTDLL.dll. NTOSKRNL.EXE is initialized first; during initialization it creates the SSDT function table for the different services NTOSKRNL provides. Each entry in the table holds the address of the function for the corresponding Service ID, and all of these functions are inside the kernel. SSPT is created in the same way.
The diagram is as follows:
The structure of the two tables is as follows:
SSDT hook explanation: the SSDT hook is implemented by modifying the function address stored in the SSDT table. The following are the macros for the three related operations.
// Look up the function's entry in the SSDT. The calculation is fixed: the index is the
// 32-bit immediate that follows the "mov eax" opcode at the start of the ntdll stub.
#define SYSTEMSERVICE(_function) KeServiceDescriptorTable.ServiceTableBase[*(PULONG)((PUCHAR)_function + 1)]
// Retrieve the index of the function (fixed pattern, same +1 offset as above)
#define SYSCALL_INDEX(_Function) *(PULONG)((PUCHAR)_Function + 1)
// Modify the function address: atomically swap in the hook and keep the original
#define HOOK_SYSCALL(_Function, _Hook, _Orig) _Orig = (PVOID)InterlockedExchange((PLONG)&m_Mapped[SYSCALL_INDEX(_Function)], (LONG)_Hook)
The remaining work is done in a driver. The principle is to modify the SSDT entry so that the original function is replaced with your own, for process protection or other purposes.
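As an added example (not code from the original post), the following user-mode C program mirrors the structures above: it reproduces the SYSCALL_INDEX computation on a constructed ntdll-style stub of the form the text describes (mov eax, id / lea edx,[esp+4] / int 2Eh), and shows the standard defensive check for a hooked table, namely verifying that every SSDT entry still points inside the ntoskrnl image. The stub bytes, the table contents and the kernel base/size are all constructed for the demo.

```c
#include <stdint.h>
#include <string.h>

/* Mirror of the page's SSDT entry (32-bit NT layout, 32-bit addresses). */
typedef struct ServiceDescriptorEntry {
    uint32_t *ServiceTableBase;        /* addresses of the service routines */
    uint32_t *ServiceCounterTableBase; /* checked builds only */
    uint32_t  NumberOfServices;
    uint8_t  *ParamTableBase;          /* per-service argument byte counts */
} ServiceDescriptorTableEntry_t;

/* Constructed ntdll-style wrapper stub, as the text describes it:
   mov eax, <service id> ; lea edx, [esp+4] ; int 2Eh ; ret 24h */
static const uint8_t g_NtStub[] = {
    0xB8, 0xB7, 0x00, 0x00, 0x00,  /* mov eax, 0xB7 (illustrative id) */
    0x8D, 0x54, 0x24, 0x04,        /* lea edx, [esp+4] (parameter frame) */
    0xCD, 0x2E,                    /* int 2Eh -> KiSystemService */
    0xC2, 0x24, 0x00               /* ret 24h */
};

/* Same computation as the page's SYSCALL_INDEX macro: the 32-bit immediate
   that follows the 0xB8 opcode. memcpy avoids an unaligned dereference. */
uint32_t syscall_index(const uint8_t *stub) {
    uint32_t idx;
    memcpy(&idx, stub + 1, sizeof idx);
    return idx;
}

/* Detection: an entry pointing outside the kernel image has been redirected.
   Returns the count; *first gets the first such index (UINT32_MAX if none). */
size_t count_redirected(const ServiceDescriptorTableEntry_t *ssdt,
                        uint32_t kernel_base, uint32_t kernel_size,
                        uint32_t *first) {
    size_t n = 0;
    if (first) *first = UINT32_MAX;
    for (uint32_t i = 0; i < ssdt->NumberOfServices; i++)
        if (ssdt->ServiceTableBase[i] - kernel_base >= kernel_size) /* unsigned */
            if (n++ == 0 && first) *first = i;
    return n;
}

/* Constructed table: entry 2 patched to a driver-range address, as a hook would. */
static uint32_t g_table[4] = { 0x804F1000, 0x804F2400, 0xF8A21000, 0x8051A000 };
static const ServiceDescriptorTableEntry_t g_ssdt = { g_table, NULL, 4, NULL };
/* Index of the first redirected entry in the constructed table. */
uint32_t demo_first_redirected(void) {
    uint32_t first;
    count_redirected(&g_ssdt, 0x80400000u, 0x200000u, &first);
    return first;
}
```

On a real system the same range check is run against the loaded ntoskrnl image bounds, and an entry that lands in a third-party driver is the classic sign of an SSDT hook.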
References: Undocumented Windows NT; Line of Defense magazine, 2010.9; and the Line of Defense driver tutorial.
If you want to learn more, refer to the articles above; they can be found on the Internet.