Win + SSDT HOOK

The following refer to the hacker line of defense 2012 bound No. 294 page

In fact, nothing to say, directly on the code:

SSDT's structure, similar to Win32, but note that the pointer type here can not be substituted with ulong, if you want to replace should be used ulonglong, the reason is not said.

// Structure of SSDT struct _systemservicedescriptortable{    PVOID    servicetablebase;    PVOID    servicecountertablebase;    Ulonglong    Numberofservice;    PVOID    *psystemservicetable; Psystemservicetable keservicedescriptortable;

Gets the code for the address of the structure above;

ulonglong GetKeSeviceDescriptorTable64 () {/*The idea is to read 0xc0000082 the value of this register is the KISYSTEMCALL64 function address, and then through the signature search the SSDT signature is 0x4c8d15 and then the address value of SSDT is offset, and then through the formula: Real address = Current address + current instruction length + offset get SSDT address looks like shadow SSDT address*/Puchar startsearchaddress= (Puchar) __READMSR (0xc0000082); Puchar endsearchaddress= Startsearchaddress +0x500; Puchar I=0; UCHAR B1=0, b2 =0, B3 =0; ULONG Temp=0; Ulonglong Addr=0;  for(i = startsearchaddress; i < endsearchaddress; i++)    {        if(Mmisaddressvalid (i) && mmisaddressvalid (i +1) && Mmisaddressvalid (i +2) ) {B1= *i; B2= * (i +1); B3= * (i +2); if(B1 = =0x4c&& B2 = =0x8d&& B3 = =0x15) {memcpy (&temp, i +3,4); Addr= (ulonglong) temp + (ULONGLONG) i +7;//Plus instruction lengthKdprint (("Find SSDT is%p\n", addr)); returnaddr; }}} kdprint (("Find SSDT error\n")); return 0;}

Traverse all native API addresses:

voidthrougnallservicefuncaddr () {ULONG dwtemp=0; Pulong Servicetablebase=0; ULONG I=0;  for(i =0; I < keservicedescriptortable->numberofservice; i++)    {        if(Mmisaddressvalid (keservicedescriptortable->servicetablebase)) {Servicetablebase= (Pulong) keservicedescriptortable->servicetablebase; Dwtemp=Servicetablebase[i]; Dwtemp= Dwtemp >>4; Dbgprint ("The %dth func addr is%p!\n", I, ((ulonglong) dwtemp+ (ULONGLONG) servicetablebase) &0xffffffff0fffffff); }        Else{dbgprint ("Servicetablebase is fault!\n"); return 0; }    }}

Test results:

WinDbg View Results:

Take zwopenprocess as an example:

Ida found his ID to be 0x23, which is 35. The test result is fffff8000419b038

WinDbg results:

The test is correct.

Finally, if you want to hook it, it's easy.

Win + SSDT HOOK