How to get the address of the SSDT Shadow on Windows 10 x32?

  • Question

  • Based on this article I'm using the following code to get the address of the shadow table, and it works perfectly from WinXP x86 through Win8.1 x86 (the operating systems that were tested); only on Win10 x86 can it not find the address.

    #include <ntddk.h>
    #include "ntapi.h"   // supplies NTPROC and NTOSAPI

    typedef NTPROC * PNTPROC;

    typedef struct tag_SYSTEM_SERVICE_TABLE {
        PNTPROC ServiceTable;  // array of entry points to the calls
        PULONG  CounterTable;  // array of usage counters (NULL on free builds)
        ULONG   ServiceLimit;  // number of table entries
        PUCHAR  ArgumentTable; // array of argument byte counts
    } SYSTEM_SERVICE_TABLE, *PSYSTEM_SERVICE_TABLE, **PPSYSTEM_SERVICE_TABLE;

    typedef struct tag_SERVICE_DESCRIPTOR_TABLE {
        SYSTEM_SERVICE_TABLE ntoskrnl; // main native API table
        SYSTEM_SERVICE_TABLE win32k;   // win subsystem, in shadow table
        SYSTEM_SERVICE_TABLE sst3;
        SYSTEM_SERVICE_TABLE sst4;
    } SERVICE_DESCRIPTOR_TABLE, *PSERVICE_DESCRIPTOR_TABLE, **PPSERVICE_DESCRIPTOR_TABLE;

    // Exported by ntoskrnl on x86; only its first SYSTEM_SERVICE_TABLE is compared below.
    extern "C" NTOSAPI SYSTEM_SERVICE_TABLE KeServiceDescriptorTable;
    // Undocumented export; declared here only so its code address can be scanned.
    extern "C" __declspec(dllimport) NTSTATUS NTAPI KeAddSystemServiceTable(ULONG, ULONG, ULONG, ULONG, ULONG);

    // Scan the body of KeAddSystemServiceTable for a 32-bit immediate that points at a
    // SERVICE_DESCRIPTOR_TABLE whose first entry is a copy of KeServiceDescriptorTable's;
    // that candidate is KeServiceDescriptorTableShadow. Returns NULL if nothing matches.
    PSERVICE_DESCRIPTOR_TABLE __stdcall GetServiceDescriptorShadowTableAddress() {
        PUCHAR check = (PUCHAR)KeAddSystemServiceTable;
        for (int i = 0; i < 1024; i++, check++) {
            PSERVICE_DESCRIPTOR_TABLE rc = *(PPSERVICE_DESCRIPTOR_TABLE)check;
            // Both ends of the compared range must be mapped before memcmp touches it.
            if (!MmIsAddressValid(rc) ||
                !MmIsAddressValid((PUCHAR)rc + sizeof(SYSTEM_SERVICE_TABLE) - 1))
                continue;
            if ((PVOID)rc == (PVOID)&KeServiceDescriptorTable)
                continue; // the non-shadow table itself
            if (memcmp(rc, &KeServiceDescriptorTable, sizeof(SYSTEM_SERVICE_TABLE)) != 0)
                continue; // first entry differs
            return rc;
        }
        return NULL;
    }

    VOID DriverUnload(IN PDRIVER_OBJECT DriverObject) {
        UNREFERENCED_PARAMETER(DriverObject);
        DbgPrint("DriverUnload()!\n");
    }

    extern "C" NTSTATUS DriverEntry(IN PDRIVER_OBJECT pDriverObject, IN PUNICODE_STRING RegistryPath) {
        UNREFERENCED_PARAMETER(RegistryPath);

        pDriverObject->DriverUnload = DriverUnload;
        DbgPrint("DriverEntry()!\n");

        PSERVICE_DESCRIPTOR_TABLE pShadow = GetServiceDescriptorShadowTableAddress();
        if (pShadow)
            DbgPrint("SSDT Shadow address found: %p\n", pShadow);
        else
            DbgPrint("Error: Can't get Win32k address!\n");

        return STATUS_SUCCESS;
    }

    ntapi.h

    Searching on the web, all that I found about how to obtain this address was this image, but I don't understand how this suggestion can be used :-(.

    Probably, simply by calling it and assigning to the pShadow variable?

    Can someone help, please?






    • Edited by FLASHCODER Tuesday, April 11, 2017 1:10 AM
    Monday, April 10, 2017 11:16 PM
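The scan in the question can be exercised outside the kernel. The following is an added example, not the poster's driver and not Windows code: a user-mode model in which a constructed byte array stands in for a 32-bit ntoskrnl, with the two tables and the body of KeAddSystemServiceTable placed at assumed offsets (KERNEL_BASE, the OFF_* values, the instruction bytes and every model_* helper are assumptions of this example). It shows the scan rejecting two decoy immediates (the address of KeServiceDescriptorTable itself and a value that is not a kernel address), accepting the pointer whose first SYSTEM_SERVICE_TABLE matches, and the extra sanity check on the win32k entry that is worth doing before writing through a hit. The second build of the image omits the reference, which is one way the scan comes back empty: if the scanned code does not carry the table's address as a 32-bit immediate within the scanned range, this method has nothing to find, which is the symptom the poster describes rather than an explanation of it.

```c
/* Added example, not the poster's driver: a user-mode model of the pointer scan above.
 * A constructed byte array stands in for a 32-bit ntoskrnl so the scan and its checks
 * can run and be tested without a driver. KERNEL_BASE, the OFF_* offsets, the code
 * bytes and the model_* helpers are assumptions of this example, not real Windows data. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef uint32_t KADDR;                         /* 32-bit kernel pointer (x86) */
typedef struct {                                /* layout from the question */
    KADDR ServiceTable, CounterTable;
    uint32_t ServiceLimit;
    KADDR ArgumentTable;
} SYSTEM_SERVICE_TABLE;
typedef struct { SYSTEM_SERVICE_TABLE ntoskrnl, win32k, sst3, sst4; } SERVICE_DESCRIPTOR_TABLE;

#define KERNEL_BASE 0x80400000u                 /* model image base (assumed) */
#define KERNEL_SIZE 0x2000u
#define OFF_SSDT    0x0100u                     /* KeServiceDescriptorTable (assumed offsets) */
#define OFF_SHADOW  0x0200u                     /* KeServiceDescriptorTableShadow */
#define OFF_FUNC    0x0400u                     /* KeAddSystemServiceTable code */
#define OFF_NT_TBL  0x0800u                     /* ntoskrnl entry-point array */
#define OFF_W32_TBL 0x1000u                     /* win32k entry-point array */
static uint8_t g_image[KERNEL_SIZE];            /* the constructed "ntoskrnl" */

/* Stand-in for MmIsAddressValid: the whole range must lie inside the image. */
static int model_is_valid(KADDR a, size_t len) {
    return a >= KERNEL_BASE && (uint64_t)(a - KERNEL_BASE) + len <= KERNEL_SIZE;
}
static void put32(uint32_t off, uint32_t v) {   /* little-endian, as on x86 */
    for (int i = 0; i < 4; i++) g_image[off + i] = (uint8_t)(v >> (8 * i));
}
static uint32_t get32(KADDR a) {
    const uint8_t *p = g_image + (a - KERNEL_BASE);
    return p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static void put_sst(uint32_t off, KADDR table, uint32_t limit) {
    put32(off, table); put32(off + 4, 0);       /* ServiceTable, CounterTable (NULL) */
    put32(off + 8, limit); put32(off + 12, table + limit * 4); /* ServiceLimit, ArgumentTable */
}

/* Build the image. The shadow table's first entry is a copy of KeServiceDescriptorTable's,
 * which is the property the scan keys on. The function body carries two decoy immediates
 * (KeServiceDescriptorTable itself, and a value outside the image) and, only when
 * with_shadow_ref is set, the real reference; otherwise the scan must come back empty. */
static void model_build_image(int with_shadow_ref) {
    static const uint8_t prologue[] = { 0x8B, 0xFF, 0x55, 0x8B, 0xEC }; /* mov edi,edi; push ebp; mov ebp,esp */
    static const uint8_t filler[]   = { 0x33, 0xF6, 0x90, 0x90, 0x90 }; /* xor esi,esi; nop; nop; nop */
    uint8_t *code = g_image + OFF_FUNC;

    memset(g_image, 0, sizeof g_image);
    put_sst(OFF_SSDT,        KERNEL_BASE + OFF_NT_TBL,  0x1c2);      /* ntoskrnl        */
    put_sst(OFF_SHADOW,      KERNEL_BASE + OFF_NT_TBL,  0x1c2);      /* shadow.ntoskrnl */
    put_sst(OFF_SHADOW + 16, KERNEL_BASE + OFF_W32_TBL, 0x20);       /* shadow.win32k   */
    memcpy(code, prologue, sizeof prologue);
    code[5]  = 0xB9; put32(OFF_FUNC + 6,  KERNEL_BASE + OFF_SSDT);   /* mov ecx, KeServiceDescriptorTable */
    code[10] = 0xBA; put32(OFF_FUNC + 11, 0x12345678u);              /* mov edx, <not a kernel address>  */
    if (with_shadow_ref) {
        code[15] = 0xBE; put32(OFF_FUNC + 16, KERNEL_BASE + OFF_SHADOW); /* mov esi, ...TableShadow */
    } else {
        memcpy(code + 15, filler, sizeof filler);
    }
    code[20] = 0xC3;                                                 /* ret */
}

/* The scan from the question: every 4-byte window of the function body is a candidate
 * pointer; accept it when the descriptor table it points at is fully mapped, it is not
 * KeServiceDescriptorTable itself, and its first SYSTEM_SERVICE_TABLE is byte-identical
 * to KeServiceDescriptorTable's. Returns 0 when no immediate in range qualifies. */
static KADDR scan_for_shadow(KADDR func, KADDR ssdt, uint32_t max_bytes) {
    for (uint32_t i = 0; i < max_bytes && model_is_valid(func + i, 4); i++) {
        KADDR cand = get32(func + i);
        if (cand == ssdt || !model_is_valid(cand, sizeof(SERVICE_DESCRIPTOR_TABLE)))
            continue;
        if (memcmp(g_image + (cand - KERNEL_BASE), g_image + (ssdt - KERNEL_BASE),
                   sizeof(SYSTEM_SERVICE_TABLE)) == 0)
            return cand;
    }
    return 0;
}

/* Extra check before trusting a hit: the win32k entry must itself look like a table
 * (non-zero, plausible limit; entry array inside the image). */
static int shadow_looks_sane(KADDR shadow) {
    KADDR    w32   = shadow + offsetof(SERVICE_DESCRIPTOR_TABLE, win32k);
    uint32_t limit = get32(w32 + offsetof(SYSTEM_SERVICE_TABLE, ServiceLimit));
    KADDR    table = get32(w32 + offsetof(SYSTEM_SERVICE_TABLE, ServiceTable));
    return limit != 0 && limit < 0x1000 && model_is_valid(table, (size_t)limit * 4);
}

int main(void) {
    model_build_image(1);
    KADDR hit = scan_for_shadow(KERNEL_BASE + OFF_FUNC, KERNEL_BASE + OFF_SSDT, 1024);
    printf("with reference:    0x%08x (sane=%d)\n", hit, hit ? shadow_looks_sane(hit) : 0);
    model_build_image(0);
    printf("without reference: 0x%08x\n", scan_for_shadow(KERNEL_BASE + OFF_FUNC, KERNEL_BASE + OFF_SSDT, 1024));
    return 0;
}
```

Two things carry over to the real driver: the scan reads a candidate at every byte offset, so the validity check has to cover the whole 16 bytes that memcmp reads and not just the first one, and a match on the first entry alone is weak evidence, so the win32k entry should be checked for a plausible limit and a mapped entry array before anything is written through it.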

All replies

  • Help with what? Why do you think knowing the address of this undocumented thing is useful?

    -- pa

    Monday, April 10, 2017 11:54 PM
  • Help with what? Why do you think knowing the address of this undocumented thing is useful?

    -- pa

    I have code that restores the SSDT and SSDT Shadow table, but it doesn't work on Win10 because it can't find this address.

    Monday, April 10, 2017 11:57 PM
  • Good news. Win10 then is more resistant to tampering.

    -- pa

    Tuesday, April 11, 2017 12:39 AM
  • Good news. Win10 then is more resistant to tampering.

    -- pa

    Probably, but if the address of this table can be found, it is still possible to modify it. If not, antivirus programs couldn't do it.
    Tuesday, April 11, 2017 1:00 AM
  • Why do you think AV programs modify the table? There are some crappy ones that did it, but fortunately most of that crap is phasing out. I did some work for security firms using the SSDT many years ago, and the only good advice I can give is: if someone mucks with it, crash the computer; it is better than trying to fix the problem.


    Don Burn Windows Driver Consulting Website: http://www.windrvr.com

    Tuesday, April 11, 2017 1:22 AM
  • Why do you think AV programs modify the table? There are some crappy ones that did it, but fortunately most of that crap is phasing out. I did some work for security firms using the SSDT many years ago, and the only good advice I can give is: if someone mucks with it, crash the computer; it is better than trying to fix the problem.


    Don Burn Windows Driver Consulting Website: http://www.windrvr.com

    @Don Burn,

    SSDT and SSDT Shadow hooking is still very, very widely used by AV programs (one of the main methods to protect their users), including on Win x64 with some technique that bypasses PatchGuard.

    My goal here is only to find the SSDT shadow table address to restore these hooks (which are also applied by rootkit viruses), not to hook this table.

    I'm already able to restore the SSDT table, up to Win 10 x32.
    Now only the SSDT shadow on Win10 is missing, but first I need to find its address.

    PS: My driver is x32, so it will only work on x32 Windows.
    • Edited by FLASHCODER Tuesday, April 11, 2017 2:01 AM
    Tuesday, April 11, 2017 1:46 AM
  • Actually, most of the quality AV programs don't do crap like this. Also, think about the fact that this is highly undocumented, and what documentation is out there is mostly wrong (most of the undocumented system call information is from NT4 or Windows 2000, and has been obsolete for 15 years).

    Now consider: you asked this within a day of needing to know how to compare strings in the kernel. That is pretty basic stuff, but now you want to muck with some of the most challenging things in the kernel, which you have to be extremely careful with and continually checking as the OS evolves to have a chance of not messing up the system as badly as any virus? I think you need to get your basics in order before you decide you need stuff like this.


    Don Burn Windows Driver Consulting Website: http://www.windrvr.com

    Tuesday, April 11, 2017 2:13 PM
  • Actually, most of the quality AV programs don't do crap like this. Also, think about the fact that this is highly undocumented, and what documentation is out there is mostly wrong (most of the undocumented system call information is from NT4 or Windows 2000, and has been obsolete for 15 years).

    Now consider: you asked this within a day of needing to know how to compare strings in the kernel. That is pretty basic stuff, but now you want to muck with some of the most challenging things in the kernel, which you have to be extremely careful with and continually checking as the OS evolves to have a chance of not messing up the system as badly as any virus? I think you need to get your basics in order before you decide you need stuff like this.


    Don Burn Windows Driver Consulting Website: http://www.windrvr.com

    Most of the quality AV programs perform hooking on the SSDT and SSDT shadow tables, e.g. Avast, AVG, Avira, Kaspersky and others.

    I created this topic already knowing a little that no one would be able to help with the title of this question; even so, thank you for these answers.


    Tuesday, April 11, 2017 8:17 PM
  • Make no mistake, Don and several of us know exactly how to do this, and we won't tell you for the reasons already discussed, including that we don't want to aid junior hackers in creating more malware.

     -Brian


    Azius Developer Training www.azius.com Windows device driver, internals, security, & forensics training and consulting. Blog at www.azius.com/blog

    Tuesday, April 11, 2017 11:48 PM
    Moderator
  • Even if your goal is totally pure, remember that Symantec and McAfee both hooked and accidentally removed almost all the security from Windows. So even if you are an expert, playing with the SSDT is a great way to open the door for others. Finally, there is a claim that one can restore the SSDT, but there are always scenarios where this will not work, and actually damage the system more than the virus.


    Don Burn Windows Driver Consulting Website: http://www.windrvr.com

    Wednesday, April 12, 2017 12:22 AM
  • Make no mistake, Don and several of us know exactly how to do this, and we won't tell you for the reasons already discussed, including that we don't want to aid junior hackers in creating more malware.

     -Brian


    Azius Developer Training www.azius.com Windows device driver, internals, security, & forensics training and consulting. Blog at www.azius.com/blog

    Since when is restoring the SSDT the job of malware? And if you knew, you would already have shown it in code or with steps to succeed with this goal (get the SSDT shadow address on Win10 x32). Don didn't even know that some of the main AVs use SSDT hooking even on Win64 :D

    Ending the comments here.

    Wednesday, April 12, 2017 2:25 AM
  • Actually, I do know the approach but:

    1. It is not easy to get right
    2. It is a template for writing your own malware
    3. It is not something I encourage anyone to do.

    Accept the fact that if the SSDT is hooked, trying to fix it in a running system is just likely to break things further.


    Don Burn Windows Driver Consulting Website: http://www.windrvr.com

    Wednesday, April 12, 2017 11:04 AM
  • Actually, I do know the approach but:

    1. It is not easy to get right
    2. It is a template for writing your own malware
    3. It is not something I encourage anyone to do.

    Accept the fact that if the SSDT is hooked, trying to fix it in a running system is just likely to break things further.


    Don Burn Windows Driver Consulting Website: http://www.windrvr.com

    I don't accept anything; you are totally wrong about all the items that you wrote above, mainly about this:

    Accept the fact that if the SSDT is hooked, trying to fix it in a running system is just likely to break things further.


    • Edited by FLASHCODR Wednesday, April 12, 2017 2:28 PM
    Wednesday, April 12, 2017 2:26 PM