Click here to Skip to main content
8,905,383 members and growing!
  
Email Password   Lost password?
Search within:



add
Add to your CodeProject bookmarks
Print Article
Site map
 » General Programming » Programming Tips » General
Licence CPOL
First Posted 26 May 2008
Views 13,425
Downloads 56
Bookmarked 11 times

How Can I Get the Address of KeServiceDescriptorTableShadow

By | 26 May 2008 | Article
Explain how to get the address of KeServiceDescriptorTableShadow
ArticleBrowse CodeStatsRevisions (2)Alternatives
  Discuss
Discuss this article
 4  

Introduction

This article shows how to get the address of KeServiceDescriptorTableShadow kernel variable. This variable is used to add new system services to kernel, or hook an existing system service. Unfortunately, it is not exported by ntoskrnl.exe, so we have to get its address manually.

Background

Using KeServiceDescriptorTable variable exported by ntoskrnl.exe, we can get the address of KeServiceDescriptorTableShadow variable. KeServiceDescriptorTableShadow is an extension of KeServiceDescriptorTable variable. Please see the following section.

Using the Code

The type of two variables is SERVICE_DESCRIPTOR_TABLE structure. This structure is defined as follows:

typedef struct _SERVICE_DESCRIPTOR_TABLE
{
 PULONG  ServiceTable;  	// array of entry-points
 PULONG  puCounterTable;  	// array of counters
 ULONG  uTableSize;   	// number of table entries
 PUCHAR  pbArgumentTable; 	// array of byte counts
} SERVICE_DESCRIPTOR_TABLE, *PSERVICE_DESCRIPTOR_TABLE;

The first part of KeServiceDescriptorTableShadow is the same as KeServiceDescriptorTable. And so we could get the address of KeServiceDescriptorTableShadow by comparing memories around KeServiceDescriptorTable. In different version of Windows, this address is different.

This function retrieves its address in different version of Windows.

PSERVICE_DESCRIPTOR_TABLE QuerySDTShadow()
{
 ULONG Index;
 PUCHAR SDTShadow;
 UONG MajorVersion, MinorVersion, BuildNumber;
 UNICODE_STRING &CSDVersion;
 PsGetVersion(&MajorVersion, &MinorVersion, &BuildNumber, &CSDVersion);
 __try
 {
  if(MajorVersion == 5 && MinorVersion == 1) // Windows XP
   SDTShadow = (PUCHAR)((ULONG)&KeServiceDescriptorTable - 0x40);
  else // Windows 2000, or Windows Vista
   SDTShadow = (PUCHAR)((ULONG)&KeServiceDescriptorTable + 0x40);
  for(Index = 0; Index < 0x1000; Index ++, SDTShadow ++)
  {
   KeServiceDescriptorTableShadow = (PSERVICE_DESCRIPTOR_TABLE)SDTShadow;
   if(KeServiceDescriptorTableShadow == &KeServiceDescriptorTable)
    continue;
   if(memcmp(KeServiceDescriptorTableShadow, &KeServiceDescriptorTable, 0x10) == 0 
    && ((UCHAR)KeServiceDescriptorTableShadow->ServiceTable & 3) == 0)
   {
    return (PSERVICE_DESCRIPTOR_TABLE)SDTShadow;
   }
  }
  return NULL;
 }
 __except(1)
 {
  return NULL;
 }
}

This code was tested in various environments, but you must use it carefully.

History

  • 26th May, 2008: Initial post

License

This article, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)

About the Author

Try and try

Software Developer (Senior)

China China

Member

Article Top
 
Sign Up to vote   Poor Excellent
Add a reason or comment to your vote: x
Votes of 3 or less require a comment

Comments and Discussions

 
You must Sign In to use this message board. (secure sign-in)
 
Search this forum  
 FAQ
    Noise  Layout  Per page   
  RefreshFirst Prev Next
BugThis code doesn't compile Pinmemberben_staniford23:19 25 Oct '11  
GeneralRe: This code doesn't compile PinmemberTry and try4:51 1 Nov '11  
GeneralI don't get it PinmemberJim Crafton8:05 27 May '08  
Why would you need this? There are already established APIs for adding a system service. What does this give you beyond potentially adding instability into the system/kernel? And isn't it a a bit of a warning flag that the function you wan't *isn't* exported?
 
¡El diablo está en mis pantalones! ¡Mire, mire!
 
Real Mentats use only 100% pure, unfooled around with Sapho Juice(tm)!
 
SELECT * FROM User WHERE Clue > 0
0 rows returned

Save an Orange - Use the VCF!
VCF Blog
Sign In·View Thread·Permalink3.25/5 (3 votes)
GeneralRe: I don't get it PinmemberLiro90007:15 1 Mar '10  
Last Visit: 12:11 4 Jun '12     Last Update: 8:11 4 Jun '12 1

General General    News News    Suggestion Suggestion    Question Question    Bug Bug    Answer Answer    Joke Joke    Rant Rant    Admin Admin   

Use Ctrl+Left/Right to switch messages, Ctrl+Up/Down to switch threads, Ctrl+Shift+Left/Right to switch pages.

Permalink | Advertise | Privacy | Mobile
Web02 | 2.5.120604.1 | Last Updated 26 May 2008
Article Copyright 2008 by Try and try
Everything else Copyright © CodeProject, 1999-2012
Terms of Use
Layout: fixed | fluid

The Code Project Insider. Free each morning.
Http 500 Error resolution
ScrollBar Control with Different Visual Style using VB.NET 2008
Iterating through menustrip items
Mocking the generic repository
LINQ on the command-line
Stored Procedure Data Gateway
8-Puzzle solving using the A* algorithm using Python and PyGame
Simple C Hashtable
User Feedback For Long Running Tasks in ASP.NET
Authoring Documentation with DocProject and Sandcastle
ASP.NET automatic Object to UI Binding
Logging information in Oracle
Using DataPlotter implementing three kinds of Scan-converting Line Segments algorithm
Dynamically Pointing to Shared Data Sources on SQL Reporting Services using a Report Definition Customization Extension (RDCE)
Design the WCF service without implementing interface
Snail Run For Windows Phone
Merge DataGrid Header
NodeJS REST server trials to validate effective scripting
Wcf.js: Call WCF web services from Node.js
How To Lock Device Screen For Windows Mobile
A new version of my 3D asteroid game in OpenGL with C#