CodeProject: How Can I Get the Address of KeServiceDescriptorTableShadow. Free source code and programming help

Announcements

	Windows 7 Comp Win a laptop!
	Monthly Competition

Articles

Desktop Development

Web Development

Enterprise Systems

Content Management Server

Microsoft BizTalk Server

SQL Reporting Services

Platforms, Frameworks & Libraries

Windows Communication Foundation

Windows Presentation Foundation

Windows Workflow Foundation

Cryptography & Security

Threads, Processes & IPC

WinHelp / HTMLHelp

Uncategorised Quick Answers

Graphics / Design

Expression

Usability

Development Lifecycle

Debug Tips

Design and Architecture

Uncategorised Technical Blogs

Services

Code-signing Certificates

Job Board

CodeProject VS2008 Addin

Feature Zones

Product Showcase

Code Signing Resources

WhitePapers / Webcasts

ASP.NET Web Hosting

Advanced Search
Add to IE Search

Discuss

Report

7 votes for this article.

Popularity: 2.20 Rating: 2.60 out of 5

Download source - 711 B

Introduction

This article shows how to get the address of KeServiceDescriptorTableShadow kernel variable. This variable is used to add new system services to kernel, or hook an existing system service. Unfortunately, it is not exported by ntoskrnl.exe, so we have to get its address manually.

Background

Using KeServiceDescriptorTable variable exported by ntoskrnl.exe, we can get the address of KeServiceDescriptorTableShadow variable. KeServiceDescriptorTableShadow is an extension of KeServiceDescriptorTable variable. Please see the following section.

Using the Code

The type of two variables is SERVICE_DESCRIPTOR_TABLE structure. This structure is defined as follows:

typedef struct _SERVICE_DESCRIPTOR_TABLE
{
 PULONG  ServiceTable;  	// array of entry-points
 PULONG  puCounterTable;  	// array of counters
 ULONG  uTableSize;   	// number of table entries
 PUCHAR  pbArgumentTable; 	// array of byte counts
} SERVICE_DESCRIPTOR_TABLE, *PSERVICE_DESCRIPTOR_TABLE;

The first part of KeServiceDescriptorTableShadow is the same as KeServiceDescriptorTable. And so we could get the address of KeServiceDescriptorTableShadow by comparing memories around KeServiceDescriptorTable. In different version of Windows, this address is different.

This function retrieves its address in different version of Windows.

PSERVICE_DESCRIPTOR_TABLE QuerySDTShadow()
{
 ULONG Index;
 PUCHAR SDTShadow;
 UONG MajorVersion, MinorVersion, BuildNumber;
 UNICODE_STRING &CSDVersion;
 PsGetVersion(&MajorVersion, &MinorVersion, &BuildNumber, &CSDVersion);
 __try
 {
  if(MajorVersion == 5 && MinorVersion == 1) // Windows XP
   SDTShadow = (PUCHAR)((ULONG)&KeServiceDescriptorTable - 0x40);
  else // Windows 2000, or Windows Vista
   SDTShadow = (PUCHAR)((ULONG)&KeServiceDescriptorTable + 0x40);
  for(Index = 0; Index < 0x1000; Index ++, SDTShadow ++)
  {
   KeServiceDescriptorTableShadow = (PSERVICE_DESCRIPTOR_TABLE)SDTShadow;
   if(KeServiceDescriptorTableShadow == &KeServiceDescriptorTable)
    continue;
   if(memcmp(KeServiceDescriptorTableShadow, &KeServiceDescriptorTable, 0x10) == 0 
    && ((UCHAR)KeServiceDescriptorTableShadow->ServiceTable & 3) == 0)
   {
    return (PSERVICE_DESCRIPTOR_TABLE)SDTShadow;
   }
  }
  return NULL;
 }
 __except(1)
 {
  return NULL;
 }
}

This code was tested in various environments, but you must use it carefully.

History

26^th May, 2008: Initial post

License

This article, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)

About the Author

Try and try

Member

Occupation:	Software Developer (Senior)
Location:	China

How Can I Get the Address of KeServiceDescriptorTableShadow