From: "Jeffrey Tan[MSFT]" on
Different OSes have different numbers of SSDT entries. Service patches or
hotfixes may also modify the SSDT. This is expected. As far as I know, some
rootkits, DRM software and anti-virus software may also add to or patch the
SSDT. We should not assume it is static. Thanks.

Best regards,
Jeffrey Tan
Microsoft Online Community Support
=========================================
Delighting our customers is our #1 priority. We welcome your comments and
suggestions about how we can improve the support we provide to you. Please
feel free to let my manager know what you think of the level of service
provided. You can send feedback directly to my manager at:
msdnmg(a)microsoft.com.

This posting is provided "AS IS" with no warranties, and confers no rights.

From: None on
Thanks.

> Oh, yes, it seems that I can dump the Win32k.sys SSDT without switching to
> a GUI process context. I remember that I was told that we should switch to
> GUI process context to dump it. Anyway, I may remember incorrectly.

Is it because almost all of the processes (in Process Explorer) load
gdi32.dll / user32.dll, either dynamically or statically?

And please help me with the question: "Why can't I see a variable
KeServiceDescriptorTableShadow exported from win32k.sys, like the
KeServiceDescriptorTable variable exported from ntoskrnl.exe?" Thanks!

"Jeffrey Tan[MSFT]" <jetan(a)online.microsoft.com> wrote in message
news:8fosx4epIHA.1784(a)TK2MSFTNGHUB02.phx.gbl...
> Hi,
>
> Thanks for your feedback.
>
> Oh, yes, it seems that I can dump the Win32k.sys SSDT without switching to
> a GUI process context. I remember that I was told that we should switch to
> GUI process context to dump it. Anyway, I may remember incorrectly.
>
> Csrss.exe is a GUI process. Yes, it seems that it does not link with
> user32.dll or gdi32.dll statically; however, it loads user32.dll and gdi32
> into its process for use (it may load them dynamically). You may use Process
> Explorer to examine the csrss.exe process DLL view. As far as I know, csrss.exe
> is responsible for painting the console windows on the screen, so it
> definitely needs to call GUI APIs.
>
> Thanks.
>
> Best regards,
> Jeffrey Tan
> Microsoft Online Community Support
>


From: None on
I'm surprised to hear that a third party can customize the SSDT. I know we
can hook system service calls by redirecting the call from the SSDT to our
procedure, but I am not sure how to modify the dispatch table directly. :-)

"Jeffrey Tan[MSFT]" <jetan(a)online.microsoft.com> wrote in message
news:dZs20%23epIHA.1784(a)TK2MSFTNGHUB02.phx.gbl...
> Different OSes have different numbers of SSDT entries. Service patches or
> hotfixes may also modify the SSDT. This is expected. As far as I know, some
> rootkits, DRM software and anti-virus software may also add to or patch the
> SSDT. We should not assume it is static. Thanks.
>
> Best regards,
> Jeffrey Tan
> Microsoft Online Community Support
>


From: "Jeffrey Tan[MSFT]" on
Hi,

Thanks for your feedback.

User32 is loaded by many processes because it is used by COM for
marshaling, to receive device notifications, to implement console windows,
and for many other things. Any NT native process will be built without linking
against user32 or gdi32 - e.g. smss, psxss (have a look in the loaded DLLs
pane for such processes in Process Explorer).

The system service table that is used by a thread is a per-thread decision.
The first time a thread invokes a win32k system call, it is converted to
using KeServiceDescriptorTableShadow as its system service table rather
than KeServiceDescriptorTable (have a look through the trap handler to see
how this is done if you have source access).

Both KeServiceDescriptorTable and KeServiceDescriptorTableShadow are global
data in the kernel, rather than in win32k.sys.

If you really want to get the KeServiceDescriptorTableShadow address in code,
you may take a look at the article below:
"Obtaining KeServiceDescriptorTableShadow address in Windows XP Kernel mode"
http://www.volynkin.com/sdts.htm

Hope this helps.

Best regards,
Jeffrey Tan
Microsoft Online Community Support
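Since the thread's point is that the SSDT is not static and may be patched by third-party code, a defender usually wants to check a dumped table rather than compare it against a fixed list. The following is an added example, not code from this thread or from Microsoft: a user-mode Python script that parses a WinDbg-style `dps` dump of a service table and flags entries whose target falls outside the module that should own them. The dump text and the module ranges are constructed sample values, and the 32-bit layout and the `dps` column format are assumptions.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: a WinDbg-style `dps nt!KiServiceTable L4` dump (32-bit layout).
# Addresses and symbols are made up for illustration; the third slot has no symbol.
SAMPLE_DUMP = """\
8050104c  80598746 nt!NtAcceptConnectPort
80501050  805e5914 nt!NtAccessCheck
80501054  f8a1c2d0
80501058  805e8e68 nt!NtAddAtom
"""

# Constructed module ranges as `lm` would list them: name -> (base, size). Made up.
MODULES = {"nt": (0x804D7000, 0x0021D000), "win32k": (0xBF800000, 0x001C0000)}

# slot address, target address, optional resolved symbol
LINE_RE = re.compile(r"^([0-9a-f]{8})\s+([0-9a-f]{8})(?:\s+(\S+))?\s*$")

@dataclass
class Entry:
    index: int              # position in the table; the entry count is not assumed fixed
    target: int             # address the slot dispatches to
    symbol: Optional[str]   # None when the debugger resolved no symbol

def parse_dump(text: str) -> list:
    """Parse dps output into Entry objects, in table order; ignore non-matching lines."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        _slot, target, symbol = m.groups()
        entries.append(Entry(len(entries), int(target, 16), symbol))
    return entries

def owner(addr: int, modules: dict) -> Optional[str]:
    """Name of the module whose image range contains addr, or None if no module does."""
    for name, (base, size) in modules.items():
        if base <= addr < base + size:
            return name
    return None

def find_suspects(entries, modules, expected: str) -> list:
    """Entries whose target is outside the expected owner: 'nt' for
    KeServiceDescriptorTable, 'win32k' for the shadow table's win32k portion.
    A hit means that slot was redirected by something other than the owner."""
    return [e for e in entries if owner(e.target, modules) != expected]

if __name__ == "__main__":
    for e in find_suspects(parse_dump(SAMPLE_DUMP), MODULES, "nt"):
        print(f"slot {e.index}: 0x{e.target:08x} -> {owner(e.target, MODULES)}")
```

Running it on a real dump means pasting the `dps` output and the `lm` ranges for the running kernel and win32k, since both vary by OS version and patch level.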