From: "Jeffrey Tan[MSFT]" on 24 Apr 2008 05:43

Different OSes have different numbers of SSDT entries. Service patches or hotfixes may modify the SSDT as well. This is expected. As I know, some rootkits, DRM software and anti-virus software may also add to or patch the SSDT. We should not assume it is static.

Thanks.

Best regards,
Jeffrey Tan
Microsoft Online Community Support
=========================================
Delighting our customers is our #1 priority. We welcome your comments and suggestions about how we can improve the support we provide to you. Please feel free to let my manager know what you think of the level of service provided. You can send feedback directly to my manager at: msdnmg(a)microsoft.com.

This posting is provided "AS IS" with no warranties, and confers no rights.
From: None on 24 Apr 2008 09:16

Thanks.

> Oh, yes, it seems that I can dump the Win32k.sys SSDT without switching to
> a GUI process context. I remember that I was told that we should switch to
> GUI process context to dump it. Anyway, I may remember incorrectly.

Is it because almost all the processes (in Process Explorer) dynamically or statically load gdi32.dll / user32.dll?

And please help me with the question "Why can't I see a variable "KeServiceDescriptorTableShadow" exported from win32k.sys like the KeServiceDescriptorTable variable exported from ntoskrnl.exe?"

Thanks!

""Jeffrey Tan[MSFT]"" <jetan(a)online.microsoft.com> wrote in message news:8fosx4epIHA.1784(a)TK2MSFTNGHUB02.phx.gbl...
> Hi,
>
> Thanks for your feedback.
>
> Oh, yes, it seems that I can dump the Win32k.sys SSDT without switching to
> a GUI process context. I remember that I was told that we should switch to
> GUI process context to dump it. Anyway, I may remember incorrectly.
>
> Csrss.exe is a GUI process. Yes, it seems that it does not link with
> user32.dll or gdi32.dll statically; however, it loads user32.dll, gdi32 in
> its process for using (may load it dynamically). You may use Process
> Explorer to examine the csrss.exe process DLL View. As I know, Csrss.exe is
> responsible for painting the console windows on the screen, so it
> definitely needs to call GUI APIs.
>
> Thanks.
>
> Best regards,
> Jeffrey Tan
> Microsoft Online Community Support
From: None on 24 Apr 2008 09:24

I'm surprised to hear that a third party can customize the SSDT. I know we can hook system service calls by redirecting the call from the SSDT to our procedure, but I am not sure how to modify the dispatch table directly. :-)

""Jeffrey Tan[MSFT]"" <jetan(a)online.microsoft.com> wrote in message news:dZs20%23epIHA.1784(a)TK2MSFTNGHUB02.phx.gbl...
> Different OSes have different numbers of SSDT entries. Service patches or
> hotfixes may modify the SSDT as well. This is expected. As I know, some
> rootkits, DRM software and anti-virus software may also add to or patch the
> SSDT. We should not assume it is static. Thanks.
>
> Best regards,
> Jeffrey Tan
> Microsoft Online Community Support
From: "Jeffrey Tan[MSFT]" on 25 Apr 2008 02:30

Hi,

Thanks for your feedback.

User32 is loaded by many processes because it is used by COM for marshaling, to receive device notifications, to implement console windows, and for many other things. Any NT native process will be built without linking against user32 or gdi32, e.g. smss, psxss (have a look in the loaded DLLs pane for such processes in Process Explorer).

The system service table that is used by a thread is a per-thread decision. The first time a thread invokes a win32k system call, it is converted to using KeServiceDescriptorTableShadow as its system service table rather than KeServiceDescriptorTable (have a look through the trap handler to see how this is done if you have source access). Both KeServiceDescriptorTable and KeServiceDescriptorTableShadow are global data in the kernel, rather than in win32k.sys.

If you really want to get the KeServiceDescriptorTableShadow address in code, you may take a look at the article below:

"Obtaining KeServiceDescriptorTableShadow address in Windows XP Kernel mode"
http://www.volynkin.com/sdts.htm

Hope this helps.

Best regards,
Jeffrey Tan
Microsoft Online Community Support
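The thread makes three points a defender can turn into a check: the table is not static (so its length must be read from the descriptor, never hardcoded), hooking works by redirecting an entry to third-party code, and each table is owned by one image (ntoskrnl for KeServiceDescriptorTable, win32k.sys for the shadow table). The following is an added, user-mode illustration of the classic SSDT integrity check, not code from this thread or from Microsoft; it assumes the publicly documented field layout of KSERVICE_TABLE_DESCRIPTOR and uses constructed addresses rather than reading a live kernel.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
/* User-mode model of a service descriptor table, laid out like the publicly
 * documented KSERVICE_TABLE_DESCRIPTOR (an assumption; no live kernel is touched). */
typedef struct {
    uintptr_t *ServiceTableBase;        /* array of service routine addresses */
    uint32_t  *ServiceCounterTableBase; /* per-service call counters (unused here) */
    uint32_t   NumberOfServices;        /* differs per OS/service pack: never hardcode */
    uint8_t   *ParamTableBase;          /* argument byte counts (unused here) */
} service_table_t;
/* Image that should own every entry: ntoskrnl for the base table, win32k.sys for the shadow. */
typedef struct { uintptr_t start, end; } image_range_t;
/* Integrity check: count entries whose target lies outside the owning image.
 * A redirected entry points at third-party code, so it fails the range test.
 * If out_first is non-NULL it receives the index of the first such entry. */
size_t count_hooked_entries(const service_table_t *t, image_range_t owner,
                            uint32_t *out_first)
{
    size_t hooked = 0;
    for (uint32_t i = 0; i < t->NumberOfServices; i++) { /* use the table's own count */
        uintptr_t target = t->ServiceTableBase[i];
        if (target < owner.start || target >= owner.end) {
            if (hooked == 0 && out_first) *out_first = i;
            hooked++;
        }
    }
    return hooked;
}
/* Constructed sample: six entries, entry 3 redirected into a hypothetical
 * third-party driver outside the (also constructed) ntoskrnl range. */
static uintptr_t sample_entries[6] = {
    0x80401000, 0x80402000, 0x80403000,
    0x90001000,                          /* outside ntoskrnl: redirected entry */
    0x80405000, 0x80406000,
};
static const image_range_t sample_ntoskrnl = { 0x80400000, 0x80500000 };
/* Runs the check over the sample; returns the hooked count, first index via pointer. */
size_t check_sample(uint32_t *first_index)
{
    service_table_t t = { sample_entries, NULL, 6, NULL };
    return count_hooked_entries(&t, sample_ntoskrnl, first_index);
}
int main(void)
{
    uint32_t idx = 0;
    size_t n = check_sample(&idx);
    printf("%zu redirected entries, first at index %u\n", n, idx);
    return 0;
}
```

A real tool would fill the owner ranges from the loaded-module list and compare against both tables, since a thread that has made a win32k call dispatches through the shadow table.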