From: None on 22 Apr 2008 11:35

Greetings,

I know how to dump the IDT with the !idt -a command in the kernel debugger. But how can I dump the SSDT, e.g. KeServiceDescriptorTable, which is located in ntoskrnl? I think I can do it programmatically with the undocumented KeServiceDescriptorTable variable exported by NTOSKRNL. So my first question is, would you write a code snippet for me that uses KeServiceDescriptorTable to dump the table? My second question is how can I dump the table with the kernel debugger?

Thanks
From: "Jeffrey Tan[MSFT]" on 22 Apr 2008 23:22

Hi,

Yes, to dump the SSDT programmatically, we may get the KeServiceDescriptorTable variable exported by ntoskrnl.exe and parse the structure. I found my original learning code snippet for dumping the SSDT; however, I have not verified its correctness yet, for your information:

#include "ntddk.h"

// x86 layout of the service table descriptor (KSERVICE_TABLE_DESCRIPTOR),
// matching the four DWORDs shown by the dps output further down.
typedef struct _SSDT_Entry
{
    unsigned int  *ServiceDispatchTableBase;   // KiServiceTable: one handler address per service
    unsigned int  *ServiceCounterTableBase;    // per-service call counters (0 in the dps output below)
    unsigned int   NumberOfServices;
    unsigned char *ServiceParameterTableBase;  // KiArgumentTable: bytes of stack arguments per service
} SSDT_Entry;

extern __declspec(dllimport) SSDT_Entry KeServiceDescriptorTable;

VOID OnUnload(IN PDRIVER_OBJECT theDriverObj)
{
    UNREFERENCED_PARAMETER(theDriverObj);
    DbgPrint("OnUnload called\n");
}

NTSTATUS DriverEntry(IN PDRIVER_OBJECT theDriverObj, IN PUNICODE_STRING theRegistryPath)
{
    unsigned int  i;
    unsigned int  ServiceHandlerAddr;
    unsigned char ArgBytes;

    UNREFERENCED_PARAMETER(theRegistryPath);
    DbgPrint("DriverEntry called\n");
    theDriverObj->DriverUnload = OnUnload;

    DbgPrint("SSDT service number %u\n", KeServiceDescriptorTable.NumberOfServices);
    for (i = 0; i < KeServiceDescriptorTable.NumberOfServices; i++)
    {
        ServiceHandlerAddr = KeServiceDescriptorTable.ServiceDispatchTableBase[i];
        ArgBytes           = KeServiceDescriptorTable.ServiceParameterTableBase[i];
        DbgPrint("Index %u: Handler 0x%08X, Argument bytes %u\n", i, ServiceHandlerAddr, ArgBytes);
    }

    return STATUS_SUCCESS;
}

To dump the SSDT in the kernel debugger, it is pretty easy, do it like this:

0: kd> dps nt!KeServiceDescriptorTable l4
808aeee0 8083fc4c nt!_KiServiceTable
808aeee4 00000000
808aeee8 00000128
808aeeec 80803618 nt!KiArgumentTable

// Get the SSDT entries count "0x128" from the output above
0: kd> dps nt!_KiServiceTable l128
...
output
...

If you want to dump the Win32k.sys service table, you have to first switch the process context to a GUI process. Like this:

0: kd> !process 0 0 csrss.exe
PROCESS 82553020 SessionId: 0 Cid: 01a8 Peb: 7ffdd000 ParentCid: 0170
    DirBase: 1b652000 ObjectTable: e14fdeb8 HandleCount: 527.
    Image: csrss.exe

0: kd> dps nt!KeServiceDescriptorTableShadow l8
808aeec0 8083fc4c nt!_KiServiceTable
808aeec4 00000000
808aeec8 00000128
808aeecc 80803618 nt!KiArgumentTable
808aeed0 bf9a2000 win32k!W32pServiceTable
808aeed4 00000000
808aeed8 00000299
808aeedc bf9a2d08 win32k!W32pArgumentTable

// Get the entries count "0x299" from the output above
0: kd> dps win32k!W32pServiceTable l299

Hope this helps.

Best regards,
Jeffrey Tan
Microsoft Online Community Support

Delighting our customers is our #1 priority. We welcome your comments and suggestions about how we can improve the support we provide to you. Please feel free to let my manager know what you think of the level of service provided. You can send feedback directly to my manager at: msdnmg(a)microsoft.com.

==================================================
Get notification to my posts through email? Please refer to http://msdn.microsoft.com/subscriptions/managednewsgroups/default.aspx#notifications.

Note: The MSDN Managed Newsgroup support offering is for non-urgent issues where an initial response from the community or a Microsoft Support Engineer within 1 business day is acceptable. Please note that each follow up response may take approximately 2 business days as the support professional working with you may need further investigation to reach the most efficient resolution. The offering is not appropriate for situations that require urgent, real-time or phone-based interactions or complex project analysis and dump analysis issues. Issues of this nature are best handled working with a dedicated Microsoft Support Engineer by contacting Microsoft Customer Support Services (CSS) at http://msdn.microsoft.com/subscriptions/support/default.aspx.
==================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
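An added example (not from the thread or from Microsoft) for working with the dps listings above outside the debugger: it parses the four-DWORD rows dps prints into KSERVICE_TABLE_DESCRIPTOR records, emits the follow-up dps command with the entry count as a hex length, and flags a table base the debugger printed without a symbol. The `ServiceTable` and `parse_dps` names are mine, and the regex assumes the 32-bit two-column dps format shown in the post.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed input: the 'dps nt!KeServiceDescriptorTableShadow l8' listing quoted
# above (32-bit kernel, one DWORD per row; the prompt line is skipped by the parser).
SHADOW_DUMP = """
0: kd> dps nt!KeServiceDescriptorTableShadow l8
808aeec0 8083fc4c nt!_KiServiceTable
808aeec4 00000000
808aeec8 00000128
808aeecc 80803618 nt!KiArgumentTable
808aeed0 bf9a2000 win32k!W32pServiceTable
808aeed4 00000000
808aeed8 00000299
808aeedc bf9a2d08 win32k!W32pArgumentTable
"""

# One dps row: address, value and, when the debugger can resolve one, a symbol.
DPS_ROW = re.compile(r"^\s*([0-9a-fA-F]{8})\s+([0-9a-fA-F]{8})(?:\s+(\S+))?\s*$")

@dataclass
class ServiceTable:
    # One KSERVICE_TABLE_DESCRIPTOR, in the order the four DWORDs appear in memory.
    dispatch_base: int
    dispatch_symbol: Optional[str]
    counter_base: int
    count: int
    argument_base: int
    argument_symbol: Optional[str]

    def follow_up_command(self) -> str:
        # dps takes a hex length after 'l', so 0x128 entries becomes "l128".
        target = self.dispatch_symbol or f"{self.dispatch_base:08x}"
        return f"dps {target} l{self.count:x}"

    def unresolved(self) -> List[str]:
        # A table base printed without a symbol did not resolve to a loaded module; check it against 'lm'.
        pairs = [("dispatch", self.dispatch_symbol), ("argument", self.argument_symbol)]
        return [name for name, sym in pairs if sym is None]

def parse_dps(text: str) -> List[ServiceTable]:
    # Group matching rows four at a time; prompt, comment and blank lines fall out.
    rows = [m for m in map(DPS_ROW.match, text.splitlines()) if m]
    values = [(int(m.group(2), 16), m.group(3)) for m in rows]
    tables = []
    for i in range(0, len(values) - 3, 4):
        (disp, dsym), (cnt, _), (n, _), (arg, asym) = values[i:i + 4]
        tables.append(ServiceTable(disp, dsym, cnt, n, arg, asym))
    return tables
```

Feeding it the four-row listing from the next reply in the thread yields a single descriptor with 0x149 entries whose argument table base carries no symbol.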
From: None on 23 Apr 2008 12:47

Thanks, but it's weird that my computer shows

kd> dps nt!KeServiceDescriptorTable L4
808a6380 89ca0ad8 nt!KiServiceTable
808a6384 00000000
808a6388 00000149
808a638c 896e1eb0

I have 0x149 services in KeServiceDescriptorTable but you have only 0x128.

"Jeffrey Tan[MSFT]" <jetan(a)online.microsoft.com> wrote in message news:R3oX8EPpIHA.2252(a)TK2MSFTNGHUB02.phx.gbl...
From: None on 23 Apr 2008 13:11

1. Why do I need to "switch the process context to a GUI process"? I don't think the GUI process is csrss.exe. I launched Depends Walker on csrss and found it depends on ntdll.dll and csrsrv.dll. I think the GDI APIs should be in user32.dll or Gdi32.dll, and the corresponding kernel part is win32k.sys. In addition, I find that if I do not run your command "!process 0 0 csrss.exe", I'm still able to get the same output:

> 808aeec0 8083fc4c nt!_KiServiceTable
> 808aeec4 00000000
> 808aeec8 00000128
> 808aeecc 80803618 nt!KiArgumentTable
> 808aeed0 bf9a2000 win32k!W32pServiceTable
> 808aeed4 00000000
> 808aeed8 00000299
> 808aeedc bf9a2d08 win32k!W32pArgumentTable

2. Why can't I see a variable "KeServiceDescriptorTableShadow" exported from win32k.sys like the KeServiceDescriptorTable variable exported from ntoskrnl.exe?

"Jeffrey Tan[MSFT]" <jetan(a)online.microsoft.com> wrote in message news:R3oX8EPpIHA.2252(a)TK2MSFTNGHUB02.phx.gbl...
From: "Jeffrey Tan[MSFT]" on 24 Apr 2008 05:32

Hi,

Thanks for your feedback.

Oh, yes, it seems that I can dump the Win32k.sys SSDT without switching to a GUI process context. I remember that I was told that we should switch to a GUI process context to dump it. Anyway, I may remember incorrectly.

Csrss.exe is a GUI process. Yes, it seems that it does not link with user32.dll or gdi32.dll statically; however, it loads user32.dll and gdi32.dll into its process for use (it may load them dynamically). You may use Process Explorer to examine the csrss.exe process's DLL view. As far as I know, Csrss.exe is responsible for painting the console windows on the screen, so it definitely needs to call GUI APIs.

Thanks.

Best regards,
Jeffrey Tan
Microsoft Online Community Support