From: None on
Greetings,
I know how to dump the IDT with the !idt -a command in the kernel debugger. But how can
I dump the SSDT, e.g. KeServiceDescriptorTable, which is located in ntoskrnl?

I think I can do it programmatically with the undocumented
KeServiceDescriptorTable exported by NTOSKRNL. So my first question is,
would you write a code snippet for me that uses KeServiceDescriptorTable to
dump the table?

My second question is: how can I dump the table with the kernel debugger?

Thanks


From: "Jeffrey Tan[MSFT]" on
Hi,

Yes, to dump the SSDT programmatically, we may get the KeServiceDescriptorTable
variable exported by ntoskrnl.exe and parse the structure. I found my
original learning code snippet for dumping the SSDT; however, I have not
verified its correctness yet. For your information:

#include <ntddk.h>

/* Layout of the nt service descriptor on 32-bit x86; it matches the four
   dwords that "dps nt!KeServiceDescriptorTable l4" prints further down. */
typedef struct _SSDT_Entry
{
    unsigned int  *ServiceDispatchTableBase;   /* KiServiceTable: handler addresses */
    unsigned int  *ServiceCounterTableBase;    /* NULL on free builds */
    unsigned int   NumberOfServices;
    unsigned char *ServiceParameterTableBase;  /* KiArgumentTable: argument bytes per service */
} SSDT_Entry;

/* Exported (undocumented) by ntoskrnl.exe */
__declspec(dllimport) SSDT_Entry KeServiceDescriptorTable;

VOID OnUnload(IN PDRIVER_OBJECT theDriverObj)
{
    UNREFERENCED_PARAMETER(theDriverObj);
    DbgPrint("OnUnload called\n");
}

NTSTATUS DriverEntry(IN PDRIVER_OBJECT theDriverObj, IN PUNICODE_STRING theRegistryPath)
{
    unsigned int  i;
    unsigned int  ServiceHandlerAddr;
    unsigned char ParamBytes;

    UNREFERENCED_PARAMETER(theRegistryPath);
    DbgPrint("DriverEntry called\n");
    theDriverObj->DriverUnload = OnUnload;

    DbgPrint("SSDT service number %u\n", KeServiceDescriptorTable.NumberOfServices);
    for (i = 0; i < KeServiceDescriptorTable.NumberOfServices; i++)
    {
        ServiceHandlerAddr = KeServiceDescriptorTable.ServiceDispatchTableBase[i];
        /* The parameter table holds the number of argument bytes, not the argument count */
        ParamBytes = KeServiceDescriptorTable.ServiceParameterTableBase[i];
        DbgPrint("Index %u: Handler 0x%08X, Param bytes %u\n", i, ServiceHandlerAddr, ParamBytes);
    }

    return STATUS_SUCCESS;
}

To dump the SSDT in the kernel debugger, it is pretty easy; do it like this:

0: kd> dps nt!KeServiceDescriptorTable l4
808aeee0 8083fc4c nt!_KiServiceTable
808aeee4 00000000
808aeee8 00000128
808aeeec 80803618 nt!KiArgumentTable

// Get the SSDT entries count "0x128" from the output above
0: kd> dps nt!_KiServiceTable l128
....
output
....

If you want to dump the Win32k.sys service table, you have to first switch
the process context to a GUI process, like this:

0: kd> !process 0 0 csrss.exe
PROCESS 82553020 SessionId: 0 Cid: 01a8 Peb: 7ffdd000 ParentCid: 0170
DirBase: 1b652000 ObjectTable: e14fdeb8 HandleCount: 527.
Image: csrss.exe

0: kd> dps nt!KeServiceDescriptorTableShadow l8
808aeec0 8083fc4c nt!_KiServiceTable
808aeec4 00000000
808aeec8 00000128
808aeecc 80803618 nt!KiArgumentTable
808aeed0 bf9a2000 win32k!W32pServiceTable
808aeed4 00000000
808aeed8 00000299
808aeedc bf9a2d08 win32k!W32pArgumentTable

// Get the entries count "0x299" from the output above
0: kd> dps win32k!W32pServiceTable l299

Hope this helps.

Best regards,
Jeffrey Tan
Microsoft Online Community Support

Delighting our customers is our #1 priority. We welcome your comments and
suggestions about how we can improve the support we provide to you. Please
feel free to let my manager know what you think of the level of service
provided. You can send feedback directly to my manager at:
msdnmg(a)microsoft.com.

==================================================
Get notification to my posts through email? Please refer to
http://msdn.microsoft.com/subscriptions/managednewsgroups/default.aspx#notifications.

Note: The MSDN Managed Newsgroup support offering is for non-urgent issues
where an initial response from the community or a Microsoft Support
Engineer within 1 business day is acceptable. Please note that each follow
up response may take approximately 2 business days as the support
professional working with you may need further investigation to reach the
most efficient resolution. The offering is not appropriate for situations
that require urgent, real-time or phone-based interactions or complex
project analysis and dump analysis issues. Issues of this nature are best
handled working with a dedicated Microsoft Support Engineer by contacting
Microsoft Customer Support Services (CSS) at
http://msdn.microsoft.com/subscriptions/support/default.aspx.
==================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
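The descriptor layout and the enumeration loop above, as an added example that is not Jeffrey's driver code: it parses the 32-bit x86 KeServiceDescriptorTable and KeServiceDescriptorTableShadow layout (the four and eight dwords that the dps commands print) from a constructed memory snapshot instead of live kernel memory, so it builds and runs on any host. The snapshot base, handler addresses and argument byte counts are made up for the demo; the count_outside check simply reports how many handlers fall outside a given image range, which is the information the nt!/win32k! symbol prefixes in the dps output convey at a glance.

```c
/* Added example (not the thread's code): parse the 32-bit x86
 * KeServiceDescriptorTable / KeServiceDescriptorTableShadow layout from a
 * constructed flat memory snapshot, then run the same enumeration loop the
 * driver snippet runs against live memory. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

typedef struct {
    uint32_t service_table;      /* VA of KiServiceTable / W32pServiceTable: handler VAs */
    uint32_t counter_table;      /* 0 on free builds, as in the dps output */
    uint32_t number_of_services;
    uint32_t argument_table;     /* VA of KiArgumentTable: argument bytes per service */
} SsdtEntry32;

typedef struct {                 /* flat snapshot: data[0] lives at VA base */
    uint32_t base;
    const uint8_t *data;
    size_t size;
} MemImage;

static int in_image(const MemImage *img, uint32_t va, uint32_t len) {
    return va >= img->base && (uint64_t)va + len <= (uint64_t)img->base + img->size;
}
/* Little-endian reads; return 0 when the VA is not inside the snapshot. */
static int read_u32(const MemImage *img, uint32_t va, uint32_t *out) {
    if (!in_image(img, va, 4)) return 0;
    const uint8_t *p = img->data + (va - img->base);
    *out = (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
    return 1;
}
static int read_u8(const MemImage *img, uint32_t va, uint8_t *out) {
    if (!in_image(img, va, 1)) return 0;
    *out = img->data[va - img->base];
    return 1;
}

/* One 16-byte descriptor: the four dwords "dps nt!KeServiceDescriptorTable l4" prints. */
int parse_descriptor(const MemImage *img, uint32_t va, SsdtEntry32 *e) {
    return read_u32(img, va, &e->service_table) && read_u32(img, va + 4, &e->counter_table) &&
           read_u32(img, va + 8, &e->number_of_services) && read_u32(img, va + 12, &e->argument_table);
}
/* The shadow table is two descriptors back to back (nt, then win32k): the eight
 * dwords "dps nt!KeServiceDescriptorTableShadow l8" prints. */
int parse_shadow(const MemImage *img, uint32_t va, SsdtEntry32 out[2]) {
    return parse_descriptor(img, va, &out[0]) && parse_descriptor(img, va + 16, &out[1]);
}
/* The driver loop, run over the snapshot: fills handler[] and argbytes[] (at most
 * max entries); returns the entries read, or -1 if a table runs off the snapshot. */
int enumerate_services(const MemImage *img, const SsdtEntry32 *e,
                       uint32_t *handler, uint8_t *argbytes, size_t max) {
    uint32_t n = e->number_of_services < max ? e->number_of_services : (uint32_t)max;
    for (uint32_t i = 0; i < n; i++) {
        if (!read_u32(img, e->service_table + 4 * i, &handler[i])) return -1;
        if (!read_u8(img, e->argument_table + i, &argbytes[i])) return -1;
    }
    return (int)n;
}
/* Post-dump check: how many handlers lie outside the owning image range [lo, hi)? */
int count_outside(const uint32_t *handler, int n, uint32_t lo, uint32_t hi) {
    int outside = 0;
    for (int i = 0; i < n; i++) if (handler[i] < lo || handler[i] >= hi) outside++;
    return outside;
}

/* Constructed snapshot (every value made up for the demo):
 * +0x00 nt descriptor, +0x10 win32k descriptor, +0x20 nt service table (4 entries),
 * +0x30 nt argument table (4), +0x38 win32k service table (2), +0x40 win32k args (2). */
#define DEMO_BASE 0x80800000u
static uint8_t demo_buf[0x42];
static void put_u32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}
static void put_desc(uint8_t *p, uint32_t svc, uint32_t n, uint32_t args) {
    put_u32(p, svc); put_u32(p + 4, 0); put_u32(p + 8, n); put_u32(p + 12, args);
}
MemImage build_demo(void) {
    const uint32_t nt_h[4]  = {0x80820100u, 0x80820240u, 0xb9c01000u, 0x80820400u}; /* third is outside nt */
    const uint8_t  nt_a[4]  = {0x18, 0x20, 0x2c, 0x08};
    const uint32_t w32_h[2] = {0xbf9a5000u, 0xbf9a6100u};
    const uint8_t  w32_a[2] = {0x04, 0x10};
    memset(demo_buf, 0, sizeof demo_buf);
    put_desc(demo_buf + 0x00, DEMO_BASE + 0x20, 4, DEMO_BASE + 0x30);
    put_desc(demo_buf + 0x10, DEMO_BASE + 0x38, 2, DEMO_BASE + 0x40);
    for (int i = 0; i < 4; i++) put_u32(demo_buf + 0x20 + 4 * i, nt_h[i]);
    memcpy(demo_buf + 0x30, nt_a, 4);
    for (int i = 0; i < 2; i++) put_u32(demo_buf + 0x38 + 4 * i, w32_h[i]);
    memcpy(demo_buf + 0x40, w32_a, 2);
    MemImage img = { DEMO_BASE, demo_buf, sizeof demo_buf };
    return img;
}

int main(void) {
    MemImage img = build_demo();
    SsdtEntry32 t[2];
    if (!parse_shadow(&img, DEMO_BASE, t)) return 1;
    for (int k = 0; k < 2; k++) {
        uint32_t h[8]; uint8_t a[8];
        int n = enumerate_services(&img, &t[k], h, a, 8);
        printf("%s: %u services\n", k ? "win32k" : "nt", t[k].number_of_services);
        for (int i = 0; i < n; i++)
            printf("  Index %d: Handler 0x%08X, Argument bytes %u\n", i, h[i], a[i]);
    }
    return 0;
}
```

Every read is bounds-checked against the snapshot, so a descriptor whose tables point past the captured region fails cleanly instead of reading garbage; that is the main difference from the driver loop, which trusts NumberOfServices because it reads live kernel memory.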

From: None on
Thanks, but it's weird that my computer shows:
kd> dps nt!KeServiceDescriptorTable L4
808a6380 89ca0ad8 nt!KiServiceTable
808a6384 00000000
808a6388 00000149
808a638c 896e1eb0

I have 0x149 services in KeServiceDescriptorTable, but you have only 0x128.



From: None on
1. Why do I need to "switch the process context to a GUI process"? I don't
think csrss.exe is a GUI process. I launched Dependency Walker on csrss and
found it depends on ntdll.dll and csrsrv.dll. I think the GDI APIs should be
in user32.dll or gdi32.dll, and the corresponding kernel part is win32k.sys.
In addition, I find that if I do not run your command "!process 0 0 csrss.exe",
I'm still able to get the same output:
> 808aeec0 8083fc4c nt!_KiServiceTable
> 808aeec4 00000000
> 808aeec8 00000128
> 808aeecc 80803618 nt!KiArgumentTable
> 808aeed0 bf9a2000 win32k!W32pServiceTable
> 808aeed4 00000000
> 808aeed8 00000299
> 808aeedc bf9a2d08 win32k!W32pArgumentTable

2. Why can't I see a variable KeServiceDescriptorTableShadow exported from
win32k.sys, like the KeServiceDescriptorTable variable exported from
ntoskrnl.exe?



From: "Jeffrey Tan[MSFT]" on
Hi,

Thanks for your feedback.

Oh, yes, it seems that I can dump the Win32k.sys SSDT without switching to
a GUI process context. I remember being told that we should switch to a
GUI process context to dump it. Anyway, I may remember incorrectly.

Csrss.exe is a GUI process. Yes, it seems that it does not link with
user32.dll or gdi32.dll statically; however, it loads user32.dll and gdi32.dll
into its process for use (it may load them dynamically). You may use Process
Explorer to examine the csrss.exe process's DLL view. As far as I know, csrss.exe is
responsible for painting the console windows on the screen, so it
definitely needs to call GUI APIs.

Thanks.

Best regards,
Jeffrey Tan
Microsoft Online Community Support