Drivers Hooking Ssdt Tutorial
Introduction

In this article we'll present how to hook the System Service Dispatch Table, but first we have to establish what the SSDT actually is and how the operating system uses it. In order to understand how and why the SSDT is used, we must first talk about system calls. There are two ways a system call can be invoked:

- int 0x2e instruction: used mainly in older versions of Windows, where the system call number is stored in the eax register before the interrupt transfers control into the kernel.
- sysenter instruction: uses the MSRs to call quickly into the kernel and is mainly used in newer versions of Windows.

The SSDT holds pointers to kernel functions, which are looked up upon system call invocation by either the "int 0x2e" or the sysenter instruction. The value stored in register eax is the system call number to be invoked in the kernel. In the picture below we can see that sysenter is called in the ntdll.dll library and that system call number 0x25 will be invoked. When calling the system call routine, the system call number is stored in the eax register, which is a 32-bit value. But how is that number then used?
It can't be a plain index into a table of pointers, because if all 32 bits were used as an index the table would be 4GB large, which is certainly not the case. With a little bit of research we can find out that the system service number is broken up into three parts:

- bits 0-11: the system service number (SSN) to be invoked
- bits 12-13: the service descriptor table (SDT)
- bits 14-31: not used

Only the lower 12 bits are used as an index into the table, which means the table is 4096 bytes in size. The upper 18 bits are not used and the middle 2 bits select the appropriate service descriptor table, so there can be at most 4 service descriptor tables (SDTs). Windows uses only two of them: KeServiceDescriptorTable (middle bits set to 0x00) and KeServiceDescriptorTableShadow (middle bits set to 0x01). This means that the system service number in the EAX register can take the following forms (showing the low 16 bits):

- 0000xxxx xxxxxxxx: used by KeServiceDescriptorTable, where each x can be 0 or 1, so the first table is used for system service numbers from 0x0 to 0xFFF.
- 0001yyyy yyyyyyyy: used by KeServiceDescriptorTableShadow, where each y can be 0 or 1, so the second table is used for system service numbers from 0x1000 to 0x1FFF.

This means that the system service numbers in the EAX register can only be in the range 0x0000 to 0x1FFF, and all other values are invalid. We can dump all the symbols that start with KeServiceDescriptor by using the "x nt!KeServiceDescriptor*" command in WinDbg. The result of running that command can be seen below.
Note that KeServiceDescriptorTable is exported by ntoskrnl.exe, while KeServiceDescriptorTableShadow is not. Both Service Descriptor Tables (SDTs) contain a structure called the System Service Table (SST), laid out as presented below.

Every System Service Table (SST) contains the following fields:

- ServiceTable: points to an array of virtual addresses, the SSDT (System Service Dispatch Table), where each entry in turn points to a kernel routine.
- CounterTable: not used.
- ServiceLimit: number of entries in the SSDT.
- ArgumentTable: points to an array of bytes, the SSPT (System Service Parameter Table), where each byte holds the number of bytes allocated for the arguments of the corresponding SSDT routine.

Let's present an overview of the process with the picture below, where we can see that both "int 0x2e" and the sysenter instruction execute a system call based on the SSN stored in the eax register. The Service Descriptor Table Number (SDTN) selects one of the 4 SDTs, of which only the first two are actually used and point to an SST. KeServiceDescriptorTable points to one SST, which in turn points to the SSDT. KeServiceDescriptorTableShadow points to two SSTs, where the first one points to the same SSDT and the second one points to a secondary SSDT.

Let's now look at the whole process from a practical point of view and observe everything described so far on an actual Windows system. We've already presented KeServiceDescriptorTable and KeServiceDescriptorTableShadow, so we must now display the SST fields of both, which we can do with the dps command as presented below. Notice that the first 4 bytes contain a pointer to the SSDT, KiServiceTable, while the last 4 bytes contain the pointer to the argument table, KiArgumentTable. To summarize the values above, let's present all fields of:
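As an added example (not code from the original article), the SSN decoding and the SST lookup described above, applied to a constructed 32-bit SST, KiServiceTable and KiArgumentTable; the kernel image range and every address are assumed sample values. It goes one step beyond the text with the check a defender runs over such a dump: an SSDT entry whose pointer falls outside the ntoskrnl image is a hook candidate.

```python
import struct

# Constructed 32-bit sample (not taken from a real machine): the four DWORDs
# of the KeServiceDescriptorTable SST as "dps" would show them, a tiny
# KiServiceTable with 4 entries and the matching KiArgumentTable.
NTOSKRNL_BASE, NTOSKRNL_SIZE = 0x80400000, 0x00200000   # assumed image range
KI_SERVICE_TABLE, KI_ARGUMENT_TABLE = 0x804E3F40, 0x804E4400
SST_BLOB = struct.pack("<IIII", KI_SERVICE_TABLE, 0, 4, KI_ARGUMENT_TABLE)
SSDT = [0x805B1F20, 0x805C2A10, 0xF8A01234, 0x8059E880]  # entry 2 lies outside ntoskrnl
ARG_TABLE = bytes([0x18, 0x2C, 0x10, 0x08])              # argument bytes per routine

def parse_sst(blob):
    """Unpack the SST fields: ServiceTable, CounterTable, ServiceLimit, ArgumentTable."""
    names = ("ServiceTable", "CounterTable", "ServiceLimit", "ArgumentTable")
    return dict(zip(names, struct.unpack("<IIII", blob[:16])))

def decode_ssn(eax):
    """Split the EAX value: bits 0-11 are the index, bits 12-13 select the SDT."""
    if eax & ~0x3FFF:
        raise ValueError(f"bits 14-31 must be zero: {eax:#x}")
    table, index = (eax >> 12) & 0x3, eax & 0xFFF
    if table > 1:
        raise ValueError(f"SDT {table} does not exist: only tables 0 and 1 are used")
    return table, index

def lookup(eax, tables):
    """Resolve EAX to (routine address, argument bytes); tables maps an SDT number
    to its (sst, ssdt, arg_table) triple, with the index checked against ServiceLimit."""
    table, index = decode_ssn(eax)
    sst, ssdt, arg_table = tables[table]
    if index >= sst["ServiceLimit"]:
        raise IndexError(f"index {index:#x} >= ServiceLimit {sst['ServiceLimit']}")
    return ssdt[index], arg_table[index]

def suspicious_entries(ssdt, base=NTOSKRNL_BASE, size=NTOSKRNL_SIZE):
    """Indices whose routine pointer lies outside the kernel image: hook candidates."""
    return [i for i, p in enumerate(ssdt) if not base <= p < base + size]

# Only KeServiceDescriptorTable (SDT 0) is modelled in this sample.
TABLES = {0: (parse_sst(SST_BLOB), SSDT, ARG_TABLE)}
```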
Dejan Lukan is a security researcher for InfoSec Institute and penetration tester from Slovenia. He is very interested in finding new bugs in real world software products with source code analysis, fuzzing and reverse engineering.
He also has a great passion for developing his own simple scripts for security related problems and learning about new hacking techniques. He knows a great deal about programming languages, as he can write in couple of dozen of them. His passion is also Antivirus bypassing techniques, malware research and operating systems, mainly Linux, Windows and BSD.
He also has his own blog.