BSOD Woes while attempting SDT access

Hi folks,
I’ve started work on a new project and I’m trying to dump the Service
Descriptor Table. I’m writing an assembly driver (for various reasons which
aren’t important) and have made some progress. I’ve used
KeServiceDescriptorTable to get a ref to the SDT, but any time I go to read
the SDT (even one dword) I get a BSOD. I’ve tried to read from the virtual
memory and the physical memory but have not been able to avoid a complete
system crash. I found a thread on the Sysinternals board that had similar code
to mine and allowed me to fix some errors, but if I don’t understand why my
code crashes there’s not much point in my continuing, so I’ll post my code and
hope someone can venture a reason why the code crashes and what I can do to
make the code safe for execution.

;sdtMem is a local variable
;resetEax is a macro that resets eax to the value in sdtMem

mov eax, KeServiceDescriptorTable
mov eax, DWORD PTR [eax]
mov sdtMem, eax
invoke MmIsAddressValid, eax
invoke DbgPrint, $CTA0("Is address valid? %d\n"), eax
resetEax
invoke MmGetPhysicalAddress, eax
;mov ebx, [eax]   ;Crashes with BSOD when attempting to read the value at the physical address translated from the virtual address
resetEax
mov ebx, [eax]    ;Crashes with BSOD (PAGE_FAULT_IN_NON_PAGED_AREA) when attempting to read the value at the virtual address
invoke DbgPrint, $CTA0("First entry read from physical memory: 0x%x\n"), ebx

So I can’t touch the SDT; any time I go near it I’m crashing the system. I
have some thoughts about why this may be happening and I have SoftICE
running in the background to analyze as much as possible, but I’m still at a
loss. If anyone can point out my errors or maybe answer some of my general
questions that follow I’d be very appreciative. Firstly, I would assume that
the SDT’s memory page is marked non-pageable? But is it also marked
non-readable? (That doesn’t make any sense to me.) Should I disable interrupts
before attempting SDT access? Does the SDT need to be remapped into another
area of memory? (Again, makes no sense to me.) I’m running a P4 with HT; I
think I read that multiple processors contain their own copy of the SDT but I
can’t remember where I read this so can’t confirm. I’ve ordered a book on
undocumented NT internals but it’ll be a week or so before it arrives; can
anyone fill me in in the meantime?

Thanks,
Cathal

CATHAL:

  1. You can’t directly read from a physical address with paging
    enabled.
  2. KeServiceDescriptorTable contains the offset of the SSDT, so I
    don’t think that you want:

mov eax, KeServiceDescriptorTable
mov eax, DWORD PTR [eax]
mov sdtMem, eax

rather:

mov eax, KeServiceDescriptorTable
mov sdtMem, eax

Try getting the value of KeServiceDescriptorTable using your debugger
and hard coding it and see what happens:

(WinDbg): x nt!KeServiceDescriptorTable
(SoftICE): SYM nt!KeServiceDescriptorTable

MM
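To put MM's two points next to Cathal's goal of dumping the table, here is an added example that is not code from the thread or from either poster: a user-mode C model of the walk, built on constructed data (fake_ntoskrnl, fake_rootkit, fake_ssdt, fake_params are all made up) so it compiles and runs without a kernel. The SYSTEM_SERVICE_TABLE field names follow the widely documented, undocumented-by-Microsoft x86 layout rather than anything stated in the thread; it goes one step beyond the post by also flagging entries that point outside the kernel image, the usual SSDT-hook integrity check.

```c
/* Added example, not code from the thread: a user-mode model of the walk MM
 * describes, on constructed data, so it runs without a kernel. The field
 * layout is the widely documented x86 one (every field is 4 bytes there). */
#include <stdint.h>
#include <stdio.h>
typedef struct _SYSTEM_SERVICE_TABLE {
    void    **ServiceTableBase;        /* the SSDT: array of handler addresses */
    uint32_t *ServiceCounterTableBase; /* NULL on free builds */
    uint32_t  NumberOfServices;
    uint8_t  *ParamTableBase;          /* bytes of stack arguments per service */
} SYSTEM_SERVICE_TABLE;
/* Constructed stand-ins: a pretend kernel image, a pretend foreign module and a
 * four-entry SSDT whose third handler was redirected outside the kernel. */
static uint8_t fake_ntoskrnl[0x1000];
static uint8_t fake_rootkit[0x100];
static void   *fake_ssdt[4] = { fake_ntoskrnl + 0x100, fake_ntoskrnl + 0x200,
                                fake_rootkit + 0x10,    fake_ntoskrnl + 0x300 };
static uint8_t fake_params[4] = { 8, 12, 4, 0 };
static SYSTEM_SERVICE_TABLE KeServiceDescriptorTable = { fake_ssdt, NULL, 4, fake_params };

/* MM's point 2: a single load from the descriptor is the SSDT base (in assembly,
 * one "mov eax, KeServiceDescriptorTable"); the post loads twice, so sdtMem ends
 * up holding whatever the first table entry is rather than the table itself. */
void **ssdt_base(const SYSTEM_SERVICE_TABLE *sdt)
{
    return sdt->ServiceTableBase;
}

/* Dump every entry and count handlers outside [lo, hi), the kernel image range:
 * an entry pointing elsewhere is the classic sign of an SSDT hook. */
unsigned dump_ssdt(const SYSTEM_SERVICE_TABLE *sdt, const void *lo, const void *hi)
{
    void **base = ssdt_base(sdt);
    unsigned flagged = 0;
    for (uint32_t i = 0; i < sdt->NumberOfServices; i++) {
        uintptr_t h = (uintptr_t)base[i];
        int inside = h >= (uintptr_t)lo && h < (uintptr_t)hi;
        printf("service %u: handler %p, %u arg bytes%s\n", (unsigned)i, base[i],
               (unsigned)sdt->ParamTableBase[i], inside ? "" : "  <-- outside kernel image");
        if (!inside) flagged++;
    }
    return flagged;
}

int main(void)
{
    return dump_ssdt(&KeServiceDescriptorTable, fake_ntoskrnl,
                     fake_ntoskrnl + sizeof fake_ntoskrnl) ? 1 : 0;
}
```

Reading through the virtual address of the table (never a physical one, per MM's point 1) is what a real driver would do; the bounds check is the part worth keeping when the table is genuine.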

>> xxxxx@gmail.com 2006-07-30 13:25 >>>

