Getting Function Address From Service Table.

Hi

Does anyone know how to get the function address from
the system service table by ordinal?

MyFuncAddress = (SYSTEMSERVICE(ZwCreateFile)) // This works fine under Win2000.
Say the ordinal of ZwCreateFile = 0x20:
MyFuncAddress = (SYSTEMSERVICE(0x20)) // Getting a blue screen.

Maybe there is another way to get the function address?

Please help.

Regards
Suja.




You are currently subscribed to ntdev as: $subst(‘Recip.EmailAddr’)
To unsubscribe send a blank email to leave-ntdev-$subst(‘Recip.MemberIDChar’)@lists.osr.com

Hello,

It looks like you are using the macro without checking
what this macro does.

The macro expects the address of a Zwxx wrapper (mov eax,
service id; lea edx, [esp+4]; int 2eh…). The macro
extracts the service id from the wrapper code, then
indexes it into the system service dispatch table, and
ultimately expands into something like SSDT[service
id].

NOTE: The macro will work only if the corresponding Zwxx
wrapper is exported by NTOSKRNL; otherwise you will get
linking errors.

Passing 0x20 is obviously going to throw a blue screen,
since it will expand into something like
SSDT[*(PULONG)(0x21)].

If you know the ordinal, you will simply index into
SSDT to get the function pointer.

Hope this clarifies.
-Prasad

— SUJA JAMES wrote:
> Hi
>
> Does anyone know how to get the function address from
> the system service table by ordinal?
>
> MyFuncAddress = (SYSTEMSERVICE(ZwCreateFile)) // This works fine under Win2000.
> Say the ordinal of ZwCreateFile = 0x20:
> MyFuncAddress = (SYSTEMSERVICE(0x20)) // Getting a blue screen.
>
> Maybe there is another way to get the function address?
>
> Please help.
>
> Regards
> Suja.
>

=====
Prasad S. Dabak
Chief Software Architect
Ensim India Private Limited
http://www.ensim.com
Co-author of the book “Undocumented Windows NT”
ISBN 0764545698
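To make the expansion Prasad describes concrete, here is an added user-mode C model of the macro's behaviour. It is not code from this thread, from NTOSKRNL or from "Undocumented Windows NT"; it assumes the ordinal 0x20 for ZwCreateFile from the question, a constructed stand-in for the service table, and constructed x86 bytes for the Zwxx wrapper (mov eax, imm32 / lea edx, [esp+4] / int 2Eh). The unchecked routine mirrors the described expansion SSDT[*(PULONG)(wrapper + 1)], which is why handing it the integer 0x20 would read address 0x21; the checked routines verify the opcode byte before trusting the immediate, and bounds-check the ordinal when indexing the table directly.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed stand-in for KeServiceDescriptorTable.ServiceTableBase and its
   NumberOfServices. Entry i gets a made-up kernel-looking address. */
#define FAKE_NUMBER_OF_SERVICES 0x40u
static uintptr_t fake_service_table[FAKE_NUMBER_OF_SERVICES];
static int fake_table_ready = 0;

static void ensure_fake_table(void)
{
    if (fake_table_ready) return;
    for (uint32_t i = 0; i < FAKE_NUMBER_OF_SERVICES; i++)
        fake_service_table[i] = (uintptr_t)0x80400000u + (uintptr_t)i * 0x100u; /* constructed */
    fake_table_ready = 1;
}

/* Constructed bytes of a Zwxxx wrapper as the reply describes it:
     B8 20 00 00 00   mov eax, 20h        (service id 0x20, assumed for ZwCreateFile)
     8D 54 24 04      lea edx, [esp+4]
     CD 2E            int 2Eh
     C2 2C 00         ret 2Ch */
static const unsigned char fake_zwcreatefile[] = {
    0xB8, 0x20, 0x00, 0x00, 0x00,
    0x8D, 0x54, 0x24, 0x04,
    0xCD, 0x2E,
    0xC2, 0x2C, 0x00
};

/* Constructed bytes of an ordinary prologue (push ebp; mov ebp, esp; ret):
   a valid address, but not a Zwxxx wrapper. */
static const unsigned char not_a_wrapper[] = { 0x55, 0x8B, 0xEC, 0xC3 };

/* Mirrors the expansion described in the reply, SSDT[*(PULONG)(wrapper + 1)]:
   read the 32-bit immediate one byte past the start and index with no check.
   Given the integer 0x20 instead of a wrapper address, this would read
   address 0x21 -- in kernel mode, the bugcheck from the question. */
static uintptr_t unchecked_systemservice(const void *wrapper)
{
    uint32_t id;
    memcpy(&id, (const unsigned char *)wrapper + 1, sizeof id); /* imm32 of mov eax */
    ensure_fake_table();
    return fake_service_table[id];
}

/* Checked variant: only trust the immediate if the bytes really start with
   "mov eax, imm32" (opcode B8) and there are enough of them to read. */
static int service_id_from_wrapper(const unsigned char *code, size_t len, uint32_t *id)
{
    if (code == NULL || len < 5 || code[0] != 0xB8) return -1;
    memcpy(id, code + 1, sizeof *id); /* little-endian imm32 */
    return 0;
}

/* What the reply says to do when the ordinal is already known: index the
   table directly, but stay inside NumberOfServices. */
static int service_by_ordinal(uint32_t ordinal, uintptr_t *addr)
{
    ensure_fake_table();
    if (ordinal >= FAKE_NUMBER_OF_SERVICES) return -1;
    *addr = fake_service_table[ordinal];
    return 0;
}

int main(void)
{
    uint32_t id = 0;
    uintptr_t addr = 0;

    if (service_id_from_wrapper(fake_zwcreatefile, sizeof fake_zwcreatefile, &id) == 0 &&
        service_by_ordinal(id, &addr) == 0)
        printf("wrapper -> ordinal 0x%02X -> entry %#lx\n", id, (unsigned long)addr);

    if (service_id_from_wrapper(not_a_wrapper, sizeof not_a_wrapper, &id) != 0)
        printf("rejected: first byte is not B8 (mov eax, imm32)\n");

    if (service_by_ordinal(0x20, &addr) == 0)
        printf("ordinal 0x20 directly -> entry %#lx\n", (unsigned long)addr);
    return 0;
}
```

The two checked routines are the practical takeaway: when you have a wrapper address, confirm it looks like a wrapper before dereferencing past it; when you have an ordinal, skip the wrapper entirely and index the table, checking the ordinal against the table's size rather than trusting it blindly.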

