Hello,
I’m trying to develop a kernel driver to add a third or fourth SDT entry. All books or blog posts that I read about this topic describe the SDT like this:
I’m using the function “KeAddSystemServiceTable”:
KeAddSystemServiceTable (
IN PULONG_PTR Base,
IN PULONG Count [OPTIONAL],
IN ULONG Limit,
IN PULONG Arguments,
IN ULONG Index)
I did not manage to add another entry. So I looked at the function in windbg and saw that it is no longer able to add additional SDT entries in Windows 7.
Is this correct, and does the SDT still have 4 fields?
Is there another function to add SDT entries?
I’m still quite new in this area; can anyone give me a hint on how I can reverse the SDT struct (not how I reverse a struct, just e.g. which function I should look at)?
Support for multiple System Service Tables has changed, been added and removed, across versions of Windows since the initial release of Windows NT. In all that time, it’s never been documented.
OK, let me help: What is the overall goal you are trying to reach? What problem are you trying to solve? Adding your own System Service Table is unlikely to be the correct answer to ANYTHING you want to be doing. Seriously.
Let us help you do whatever it is you need to do the RIGHT way instead.
Hi,
I understand. I’m a student so my overall goal is education.
I have already noted that nearly everything I’m currently interested in is not documented, and when I do my research the answers are mostly outdated, which leads me to the point that I have to acquire the ability to work these things out on my own. So what I’m doing is developing drivers which make small changes to the system to understand how things work.
So the overall problem I’m trying to solve is closing the gap between what I know and what is currently there. Currently I am looking at the system call mechanism (specifically SSDT, SDT etc.). In this context, I have hooked some service routines in the SSDT or added some service routines to the SSDT and ntdll etc… So in terms of driver development there is no concrete goal. It’s all about education and improving skills.
It is not only about adding something to the SDT. It’s more about understanding why I cannot add something to the SDT and how I can answer this question by myself in future.
The syscall is just some assembler prolog/epilog code, calling the SSDT entry. The prolog sets up the kernel stack and things like EBP, the epilog deals with exception/APC handling (“exception handling done” and “APC done” paths).
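A user-mode model of the lookup described above, added here as an example and not part of any post in this thread: it reproduces the two-descriptor layout and the entry encoding that nt!KiSystemCall64 uses on x64 (a 0xFFF index mask, a table selector taken from bit 12 of the call number as the byte offset 0x20 of the second descriptor, and 32-bit entries holding the routine's offset from the table base shifted left by four with the count of stack arguments in the low nibble), so the four descriptor fields and the dispatch path can be stepped through in a debugger without a test VM. The service names, call numbers and routines, the status values returned, and the rule that only two descriptor slots exist and each can be filled once are assumptions of the model; it does not claim to reproduce the Windows 7 kernel's own checks inside KeAddSystemServiceTable.

```c
/* Added example: user-mode model of x64 system service lookup (see lead-in).
 * Descriptor layout and entry encoding follow the public disassembly of
 * nt!KiSystemCall64; everything else (service names, numbers, status values,
 * the two-slot policy in add_service_table) is an assumption of this demo. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define STATUS_SUCCESS                0x00000000u
#define STATUS_ACCESS_VIOLATION       0xC0000005u
#define STATUS_INVALID_SYSTEM_SERVICE 0xC000001Cu
enum { TABLE_COUNT = 2, MAX_ENTRIES = 16, MAX_STACK_ARGS = 2 }; /* 4 register + 2 stack args */

typedef uint64_t (*SERVICE_ROUTINE)(uint64_t, uint64_t, uint64_t, uint64_t, uint64_t, uint64_t);

/* The four descriptor fields, in the order KeAddSystemServiceTable takes them
 * (Base, Count, Limit, Arguments). sizeof() is 0x20 on x64, which is why the
 * kernel reaches the second table with a byte offset of 0x20. */
typedef struct _SERVICE_DESCRIPTOR {
    int32_t  *ServiceTableBase;        /* KiServiceTable: 32-bit encoded entries        */
    uint32_t *ServiceCounterTableBase; /* per-service call counters, NULL on free builds */
    uint64_t  NumberOfServices;        /* limit checked before the table is indexed      */
    uint8_t  *ParamTableBase;          /* KiArgumentTable: argument bytes per service    */
} SERVICE_DESCRIPTOR;

static SERVICE_DESCRIPTOR g_tables[TABLE_COUNT];   /* slot 0: ntoskrnl, slot 1: shadow (win32k) */

/* Entry encoding: (routine - table_base) << 4 | stack_args. The offset must fit
 * in 28 signed bits (+-128 MiB), which is the real encoding's limit as well. */
static int encode_entry(const int32_t *table, SERVICE_ROUTINE routine, unsigned stack_args, int32_t *out)
{
    int64_t off = (int64_t)((intptr_t)routine - (intptr_t)table);
    if (off < -(INT64_C(1) << 27) || off >= (INT64_C(1) << 27) || stack_args > 0xF)
        return 0;
    *out = (int32_t)(off * 16 + (int64_t)stack_args);
    return 1;
}

/* Mirror of: movsxd r11,[r10+rax*4] ; mov rax,r11 ; sar r11,4 ; add r10,r11 ; and eax,0Fh */
static SERVICE_ROUTINE decode_entry(const int32_t *table, int32_t entry, unsigned *stack_args)
{
    *stack_args = (unsigned)(entry & 0xF);
    int64_t off = (int64_t)(entry - (int32_t)*stack_args) / 16;  /* exact: low nibble is cleared */
    return (SERVICE_ROUTINE)((intptr_t)table + (intptr_t)off);
}

/* Same parameters as KeAddSystemServiceTable. Model policy (an assumption, not
 * the Windows 7 kernel's logic): two slots exist and each can be filled once. */
static int add_service_table(int32_t *base, uint32_t *count, uint64_t limit, uint8_t *args, unsigned index)
{
    if (index >= TABLE_COUNT || g_tables[index].ServiceTableBase != NULL)
        return 0;
    g_tables[index].ServiceTableBase = base;
    g_tables[index].ServiceCounterTableBase = count;
    g_tables[index].NumberOfServices = limit;
    g_tables[index].ParamTableBase = args;
    return 1;
}

/* The dispatch step: bits 0-11 index a table, bit 12 picks the descriptor.
 * user_args[0..3] stand in for the register arguments (r10, rdx, r8, r9),
 * user_args[4..] for the caller's stack, of which stack_args qwords are copied. */
static uint32_t dispatch(uint32_t number, const uint64_t *user_args, size_t user_stack_qwords, uint64_t *result)
{
    unsigned sel = (unsigned)(((number >> 7) & 0x20) / sizeof(SERVICE_DESCRIPTOR));  /* 0 or 1 */
    uint32_t idx = number & 0xFFF;
    const SERVICE_DESCRIPTOR *d = &g_tables[sel];
    if (d->ServiceTableBase == NULL || idx >= d->NumberOfServices)
        return STATUS_INVALID_SYSTEM_SERVICE;          /* KiSystemServiceExit path */
    unsigned stack_args;
    SERVICE_ROUTINE r = decode_entry(d->ServiceTableBase, d->ServiceTableBase[idx], &stack_args);
    if (stack_args > MAX_STACK_ARGS || stack_args > user_stack_qwords)
        return STATUS_ACCESS_VIOLATION;                /* the user-stack copy would fault */
    uint64_t a[4 + MAX_STACK_ARGS] = {0};
    memcpy(a, user_args, 4 * sizeof a[0]);
    memcpy(a + 4, user_args + 4, stack_args * sizeof a[0]);
    *result = r(a[0], a[1], a[2], a[3], a[4], a[5]);
    return STATUS_SUCCESS;
}

/* Invented services standing in for Nt* routines (demo data, not real ones). */
static uint64_t SvcAdd(uint64_t a, uint64_t b, uint64_t c, uint64_t d, uint64_t e, uint64_t f)
{ (void)c; (void)d; (void)e; (void)f; return a + b; }
static uint64_t SvcSum6(uint64_t a, uint64_t b, uint64_t c, uint64_t d, uint64_t e, uint64_t f)
{ return a + b + c + d + e + f; }                      /* needs 2 stack arguments */
static uint64_t SvcMul(uint64_t a, uint64_t b, uint64_t c, uint64_t d, uint64_t e, uint64_t f)
{ (void)c; (void)d; (void)e; (void)f; return a * b; }

static int32_t g_nt_entries[MAX_ENTRIES], g_shadow_entries[MAX_ENTRIES];
static uint8_t g_nt_params[MAX_ENTRIES], g_shadow_params[MAX_ENTRIES];

/* Build both tables from scratch; returns the number of services installed, 0 on failure. */
static int build_tables(void)
{
    const struct { int32_t *tab; uint8_t *params; unsigned idx; SERVICE_ROUTINE r; unsigned sa; } spec[] = {
        { g_nt_entries,     g_nt_params,     0, SvcAdd,  0 },
        { g_nt_entries,     g_nt_params,     1, SvcSum6, 2 },
        { g_shadow_entries, g_shadow_params, 0, SvcMul,  0 },
    };
    memset(g_tables, 0, sizeof g_tables);
    for (size_t i = 0; i < sizeof spec / sizeof spec[0]; i++) {
        if (!encode_entry(spec[i].tab, spec[i].r, spec[i].sa, &spec[i].tab[spec[i].idx]))
            return 0;
        spec[i].params[spec[i].idx] = (uint8_t)(8 * spec[i].sa);  /* stack bytes: model's choice */
    }
    if (!add_service_table(g_nt_entries, NULL, 2, g_nt_params, 0)) return 0;
    if (!add_service_table(g_shadow_entries, NULL, 1, g_shadow_params, 1)) return 0;
    return (int)(sizeof spec / sizeof spec[0]);
}

/* Constructed input: "registers" {3,4,5,6} and a user stack holding {7,8}. */
static const uint64_t g_demo_args[6] = { 3, 4, 5, 6, 7, 8 };

static uint32_t demo_status(uint32_t number, size_t user_stack_qwords)
{
    uint64_t out;
    return dispatch(number, g_demo_args, user_stack_qwords, &out);
}
static uint64_t demo_result(uint32_t number)           /* UINT64_MAX when dispatch fails */
{
    uint64_t out = 0;
    return dispatch(number, g_demo_args, 2, &out) == STATUS_SUCCESS ? out : UINT64_MAX;
}
static int entry_roundtrip_ok(void)                    /* encode SvcSum6, decode it back */
{
    int32_t e; unsigned sa;
    return encode_entry(g_nt_entries, SvcSum6, 2, &e)
        && decode_entry(g_nt_entries, e, &sa) == SvcSum6 && sa == 2;
}

int main(void)
{
    if (build_tables() != 3) { puts("table setup failed"); return 1; }
    printf("svc 0x0001 -> %llu (nt table, 2 stack args)\n", (unsigned long long)demo_result(0x0001));
    printf("svc 0x1000 -> %llu (shadow table)\n", (unsigned long long)demo_result(0x1000));
    printf("svc 0x0002 -> status 0x%08X (index >= Limit)\n", demo_status(0x0002, 2));
    printf("third table accepted? %d\n", add_service_table(g_nt_entries, NULL, 2, g_nt_params, 2));
    return 0;
}
```

The two checks worth noticing when you compare this with the real handler are the Limit compare before the table is indexed (a call number past NumberOfServices never reaches an entry) and the stack-argument nibble, which decides how many qwords are copied from the user stack before the routine is called; a wrong nibble in a hand-built entry is how a hooked or added service ends up reading garbage for its fifth argument.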
[quote]
It is not only about adding something to the SDT. It’s more about understanding why I cannot add something to the SDT and how I can answer this question by myself in future.
[/quote]
Because MS has implemented special counter-measures in the kernel to prevent this, which have evolved especially in Win10 and the future Srv2016.
I *wish* you had started your question with this statement. Then I would have known not to bother answering you. I *personally* view the point of this list as helping practicing system software developers, not providing students with a shortcut to completing their homework assignments. Not everyone here agrees with my view, and hence… we get student questions quite a bit.
But be that as it may…
[quote]
It’s more about understanding why I cannot add something to the SDT and how I can answer this question by myself in future.
[/quote]
When NT was first written the ability to add system services was one of the two ways that third parties could extend the operating system. The other way was via the interface provided by the I/O Manager (that is, by writing a driver).
You can’t add an additional system service descriptor table because the code in Windows prohibits it. It’s basically an outdated feature. It was a feature that was created in a “more naive time”… before security was a major concern (believe it or not, there WAS such a time)… to facilitate some specific features of (then) Windows NT. Those issues were how to dynamically add OS Emulation Subsystems without changing the underlying Executive/Kernel/HAL.
I’m not going to lock this thread (yet), in case anybody else wishes to share some wisdom.