I have an app and driver that work on NT4 through Windows 2000 SP2 but
fail on Windows XP. In user mode we would call GetProcAddress as
follows:
    /* Prototype; the definition below is static, so the prototype must be too. */
    static BOOL GetThunkCode(FARPROC funcPtr, PULONG ntCode, PULONG ntParams);

    HMODULE hNtDll;
    FARPROC pFunc;

    /* pInitBlock is our init block, defined elsewhere in the app. */
    if ((hNtDll = LoadLibrary("NTDLL.DLL")) != NULL)
    {
        /* Look up the ZwCreateProcess stub and decode its service id and parameter count. */
        if ((pFunc = GetProcAddress(hNtDll, "ZwCreateProcess")) == NULL
            || !GetThunkCode(pFunc, &pInitBlock->CreateProcessHookBlock.NTCode,
                             &pInitBlock->CreateProcessHookBlock.ParamCount))
        {
            FreeLibrary(hNtDll);
            return 0;
        }
    }
This would get the address of the function in ntdll; we would then
extract the service id and the number of bytes required for the parameters
using the function below:
    static BOOL GetThunkCode(FARPROC funcPtr, PULONG ntCode, PULONG ntParams)
    {
        /* Byte-for-byte image of an NT4 / Windows 2000 ntdll Zw* stub:
         *   mov eax, <service id> ; ... ; int 2Eh ; ret <param bytes>  */
    #pragma pack(1)
        typedef struct _NTFUNC_BLOCK
        {
            UCHAR  moveeax;    /* 0xB8: mov eax, imm32 */
            ULONG  thunkCode;  /* the system service id */
            UCHAR  stuff[4];   /* bytes between the mov and the int 2Eh */
            UCHAR  insint;     /* 0xCD: int */
            UCHAR  vector;     /* 0x2E */
            UCHAR  insret;     /* 0xC2: ret imm16 */
            USHORT params;     /* bytes of parameters popped by the ret */
        } NTFUNC_BLOCK, *PNTFUNC_BLOCK;
    #pragma pack()
        PNTFUNC_BLOCK pNtFunc;

        pNtFunc = (PNTFUNC_BLOCK) funcPtr;
        if (pNtFunc->moveeax != 0xb8)
            return FALSE;
        if (pNtFunc->insint != 0xcd)
            return FALSE;
        if (pNtFunc->vector != 0x2e)
            return FALSE;
        if (pNtFunc->insret != 0xc2)
            return FALSE;
        *ntCode = pNtFunc->thunkCode;
        *ntParams = pNtFunc->params / sizeof(ULONG);
        return TRUE;
    }
The problem is that the function no longer returns the information the
same way that it used to. We would then pass this information
(thunkCode and number of params) to the driver, which would hook into the
KeServiceDescriptorTable, replacing the real CreateProcess function with
our own.
Also, when I try to write to the KeServiceDescriptorTable at any
serviceID, the driver immediately crashes. Did XP change the memory
protection of the KeServiceDescriptorTable?
In short, the address that we get back from GetProcAddress no longer has
the same format - does anyone know the new format? If I can find the
correct ServiceID for the KeServiceDescriptorTable, can I still replace
the old address with a new one, or is it protected memory now?
Thanks,
Jeremy
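The stub-decoding step the post describes, as an added example that is not part of Jeremy's message or his project's code: a length- and opcode-checked C parser for the NT4 / Windows 2000 int 2Eh layout that his GetThunkCode expects, extended to the 32-bit Windows XP layout (mov edx, 7FFE0300h / call dword ptr [edx]), which comes from the editor's knowledge of XP's ntdll rather than from the post. The sample byte strings, the service id 0x2A and the 8-parameter ret count are constructed values, not real ZwCreateProcess numbers.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Which stub layout was recognised. */
typedef enum { STUB_UNKNOWN = 0, STUB_INT2E = 1, STUB_SHARED_CALL = 2 } stub_kind_t;

typedef struct {
    stub_kind_t kind;
    uint32_t    service_id;   /* imm32 of the leading "mov eax" */
    uint32_t    param_bytes;  /* imm16 of the trailing "ret" */
    uint32_t    param_count;  /* param_bytes / 4 */
} stub_info_t;

/* Little-endian reads; avoids casting a code pointer to a packed struct. */
static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static uint16_t rd16(const uint8_t *p)
{
    return (uint16_t)(p[0] | (p[1] << 8));
}

/*
 * Decode a 32-bit ntdll Nt/Zw stub from a byte buffer.
 *
 * NT4 / Windows 2000 (the layout GetThunkCode in the post expects), 14 bytes:
 *   B8 imm32        mov eax, service_id
 *   8D 54 24 04     lea edx, [esp+4]
 *   CD 2E           int 2Eh
 *   C2 imm16        ret param_bytes
 *
 * Windows XP (32-bit), 15 bytes. This layout is from the editor's knowledge
 * of XP's ntdll, not from the post:
 *   B8 imm32        mov eax, service_id
 *   BA 00 03 FE 7F  mov edx, 7FFE0300h   (SystemCallStub in the shared user page)
 *   FF 12           call dword ptr [edx]
 *   C2 imm16        ret param_bytes
 *
 * Returns 1 and fills *out on success; 0 if the buffer is too short or the
 * bytes match neither layout.
 */
int parse_nt_stub(const uint8_t *code, size_t len, stub_info_t *out)
{
    static const uint8_t lea_edx_esp4[4] = { 0x8D, 0x54, 0x24, 0x04 };
    static const uint8_t mov_edx_stub[5] = { 0xBA, 0x00, 0x03, 0xFE, 0x7F };

    if (code == NULL || out == NULL || len < 5 || code[0] != 0xB8)
        return 0;
    memset(out, 0, sizeof *out);
    out->service_id = rd32(code + 1);

    if (len >= 14 && memcmp(code + 5, lea_edx_esp4, 4) == 0
        && code[9] == 0xCD && code[10] == 0x2E && code[11] == 0xC2) {
        out->kind = STUB_INT2E;
        out->param_bytes = rd16(code + 12);
    } else if (len >= 15 && memcmp(code + 5, mov_edx_stub, 5) == 0
               && code[10] == 0xFF && code[11] == 0x12 && code[12] == 0xC2) {
        out->kind = STUB_SHARED_CALL;
        out->param_bytes = rd16(code + 13);
    } else {
        return 0;
    }

    /* Parameters are pushed as 32-bit values, so the ret count must be a multiple of 4. */
    if (out->param_bytes % 4 != 0)
        return 0;
    out->param_count = out->param_bytes / 4;
    return 1;
}

/* Constructed samples: service id 0x2A and 8 parameters (ret 20h) are made up,
 * not the real ZwCreateProcess values. */
const uint8_t SAMPLE_NT4_STUB[14] = { 0xB8, 0x2A,0x00,0x00,0x00, 0x8D,0x54,0x24,0x04, 0xCD,0x2E, 0xC2, 0x20,0x00 };
const uint8_t SAMPLE_XP_STUB[15]  = { 0xB8, 0x2A,0x00,0x00,0x00, 0xBA,0x00,0x03,0xFE,0x7F, 0xFF,0x12, 0xC2, 0x20,0x00 };
/* An ordinary function prologue (push ebp ...) that happens to contain C2 20 00:
 * must be rejected, not misread as a stub. */
const uint8_t SAMPLE_NOT_A_STUB[14] = { 0x55, 0x8B,0xEC, 0x83,0xEC,0x10, 0x53,0x56,0x57, 0x90,0x90, 0xC2, 0x20,0x00 };

/* Accessors so results can be checked without printing. */
int parsed_kind(const uint8_t *code, size_t len)
{
    stub_info_t i;
    return parse_nt_stub(code, len, &i) ? (int)i.kind : (int)STUB_UNKNOWN;
}
uint32_t parsed_service_id(const uint8_t *code, size_t len)
{
    stub_info_t i;
    return parse_nt_stub(code, len, &i) ? i.service_id : 0xFFFFFFFFu;
}
uint32_t parsed_param_count(const uint8_t *code, size_t len)
{
    stub_info_t i;
    return parse_nt_stub(code, len, &i) ? i.param_count : 0xFFFFFFFFu;
}

int main(void)
{
    const uint8_t *samples[3] = { SAMPLE_NT4_STUB, SAMPLE_XP_STUB, SAMPLE_NOT_A_STUB };
    const size_t lens[3] = { sizeof SAMPLE_NT4_STUB, sizeof SAMPLE_XP_STUB, sizeof SAMPLE_NOT_A_STUB };
    for (int n = 0; n < 3; n++) {
        stub_info_t info;
        if (parse_nt_stub(samples[n], lens[n], &info))
            printf("sample %d: layout %d, service id 0x%X, %u params\n",
                   n, (int)info.kind, info.service_id, info.param_count);
        else
            printf("sample %d: not a recognised stub\n", n);
    }
    return 0;
}
```

The difference from the packed-struct cast in the post is that nothing is read past the bytes that were checked: on a layout the parser does not know it returns failure instead of a service id assembled from unrelated instruction bytes, which is the silent misread the original GetThunkCode produces once the stub format changes.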