Hi All,
My requirement is to read the System Service Table content from the disk copy of ntoskrnl.exe. (Please don't be confused: I am not talking about KeServiceDescriptorTable. I am talking about the address table where the actual addresses of the routines are stored.)
As this table is not exported, I can't reach it directly. For that I am using the virtual address of that table (i.e. the address of the table in the loaded ntoskrnl, which I reach using the KeServiceDescriptorTable export that I import in my driver).
I convert this virtual address to an RVA and then to a file offset and read the content.
Now, the problem is that this method is not working on 2003 Enterprise Server with PAE. I am not understanding what goes wrong.
Thanks & Regards,
Amit.
Why is no one replying to this post?
Is it not explanatory? Is it not interesting? I know this is really a challenge for people working on anti-rootkit projects.
It is interesting. The problem I personally have is that I haven’t an
installation of 2003 Server Enterprise. I don’t know if this is the
reason no one else has replied, but 2K3 isn’t all that common as a
development platform, in my experience. The other reason is that you’re
basically asking other people to confirm your work, because you haven’t
provided anything else in the way of information. I realize that there
isn’t much else that you can provide, but no one probably really wants
to investigate this one without a need of his or her own.
Personally, I would handle this one with symbols, if that is at all an
option, because the amount of work involved would be repaid many
times over, and you would almost certainly need access to truly private
symbols at some point. All it takes is an internet connection.
mm
-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of
xxxxx@yahoo.com
Sent: Wednesday, September 05, 2007 01:55
To: Windows System Software Devs Interest List
Subject: RE:[ntdev] Problem on 2003 Enterprise server with PAE.
NTDEV is sponsored by OSR
For our schedule of WDF, WDM, debugging and other seminars visit:
http://www.osr.com/seminars
To unsubscribe, visit the List Server section of OSR Online at
http://www.osronline.com/page.cfm?name=ListServer
xxxxx@yahoo.com wrote:
Why is no one replying to this post?
Is it not explanatory? Is it not interesting? I know this is really a challenge for people working on anti-rootkit projects.
Probably because most people have realized that “antirootkit projects”
are not practical. Whatever you can do, they can do better. They will
always be one step ahead. Once they have root access, you can’t trust
anything any more. The best you can hope for is detection, so that you
can wipe the machine and start over.
–
Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.
Actually I am using the same logic as SSDT Restore 2.0.
You can download it by searching google.com.
They had provided the source code.
But this is not working on 2003 std. server with PAE.
Please use this link for another method http://www.rootkit.com/newsread.php?newsid=176.
This is simple and more reliable but not giving desired result on 2003 std server with PAE.
Amit:
Have you tried this one on any versions later than 2K3 or 64-bit builds? I
don’t think it (the rootkit.com method) will work on any of these
either. They’re all based on speculative disassembly, which is not very
high on the reliability scale, but sometimes that is your only option.
I don’t see why it is your only option here.
What does the disassembly of KiInitSystem look like for 2K3?
mm
-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of
xxxxx@yahoo.com
Sent: Thursday, September 06, 2007 00:24
To: Windows System Software Devs Interest List
Subject: RE:[ntdev] Problem on 2003 Enterprise server with PAE.
I got to the root of the problem…
I found there are two different kernel files in the system32 directory, i.e. NtOsKrnl.Exe and NtKrnlPa.Exe.
The kernel booted was NtKrnlPa.Exe and I was searching in NtOsKrnl.Exe.
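As an added illustration, not code from the thread or from SSDT Restore: the VA-to-RVA-to-file-offset mapping the original poster describes, with the check the resolution calls for, namely that the on-disk file is the same image that was booted (here by comparing the COFF TimeDateStamp with the loaded module's). The PE fixture is constructed in memory, handles PE32 headers only, and the loaded base and timestamp values are made-up inputs.

```python
import struct

def build_pe32(image_base, timestamp, sections):
    """Build a minimal PE32 header in memory (constructed fixture, not a real kernel file).
    sections: list of (name, virtual_address, virtual_size, raw_pointer, raw_size)."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)          # e_lfanew lives at 0x3C
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), timestamp, 0, 0, 224, 0x102)
    opt = struct.pack("<HBBIIIIIII", 0x10B, 0, 0, 0, 0, 0, 0x1000, 0x1000, 0, image_base)
    opt += b"\0" * (224 - len(opt))                              # pad to SizeOfOptionalHeader
    hdrs = b"".join(n.encode().ljust(8, b"\0") + struct.pack("<IIIIIIHHI", vs, va, rs, rp, 0, 0, 0, 0, 0)
                    for n, va, vs, rp, rs in sections)
    return dos + b"PE\0\0" + coff + opt + hdrs

def parse_pe32(data):
    """Return (image_base, timestamp, sections) from a PE32 header; sections as in build_pe32."""
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    _, nsec, timestamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    opt = e_lfanew + 24
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic != 0x10B:
        raise ValueError("only PE32 (32-bit) images are handled here")
    (image_base,) = struct.unpack_from("<I", data, opt + 28)    # ImageBase field of PE32
    sections = []
    for i in range(nsec):
        name, vs, va, rs, rp = struct.unpack_from("<8sIIII", data, opt + opt_size + 40 * i)
        sections.append((name.rstrip(b"\0").decode(), va, vs, rp, rs))
    return image_base, timestamp, sections

def va_to_file_offset(data, va, loaded_base, loaded_timestamp):
    """Map a VA taken from the running kernel to an offset in the on-disk copy.
    Refuses if the file is not the booted image (the thread's bug: reading ntoskrnl.exe
    while the machine actually booted ntkrnlpa.exe)."""
    _, timestamp, sections = parse_pe32(data)
    if timestamp != loaded_timestamp:
        raise ValueError("disk file is not the booted kernel (TimeDateStamp mismatch)")
    rva = va - loaded_base          # use the *loaded* base, not the header's preferred base
    for _, sva, vs, rp, rs in sections:
        if sva <= rva < sva + max(vs, rs):
            delta = rva - sva
            if delta >= rs:
                return None         # virtual-only tail (e.g. .bss): not present in the file
            return rp + delta
    raise ValueError("RVA 0x%x falls outside every section" % rva)
```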