System service dispatcher

I’m reading the book “Undocumented Windows NT”, and the description of the
system service dispatcher has me a bit confused. According to the book,
the TEB points to a service descriptor table. The service descriptor table
points to the SSDT, which is an array of function pointers for each
service. A non-GUI thread’s TEB points to the default descriptor table,
KeServiceDescriptorTable, which points to the default SSDT, which contains
entries 0x0 to 0xD2 for the normal kernel services. A GUI thread’s TEB
points to KeServiceDescriptorTableShadow, which points to a shadow SSDT
which contains the entries for the win32k calls, with service IDs 0x1000 to
0x120A. I’m confused because this seems to indicate that the shadow SSDT
contains entries 0x0 through 0x120A, where entries 0xD3 through 0x999 are
unused slots. It does not make sense to me that there would be a bunch of
unused slots in the SSDT. It would make much more sense if instead the
descriptor table pointed to one SSDT with 0x0 to 0xD2, and a second SSDT
with services 0x1000 to 0x120A, but this does not seem to be the case
according to the book. Can someone clear up this picture for me?


You are currently subscribed to ntdev as: $subst(‘Recip.EmailAddr’)
To unsubscribe send a blank email to leave-ntdev-$subst(‘Recip.MemberIDChar’)@lists.osr.com

“Phillip Susi” wrote in message news:xxxxx@ntdev…

I’ll try: The base table has the native NT system services in it. The
shadow table has the native NT system services in it, plus the Win32 system
service APIs in it. The net effect is that the native NT APIs are available
to both Win32 and native programs, but Win32K calls are only available to
Win32 programs.

(To be honest, I never did “get” this shadow table thing either. I’m sure
there is some reason for it that I’m overlooking… either now or at least
historically. But I never did know what that reason is.)

Peter
OSR



That seems to be what the book is saying, but if the win32 services don’t
start until 0x1000, what are all of the unused slots from the end of the
native services to 0x1000 doing?

At 04:48 PM 12/6/2001 -0500, you wrote:



I think that the “thousands” digit is used to index into an array of
tables, so that when it sees 1001 it uses the second entry in the second
table. (Which is in the win32 range.) I think the shadow table is just the
one used for win32 processes. So what we end up with is this:

DispatchTable:
->Kernel ones
empty
empty
empty

Shadow table
-> native routines
-> win32k routines
-> empty
-> empty

I think. I could be wrong, I can’t find the reference for where I heard
this information.

So when you make the first win32 call, you are switched to the shadow table.
Then the ones above 0x1000 become available.

-brian
----- Original Message -----
From: “Phillip Susi”
To: “NT Developers Interest List”
Sent: Thursday, December 06, 2001 7:05 PM
Subject: [ntdev] Re: System service dispatcher



It looks like the shadow table came into existence
only during WinNT 4.0 to accommodate GDI/User calls in
the kernel. So as long as a thread is not using any GUI
call it will point to only the base table, and on making a
GUI call it points to the shadow table. IIRC this is
meant as an optimization, but I’m not sure how.

-Sajeev.

— Argus wrote:



Hello,

It looks like there is some confusion on this topic.
Let me provide some details, which will probably clear
up the confusion.

The KeServiceDescriptorTable and
KeServiceDescriptorTableShadow are 4-element arrays of
structures. The structure definition for each array
element is as follows.

typedef struct ServiceDescriptorEntry {
    unsigned int *ServiceTableBase;        // SSDT: array of service function pointers
    unsigned int *ServiceCounterTableBase; // per-service call counters, used only in checked builds
    unsigned int NumberOfServices;         // number of entries in the SSDT/SSPT
    unsigned char *ParamTableBase;         // SSPT: parameter byte count per service
} ServiceDescriptorTableEntry_t;

When NTOSKRNL.EXE is loaded, only the first element of
this array (in both KeServiceDescriptorTable and
KeServiceDescriptorTableShadow) is filled and points
to the SSDT and SSPT for kernel services (Ntxx functions
from NTOSKRNL.EXE). The rest of the 3 elements in both
arrays are empty.

When the Win32K.sys driver is loaded, it calls a function
called KeAddSystemServiceTable from NTOSKRNL.EXE
passing it the SSDT and SSPT for Win32k.sys services.
This function fills the second element in
KeServiceDescriptorTableShadow array. The
KeServiceDescriptorTable still contains only one
element.

The system call handler (int 2eh) is written in
such a way that the 12th and 13th (0-based index)
bits of the system service id decide the array index
which will be used for dispatching the service through the
corresponding SSDT. Hence, system services starting
from 0 will end up using the SSDT structure pointed to by the
first array element, system services starting with
0x1000 will end up using the SSDT structure pointed to by the
second array element, services starting at 0x2000 will
end up in the third array element, and 0x3000 will end up
in the fourth array element.

The int 2eh handler, while dispatching the service, also
subtracts the base service id (corresponding to the
array index used) from the service id passed in the EAX
register and then indexes into the SSDT. E.g. even though
the win32k.sys services are, say, from 0x1000 to 0x120A, the
SSDT only contains 0x20A entries. There are no empty
slots in the SSDT or SSPT.

Starting with IIS 4.0, Microsoft has added a kernel mode
support driver (SPUD.SYS). This driver also calls the
KeAddSystemServiceTable function to add its own system
services. This fills an entry in third array element
of KeServiceDescriptorTableShadow. Hence, its services
will start from 0x3000.

In any case, KeServiceDescriptorTable array contains
only 1 element. KeServiceDescriptorTableShadow will
contain at least 2 elements and 3 elements if IIS >=
4.0 is installed.

Now, let us see how KeServiceDescriptorTable and
KeServiceDescriptorTableShadow are used. Every thread
which begins its execution has its TEB pointing to
KeServiceDescriptorTable. When any system call is made
with a service id > 0x1000, system
(PsConvertToGuiThread) allocates a block of memory of
sizeof(KeServiceDescriptorTableShadow), copies
KeServiceDescriptorTableShadow array to this memory
block and changes the TEB to point to this. Note: In
later service packs of NT 4.0 (I don’t recall the exact
service pack) and in Windows 2000, this copying is
avoided and only the TEB is changed to point to
KeServiceDescriptorTableShadow. Once this is done, int
2eh starts using KeServiceDescriptorTableShadow for
dispatching the system service.

This is the reason why, when you add new system services,
it is essential to update both of these tables;
otherwise newly added services are visible only to
console applications and not to GUI applications.

Please let me know if there is still any confusion.

Thanks.
-Prasad

sajeev sas wrote:

=====
Prasad S. Dabak
Chief Software Architect
Ensim India Private Limited
http://www.ensim.com
Co-author of the book “Undocumented Windows NT”
ISBN 0764545698
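To make the decode in Prasad’s explanation concrete, the following C model is an added example (not code from the book, the post or NT itself): it fills a four-element base table and shadow table with constructed placeholder service names and resolves a service id the way the post describes, which also shows why a service registered only in the base table is invisible to GUI-range ids. The names dispatch, native_ssdt and win32k_ssdt are assumptions of this example.

```c
#include <stddef.h>
#include <stdio.h>

/* Model of one descriptor-array element, following the struct in the post.
   ServiceTableBase holds service names here instead of function pointers. */
typedef struct ServiceDescriptorEntry {
    const char **ServiceTableBase;         /* stand-in for the SSDT */
    unsigned int *ServiceCounterTableBase; /* unused in this model */
    unsigned int NumberOfServices;
    unsigned char *ParamTableBase;         /* stand-in for the SSPT, unused here */
} ServiceDescriptorTableEntry_t;

/* Constructed sample tables; the service names are placeholders, not real ones. */
static const char *native_ssdt[] = { "NtService0", "NtService1", "NtService2" };
static const char *win32k_ssdt[] = { "Win32kService0", "Win32kService1" };

/* Only element 0 is filled, as the post says for KeServiceDescriptorTable. */
static ServiceDescriptorTableEntry_t base_table[4] = {
    { native_ssdt, NULL, 3, NULL }, { NULL, NULL, 0, NULL },
    { NULL, NULL, 0, NULL },        { NULL, NULL, 0, NULL },
};
/* Elements 0 and 1 filled, as KeAddSystemServiceTable leaves the shadow table. */
static ServiceDescriptorTableEntry_t shadow_table[4] = {
    { native_ssdt, NULL, 3, NULL }, { win32k_ssdt, NULL, 2, NULL },
    { NULL, NULL, 0, NULL },        { NULL, NULL, 0, NULL },
};

/* Decode a service id as the post describes: bits 12-13 select the array
   element, and the low 12 bits (id minus the element's base) index the SSDT.
   Returns NULL when the element is empty or the index is out of range: the
   case the dispatcher must reject instead of dereferencing past the table. */
const char *dispatch(const ServiceDescriptorTableEntry_t table[4], unsigned int service_id)
{
    unsigned int idx = (service_id >> 12) & 3;
    unsigned int off = service_id & 0xFFF;
    const ServiceDescriptorTableEntry_t *e = &table[idx];
    if (e->ServiceTableBase == NULL || off >= e->NumberOfServices)
        return NULL;
    return e->ServiceTableBase[off];
}

int main(void)
{
    /* 0x1001 resolves via the shadow table only: new services go in both tables. */
    const char *s = dispatch(shadow_table, 0x1001);
    const char *b = dispatch(base_table, 0x1001);
    printf("shadow 0x1001 -> %s\n", s ? s : "(invalid)");
    printf("base   0x1001 -> %s\n", b ? b : "(invalid)");
    return 0;
}
```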





> Starting IIS 4.0, Microsoft has added a kernel mode
> support driver (SPUD.SYS). This driver also calls
> KeAddSystemServiceTable function to add its own system

BTW - maybe somebody knows the purpose of SPUD.SYS?
Some security-related stuff?

Max



Hello,

I have done some research on this in the past, but I
don’t recall the details.

But I am pretty sure that it’s not for security-related
stuff.

I believe that it’s mainly for improving network
request processing. It uses some afd.sys interfaces
along with I/O completion ports to speed up this
process. I recall that inetinfo.exe creates an I/O
completion port and passes the handle to SPUD.SYS.

-Prasad

— “Maxim S. Shatskih” wrote:



“Prasad Dabak” wrote in message news:xxxxx@ntdev…
Thanks for posting your long explanation. But it still doesn’t address the
subject of WHY there’s a shadow table. What purpose is it supposed to
serve?

Peter

