  Message 1 of 9  
06 Dec 01 12:40
ntdev member 7170
xxxxxx@cfl.rr.com
Join Date:
Posts To This List: 11
System service dispatcher

I'm reading the book "Undocumented Windows NT", and the description of the system service dispatcher has me a bit confused. According to the book, the TEB points to a service descriptor table. The service descriptor table points to the SSDT, which is an array of function pointers for each service. A non-GUI thread's TEB points to the default descriptor table, KeServiceDescriptorTable, which points to the default SSDT, which contains entries 0x0 to 0xD2 for the normal kernel services. A GUI thread's TEB points to KeServiceDescriptorTableShadow, which points to a shadow SSDT which contains the entries for the win32k calls, with service IDs 0x1000 to 0x120A.

I'm confused because this seems to indicate that the shadow SSDT contains entries 0x0 through 0x120A, where entries 0xD3 through 0x999 are unused slots. It does not make sense to me that there would be a bunch of unused slots in the SSDT. It would make much more sense if instead the descriptor table pointed to one SSDT with 0x0 to 0xD2, and a second SSDT with services 0x1000 to 0x120A, but this does not seem to be the case according to the book. Can someone clear up this picture for me?
  Message 2 of 9  
06 Dec 01 16:51
Peter Viscarola (OSR)
xxxxxx@osr.com
Join Date:
Posts To This List: 2475
List Moderator
Re: System service dispatcher

"Phillip Susi" <xxxxx@cfl.rr.com> wrote in message news:20626@ntdev...
>
> with services 0x1000 to 0x120A, but this does not seem to be the case
> according to the book. Can someone clear up this picture for me?
>

I'll try: The base table has the native NT system services in it. The shadow table has the native NT system services in it, plus the Win32 system service APIs in it. The net effect is that the native NT APIs are available to both Win32 and native programs, but Win32K calls are only available to Win32 programs.

(To be honest, I never did "get" this shadow table thing either. I'm sure there's some reason for it that I'm overlooking... either now or at least historically. But I never did know what that reason is.)

Peter
OSR
  Message 3 of 9  
06 Dec 01 19:13
ntdev member 7170
xxxxxx@cfl.rr.com
Join Date:
Posts To This List: 11
Re: System service dispatcher

That seems to be what the book is saying, but if the win32 services don't start until 0x1000, what are all of the unused slots from the end of the native services to 0x1000 doing?

At 04:48 PM 12/6/2001 -0500, you wrote:
> "Phillip Susi" <xxxxx@cfl.rr.com> wrote in message news:20626@ntdev...
> >
> > with services 0x1000 to 0x120A, but this does not seem to be the case
> > according to the book. Can someone clear up this picture for me?
> >
>
> I'll try: The base table has the native NT system services in it. The
> shadow table has the native NT system services in it, plus the Win32 system
> service APIs in it. The net affect is that the native NT APIs are available
<...excess quoted lines suppressed...>
  Message 4 of 9  
06 Dec 01 20:22
wParam
xxxxxx@vt.edu
Join Date: 15 Nov 2001
Posts To This List: 16
Re: System service dispatcher

I think that the "thousands" digit is used to index into an array of tables, so that when it sees 1001 it uses the second entry in the second table. (Which is in the win32 range.) I think the shadow table is just the one used for win32 processes. So what we end up with is this:

    DispatchTable:
        -> Kernel ones
        empty
        empty
        empty

    Shadow table
        -> native routines
        -> win32k routines
        -> empty
        -> empty

I think. I could be wrong, I can't find the reference for where I heard this information. So when you make the first win32 call, you are switched to the shadow table. Then the ones above 0x1000 become available.

-brian

----- Original Message -----
From: "Phillip Susi" <xxxxx@cfl.rr.com>
To: "NT Developers Interest List" <xxxxx@lists.osr.com>
Sent: Thursday, December 06, 2001 7:05 PM
Subject: [ntdev] Re: System service dispatcher

> That seems to be what the book is saying, but if the win32 services don't
> start until 0x1000, what are all of the unused slots from the end of the
> native services to 0x1000 doing?
>
> At 04:48 PM 12/6/2001 -0500, you wrote:
>
> > "Phillip Susi" <xxxxx@cfl.rr.com> wrote in message news:20626@ntdev...
> > >
<...excess quoted lines suppressed...>
> > system
> > service APIs in it. The net affect is that the native NT APIs are available
> > to both Win32 and native programs, but Win32K calls are only available to
> > Win32 programs.
> >
> > (To be honest, I never did "get" this shadow table thing either. I'm sure
> > there some reason for it that I'm overlooking... either now or at least
> > historically. But I never did know what that reason is.)
> >
> > Peter
> > OSR
  Message 5 of 9  
06 Dec 01 23:48
ntdev member 958
xxxxxx@yahoo.com
Join Date:
Posts To This List: 65
Re: System service dispatcher

It looks like the shadow table came into existence only during WinNT 4.0 to accommodate GDI/User calls in kernel. So as long as a thread is not using any GUI call it will point to only the base table, and on making a GUI call it points to the shadow table. IIRC this is meant as an optimization, but not sure how.

-Sajeev.

--- Argus <xxxxx@vt.edu> wrote:
> I think that the "thousands" digit is used to
> index into an array of
> tables, so that when it sees 1001 it uses the second
> entry in the second
> table. (Which is in the win32 range.) I think the
> shadow table is just the
> one used for win32 processes. So what we end up
> with is this:
>
<...excess quoted lines suppressed...>
  Message 6 of 9  
07 Dec 01 01:41
ntdev member 401
xxxxxx@yahoo.com
Join Date:
Posts To This List: 51
Re: System service dispatcher

Hello,

It looks like there is some confusion on this topic. Let me provide some details, which will probably clear up the confusion.

The KeServiceDescriptorTable and KeServiceDescriptorTableShadow are 4-element arrays of structures. The structure definition for each array element is as follows.

    typedef struct ServiceDescriptorEntry {
        unsigned int *ServiceTableBase;         // SSDT
        unsigned int *ServiceCounterTableBase;  // Used only in checked build
        unsigned int NumberOfServices;
        unsigned char *ParamTableBase;          // SSPT
    } ServiceDescriptorTableEntry_t;

When NTOSKRNL.EXE is loaded, only the first element of this array (KeServiceDescriptorTable and KeServiceDescriptorTableShadow) is filled and points to the SSDT and SSPT for kernel services (Ntxx functions from NTOSKRNL.EXE). The rest of the 3 elements in both the arrays are empty. When the Win32K.sys driver is loaded, it calls a function called KeAddSystemServiceTable from NTOSKRNL.EXE, passing it the SSDT and SSPT for Win32k.sys services. This function fills the second element in the KeServiceDescriptorTableShadow array. The KeServiceDescriptorTable still contains only one element.

The system call handler (int 2eh) is written in such a way that the 12th and 13th (0-based index) bits of the system service decide the array index which will be used for dispatching the service through the corresponding SSDT. Hence, system services starting from 0 will end up using the SSDT structure pointed to by the first array element, system services starting with 0x1000 will end up using the SSDT structure pointed to by the second array element, services starting 0x2000 will end up in the third array element and 0x3000 will end up in the fourth array element. The int 2eh handler, while dispatching the service, also subtracts the base service id (corresponding to the array index used) from the service id passed in the EAX register and then indexes into the SSDT. E.g. even though win32k.sys services are, say, from 0x1000 to 0x120A, the SSDT only contains 0x20A entries. There are no empty slots in the SSDT or SSPT.

Starting with IIS 4.0, Microsoft has added a kernel mode support driver (SPUD.SYS). This driver also calls the KeAddSystemServiceTable function to add its own system services. This fills an entry in the third array element of KeServiceDescriptorTableShadow. Hence, its services will start from 0x3000. In any case, the KeServiceDescriptorTable array contains only 1 element. KeServiceDescriptorTableShadow will contain at least 2 elements, and 3 elements if IIS >= 4.0 is installed.

Now, let us see how KeServiceDescriptorTable and KeServiceDescriptorTableShadow are used. Every thread which begins its execution has its TEB pointing to KeServiceDescriptorTable. When any system call is made with a service id > 0x1000, the system (PsConvertToGuiThread) allocates a block of memory of sizeof(KeServiceDescriptorTableShadow), copies the KeServiceDescriptorTableShadow array to this memory block and changes the TEB to point to this. Note: In later service packs of NT 4.0 (I don't recall the exact service pack) and in Windows 2000, this copying is avoided and only the TEB is changed to point to KeServiceDescriptorTableShadow. Once this is done, int 2eh starts using KeServiceDescriptorTableShadow for dispatching the system service.

This is the reason why, when you add new system services, it is essential to update both of these tables; otherwise newly added services are visible only to console applications and not to GUI applications.

Please let me know if there is still any confusion.

Thanks.
-Prasad

> sajeev sas <xxxxx@yahoo.com> wrote:
> It looks like the shadow table came into existence
> only during Winnt4.0 to accomodate GDI/User calls in
> Kernel. So as long as a thread is not using any GUI
> call it will pt to only the base table and on making
> a
> GUI call it points to the shadow table. IIRC this is
<...excess quoted lines suppressed...>

=====
Prasad S. Dabak
Chief Software Architect
Ensim India Private Limited
http://www.ensim.com
Co-author of the book "Undocumented Windows NT" ISBN 0764545698
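The following is an added user-mode model of the dispatch arithmetic described in the message above (the two 4-element descriptor arrays, bits 12-13 selecting the element, the low 12 bits indexing the element's SSDT, and the bounds check against NumberOfServices). It is not code from the thread, the book, or Windows: the handler functions, the 0xD3 and 0x20B entry counts (taken from the ids quoted in the thread), and the DISPATCH_* status codes are constructed for illustration, and the KeServiceDescriptorTable / KeServiceDescriptorTableShadow names are model variables, not kernel exports. It shows why 0x1000..0x120A needs no empty slots, and why a win32k id issued by a thread still on the base table cannot be served.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Model only: the structure layout and the dispatch arithmetic follow the
 * thread; handlers, counts and status codes below are constructed. */
typedef uintptr_t (*service_fn_t)(void);

typedef struct ServiceDescriptorEntry {
    service_fn_t  *ServiceTableBase;         /* SSDT: one handler per service */
    unsigned int  *ServiceCounterTableBase;  /* checked builds only; NULL here */
    unsigned int   NumberOfServices;
    unsigned char *ParamTableBase;           /* SSPT: argument byte counts, unused here */
} ServiceDescriptorTableEntry_t;

#define TABLE_COUNT  4
#define NATIVE_COUNT 0xD3   /* native ids 0x0..0xD2, as quoted in the thread */
#define WIN32K_COUNT 0x20B  /* win32k ids 0x1000..0x120A: 0x20B entries, no gaps */

enum { DISPATCH_NO_TABLE = -1, DISPATCH_OUT_OF_RANGE = -2 };

/* Hypothetical handlers: each returns a tag so a caller can see which SSDT served it. */
static uintptr_t native_stub(void) { return 0xAAAA; }
static uintptr_t win32k_stub(void) { return 0xBBBB; }

static service_fn_t  native_ssdt[NATIVE_COUNT];
static unsigned char native_sspt[NATIVE_COUNT];
static service_fn_t  win32k_ssdt[WIN32K_COUNT];
static unsigned char win32k_sspt[WIN32K_COUNT];

/* The two 4-element descriptor arrays (model variables, not the kernel's). */
static ServiceDescriptorTableEntry_t KeServiceDescriptorTable[TABLE_COUNT];
static ServiceDescriptorTableEntry_t KeServiceDescriptorTableShadow[TABLE_COUNT];
static int tables_ready;

/* Stand-in for what the thread says KeAddSystemServiceTable does: fill one element. */
static void add_system_service_table(ServiceDescriptorTableEntry_t *desc, unsigned idx,
                                     service_fn_t *ssdt, unsigned char *sspt, unsigned count)
{
    desc[idx].ServiceTableBase        = ssdt;
    desc[idx].ServiceCounterTableBase = NULL;
    desc[idx].NumberOfServices        = count;
    desc[idx].ParamTableBase          = sspt;
}

static void init_tables(void)
{
    for (unsigned i = 0; i < NATIVE_COUNT; i++) native_ssdt[i] = native_stub;
    for (unsigned i = 0; i < WIN32K_COUNT; i++) win32k_ssdt[i] = win32k_stub;
    /* Kernel load: element 0 of both arrays points at the native tables. */
    add_system_service_table(KeServiceDescriptorTable,       0, native_ssdt, native_sspt, NATIVE_COUNT);
    add_system_service_table(KeServiceDescriptorTableShadow, 0, native_ssdt, native_sspt, NATIVE_COUNT);
    /* win32k.sys load: element 1 of the shadow array only; elements 2 and 3 stay empty. */
    add_system_service_table(KeServiceDescriptorTableShadow, 1, win32k_ssdt, win32k_sspt, WIN32K_COUNT);
    tables_ready = 1;
}

/* Dispatch arithmetic from the thread: bits 12-13 of the id select the array
 * element, the low 12 bits are the offset into that element's SSDT (the same
 * as subtracting the element's base id). Returns the handler's tag, or a
 * negative DISPATCH_* code when the id cannot be served. */
static long dispatch(const ServiceDescriptorTableEntry_t *thread_table, unsigned service_id)
{
    unsigned idx    = (service_id >> 12) & (TABLE_COUNT - 1);
    unsigned offset = service_id & 0xFFF;
    const ServiceDescriptorTableEntry_t *e = &thread_table[idx];

    if (e->ServiceTableBase == NULL)
        return DISPATCH_NO_TABLE;       /* e.g. a win32k id on a thread still using the base table */
    if (offset >= e->NumberOfServices)
        return DISPATCH_OUT_OF_RANGE;   /* bounds check against NumberOfServices */
    return (long)e->ServiceTableBase[offset]();
}

/* Dispatch for a thread whose TEB points at the base (gui_thread == 0) or shadow (1) array. */
long probe(int gui_thread, unsigned service_id)
{
    if (!tables_ready) init_tables();
    return dispatch(gui_thread ? KeServiceDescriptorTableShadow : KeServiceDescriptorTable, service_id);
}

int main(void)
{
    printf("0x0042 non-GUI thread: %ld\n", probe(0, 0x0042));  /* 0xAAAA = 43690 */
    printf("0x1001 non-GUI thread: %ld\n", probe(0, 0x1001));  /* -1: shadow element absent */
    printf("0x1001 GUI thread:     %ld\n", probe(1, 0x1001));  /* 0xBBBB = 48059 */
    printf("0x120B GUI thread:     %ld\n", probe(1, 0x120B));  /* -2: past the last win32k entry */
    return 0;
}
```

The real int 2eh handler rejects an id that fails the element or bounds check with STATUS_INVALID_SYSTEM_SERVICE rather than a constructed code, but the selection logic is the same. The model also makes the last paragraph of the message concrete: because a GUI thread dispatches through a different array, any integrity check that compares only KeServiceDescriptorTable against a known-good copy never sees the element that win32k.sys added, so both arrays have to be examined.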
  Message 7 of 9  
07 Dec 01 05:07
ntdev member 542
xxxxxx@storagecraft.com
Join Date:
Posts To This List: 2446
Re: System service dispatcher

> Starting IIS 4.0, Microsoft has added a kernel mode
> support driver (SPUD.SYS). This driver also calls
> KeAddSystemServiceTable function to add its own system

BTW - maybe somebody knows the purpose of SPUD.SYS? Some security-related stuff?

Max
  Message 8 of 9  
07 Dec 01 05:59
ntdev member 401
xxxxxx@yahoo.com
Join Date:
Posts To This List: 51
Re: System service dispatcher

Hello,

I have done some research on this in the past, but don't recall the details. But I am pretty sure that it's not for security-related stuff. I believe that it's mainly for improving network request processing. It uses some afd.sys interfaces along with I/O completion ports to speed up this process. I recall inetinfo.exe creates an I/O completion port and passes the handle to SPUD.SYS.

-Prasad

--- "Maxim S. Shatskih" <xxxxx@storagecraft.com> wrote:
> > Starting IIS 4.0, Microsoft has added a kernel
> mode
> > support driver (SPUD.SYS). This driver also calls
> > KeAddSystemServiceTable function to add its own
> system
>
> BTW - maybe somebody knows the purpose of SPUD.SYS?
> Some security-related stuff?
>
> Max
<...excess quoted lines suppressed...>
  Message 9 of 9  
07 Dec 01 15:31
Peter Viscarola (OSR)
xxxxxx@osr.com
Join Date:
Posts To This List: 2475
List Moderator
Re: System service dispatcher

"Prasad Dabak" <xxxxx@yahoo.com> wrote in message news:20684@ntdev...
>

Thanks for posting your long explanation. But it still doesn't address the subject of WHY there's a shadow table. What purpose is it supposed to serve?

Peter