J. J.:
You’re on the right track from an information standpoint.
Here are the basics of what you ask. For more complete details, head
to your local bookstore (in addition to the aforementioned book,
“Undocumented Windows NT” goes into this in much more detail; it also
includes fairly complete code that would serve as a good paradigm for
what you are trying to do; however, I think that it is out of print, and
only goes up to W2K (as far as I know)).
PRE WIN2K3SP1:
Windows supports up to four service descriptor tables. The two you
mentioned (KeServiceDescriptorTable and KeServiceDescriptorTableShadow)
are mandatory. KeServiceDescriptorTable does what you think it does.
KeServiceDescriptorTableShadow was added in NT4 to allow for the kernel
mode implementation of the USER and GDI services (Win32K) formerly
provided as a user mode subsystem based on LPC (CSRSS). [Strictly
speaking, even though 3.51 did not have Win32K, it did contain most of
the structures necessary to support it in future versions (i.e.,
KeServiceDescriptorTableShadow, etc.).] The other two entries you
asked about are used to allow the addition of up to two additional
tables via KeAddSystemServiceTable. When a table is added, its values
are copied into one of the slots in both KeServiceDescriptorTable and
KeServiceDescriptorTableShadow. Microsoft Internet Information Server’s
Spud Driver does this.
W2K3SP1+:
As quite correctly pointed out, this feature/security issue is the
basis for most malware. To prevent this manipulation the ability to add
service descriptor tables was removed (except for the case of Win2K),
and this is why there are now only two entries.
ON A PERSONAL NOTE:
I make no assumptions about your intentions, because:
(1) as I can not read minds, I do not know what they are;
(2) I do not care what they are, both because it is not my business and
it doesn’t affect me;
(3) while the dangers of methods such as this are very real, so are the
occasional situations which either require them or whose documented
alternatives are unwieldy and/or crippled;
(4) as a general rule, everything on this list that is taboo to ask about
was, minimally, at one time considered, while undocumented, acceptable.
In this particular case, Microsoft used to have articles pertaining to
this in the MSDN a long time ago; in fact, this security issue was once
marketed as a feature in official Microsoft publications (like Helen
Custer’s book); even the more recent version (albeit with a very
different purpose) (Russinovich) mentions much of this. Details to
follow below, but the basic answer to your question supports this - the
bytes missing in W2K3SP1 were removed as a result of removing the
support to add new system services tables, which was both a security
issue and a feature.
(5) most of the verboten subject matter on this list, while very
complicated, is, from a realistic security standpoint, at this point in
time (NT + something like 15), pedestrian. In fact, this is a
requirement for a mechanism to be included on the do not discuss list.
Presumably, no one discloses anything really good.
Three pieces of advice:
(1) Unless asked to provide information, don’t waste your time
apologizing/explaining what you intend to do with this information.
You’re going to get the same response, and it just generates a flood of
nonsense like what I’m writing here; on bad days, that would seem to be
the point of these lists.
(2) Try not to take the suspicion personally, or, for that matter,
seriously. In fact, turnabout is fair play; that is, everyone on this
list has his or her own intentions, including myself, which you may or
may not trust. Many of this list’s members have very real constraints
on what they say, because it may impact them professionally in a variety
of ways. I don’t mean this in a sinister way; that’s just life.
(3) All of that being said, generally, the advice given regarding
security/stability issues is excellent for most cases.
MM
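The slot layout and the copy-into-both-tables behaviour MM describes, modelled in user-mode C together with the kind of baseline integrity audit an anti-rootkit or forensic tool would run against it; this is an added example, not code from the thread or from Windows. The four descriptor field names follow the commonly published layout (an assumption), and every `_sim` name, sample address and trusted range is constructed.

```c
#include <stdint.h>
#define SSDT_SLOTS  4   /* pre-W2K3SP1: two mandatory slots plus two addable ones */
#define FIXED_SLOTS 2   /* the only slots left on W2K3SP1 and later */
/* One descriptor slot; field names follow the commonly published layout (assumption). */
typedef struct {
    uintptr_t *ServiceTableBase;        /* dispatch target per service index */
    uint32_t  *ServiceCounterTableBase; /* per-service call counters */
    uint32_t   NumberOfServices;
    uint8_t   *ParamTableBase;          /* argument byte count per service */
} ServiceTableDescriptor;
typedef struct { ServiceTableDescriptor Entry[SSDT_SLOTS]; } ServiceDescriptorTable;
/* Simulated kernel globals (plain user-mode variables, not the real ones). */
ServiceDescriptorTable KeServiceDescriptorTable_sim, KeServiceDescriptorTableShadow_sim;
/* Constructed dispatch targets and the trusted image ranges a boot-time baseline would record. */
uintptr_t sim_nt_svc[3] = { 0x1010, 0x1020, 0x1030 }, sim_w32_svc[2] = { 0x8010, 0x8020 };
uintptr_t sim_extra_svc[1] = { 0x5000 };   /* a third-party table outside both ranges */
uintptr_t sim_trusted[FIXED_SLOTS][2] = { { 0x1000, 0x2000 }, { 0x8000, 0x9000 } };
void seed_tables_sim(void)   /* slot 1 (Win32K) exists only in the shadow table */
{
    ServiceTableDescriptor nt = { sim_nt_svc, 0, 3, 0 }, w32 = { sim_w32_svc, 0, 2, 0 };
    KeServiceDescriptorTable_sim       = (ServiceDescriptorTable){ { nt } };
    KeServiceDescriptorTableShadow_sim = (ServiceDescriptorTable){ { nt, w32 } };
}
/* The post's description of KeAddSystemServiceTable: the descriptor is copied into the
 * same free slot (2 or 3) of BOTH tables. Returns 1 if added, 0 if refused. */
int add_system_service_table_sim(uintptr_t *base, uint32_t count, unsigned slot)
{
    ServiceTableDescriptor d = { base, 0, count, 0 };
    if (slot < FIXED_SLOTS || slot >= SSDT_SLOTS) return 0;
    if (KeServiceDescriptorTable_sim.Entry[slot].ServiceTableBase) return 0;
    KeServiceDescriptorTable_sim.Entry[slot] = KeServiceDescriptorTableShadow_sim.Entry[slot] = d;
    return 1;
}
/* Defender-side audit: counts populated extra slots plus slot-0/1 dispatch targets that
 * fall outside their trusted range [range[s][0], range[s][1]). */
unsigned audit_tables_sim(uintptr_t range[FIXED_SLOTS][2])
{
    const ServiceDescriptorTable *tabs[2] = { &KeServiceDescriptorTable_sim, &KeServiceDescriptorTableShadow_sim };
    unsigned findings = 0;
    for (int t = 0; t < 2; t++)
        for (unsigned s = 0; s < SSDT_SLOTS; s++) {
            const ServiceTableDescriptor *e = &tabs[t]->Entry[s];
            if (!e->ServiceTableBase) continue;
            if (s >= FIXED_SLOTS) { findings++; continue; }
            for (uint32_t i = 0; i < e->NumberOfServices; i++)
                if (e->ServiceTableBase[i] < range[s][0] || e->ServiceTableBase[i] >= range[s][1]) findings++;
        }
    return findings;
}
```

On a W2K3SP1+ layout the extra-slot branch can never fire, which is exactly why the two missing entries MM mentions closed off that path; the range check still catches a redirected entry in the two remaining slots.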
>> xxxxx@uiuc.edu 2006-06-21 14:29:25 >>>
I actually just happened to have noticed this while working on
a project involving hooking the Native API. I don’t know that
it particularly affects me since I will only be using the
first 2 entries anyways, but I thought it would be interesting
to find out since I have now read quite a bit about the
Service Tables and none seem to have referenced this
possibility (other than saying different versions have
different tables, subject to change during hotfixes etc.).
I had searched through the archives for info about this, but I
will give it another go with Peter’s keywords.
To be more specific about what I am doing (so everyone doesn’t
think I just have malicious intentions), I am doing this
project sort of as a learning exercise to delve deeper into
understanding the Windows OS. The project is supposed to be
sort of an API monitor that will monitor what Native API
functions are called (by hooking in the service table) and
then *possibly* having some playback functionality. Obviously
there will be some dynamic structures passed to the
functions; however, hopefully I will be able to pull enough
data from them to create new ones at playback time that will
result in a very similar function call.
I understand that this is not a proper way to do things, but
unless someone can suggest another way to hook all native API
calls, this is the option I have right now. If someone wants
to suggest an alternative, I am open to that as well.
I’m sure I will still get the “Don’t do this, it is not a very
good idea” response since I have read many threads along these
lines, but responses with useful information or even just
things to think about in such a project are greatly appreciated.
I also admit to being a complete beginner at Windows
internals, but I am trying to *learn*, not just get things
done. Therefore I value the responses where it is explained
what is very difficult about the idea, rather than just saying
“it’s too difficult, don’t try it.”
Thanks for the help,
J.J.
Questions? First check the Kernel Driver FAQ at
http://www.osronline.com/article.cfm?id=256
To unsubscribe, visit the List Server section of OSR Online at
http://www.osronline.com/page.cfm?name=ListServer