cziter15 Newbie cheater
Reputation: 0
Joined: 24 May 2009 Posts: 10
Posted: Tue Apr 27, 2010 5:36 pm Post subject: [SOURCE] Find SSDT on x64 version of Windows
In the 64-bit version of Microsoft Windows 2003 SP1, Microsoft Corporation introduced a new protection mechanism called PatchGuard. In this way, they removed the exported entry KeServiceDescriptorTable to prevent developers from editing it.
I did some quick research on finding this table, and here it is:
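Code:
ULONGLONG GetKeServiceDescriptorTable64()
{
    // Byte pattern located inside KiSystemServiceStart
    static const UCHAR KiSystemServiceStart_pattern[13] = {
        0x8B, 0xF8, 0xC1, 0xEF, 0x07, 0x83, 0xE7, 0x20, 0x25, 0xFF, 0x0F, 0x00, 0x00
    };
    // Scan boundaries (two symbols exported by the kernel image)
    ULONGLONG CodeScanStart = (ULONGLONG)&_strnicmp;
    ULONGLONG CodeScanEnd = (ULONGLONG)&KdDebuggerNotPresent;
    // Other variables we need
    ULONGLONG i, b, tbl_address;

    // Nothing to scan if the range is empty or shorter than the pattern
    if (CodeScanEnd <= CodeScanStart + sizeof(KiSystemServiceStart_pattern))
        return 0;

    // Loop to find KiSystemServiceStart; stop early enough that memcmp
    // never reads past CodeScanEnd
    for (i = 0; i <= CodeScanEnd - CodeScanStart - sizeof(KiSystemServiceStart_pattern); i++)
    {
        // Check whether these bytes are equal to our pattern bytes
        if (!memcmp((const void*)(CodeScanStart + i), KiSystemServiceStart_pattern,
                    sizeof(KiSystemServiceStart_pattern)))
        {
            // Search the next 50 bytes for lea reg, [rip+disp32] by its opcode bytes: 4c 8d
            for (b = 0; b < 50; b++)
            {
                tbl_address = CodeScanStart + i + b;
                // Found the lea: the table address is the address of the next
                // instruction (lea is 7 bytes long) plus the signed 32-bit
                // relative displacement stored at offset 3
                if (*(USHORT*)tbl_address == (USHORT)0x8d4c)
                    return ((LONGLONG)tbl_address + 7) + *(LONG*)(tbl_address + 3);
            }
        }
    }
    // Pattern or lea instruction not found
    return 0;
}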
More info (in Polish) can be found here: rev3rsed.blogspot.com
Regards, Chris