12 June 2012

KiServiceTable

KiServiceTable tak di export oleh kernel.

Cara nak dapatkannya ialah dari KeServiceDescriptorTable


typedef struct ServiceDescriptorTable {
    SDE ServiceDescriptor[4];
} SDT;

typedef struct ServiceDescriptorEntry {
    PDWORD KiServiceTable;
    PDWORD CounterTableBase;
    DWORD ServiceLimit;
    PBYTE ArgumentTable;
} SDE;



KeServiceDescriptorTable.ServiceDescriptor[0].KiServiceTable < pointer ke KiServiceTable
KeServiceDescriptorTable.ServiceDescriptor[0].ServiceLimit  < size array KiServiceTable

ServiceDescriptor yang lain tak pakai.
(KeServiceDescriptorTable.ServiceDescriptor[1], KeServiceDescriptorTable.ServiceDescriptor[2], KeServiceDescriptorTable.ServiceDescriptor[3], semua ni tak pakai)





ref:http://www.thehackademy.net/madchat/vxdevl/library/Defeating%20Kernel%20Native%20API%20Hookers%20by%20Direct%20KiServiceTable%20Restoration.pdf

No comments:

Post a Comment

Terima kasih