4.6 The Native API
The system service number is a 32-bit value (see Figure 4.13). The first 12
bits (bits 0 through 11) indicate which system service call will ultimately
be invoked. Bits 12 and 13 in this 32-bit value specify one of four possible
service descriptor tables.
[Figure 4.13: ntdll.dll issues INT 0x2E/SYSENTER carrying the system service number, which KiSystemService() in ntoskrnl.exe/ntkrnlpa.exe dispatches. Bits 13 and 12 select the service descriptor table (00 = KeServiceDescriptorTable, 01 = KeServiceDescriptorTableShadow; 10 and 11 are the remaining possible values), and bits 0 through 11 hold the routine index. KeServiceDescriptorTable: PDWORD KiServiceTable; PDWORD field2; DWORD nEntries; PBYTE KiArgumentTable. KeServiceDescriptorTableShadow: PDWORD W32pServiceTable; PDWORD field2; DWORD nEntries; PBYTE W32pArgumentTable.]
Even though four descriptor tables are possible (i.e., two bits can take one
of four values), only two service descriptor tables have visible symbols in
kernel space. You can see this for yourself by using the following command
during a kernel debugging session:
kd> dt nt!*descriptortable* -v
Enumerating symbols matching nt!*descriptortable*
Address Size Symbol
81939900 000 nt!KeServiceDescriptorTableShadow (no type info)
819398c0 000 nt!KeServiceDescriptorTable (no type info)
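The following is an added example, not code from the book, that models the service number encoding and the descriptor table layout from Figure 4.13 in user-mode C: it splits a 32-bit service number into its table selector (bits 12 and 13) and routine index (bits 0 through 11), then resolves it against four table slots, rejecting numbers whose slot is empty or whose index runs past nEntries. The routine addresses and argument byte counts are constructed placeholders, and the function names are this example's own.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Service descriptor table as drawn in Figure 4.13 (32-bit layout). */
typedef struct {
    uint32_t *KiServiceTable;   /* routine addresses, indexed by routine index */
    uint32_t *field2;           /* not used by this example */
    uint32_t  nEntries;         /* number of valid entries in both arrays */
    uint8_t  *KiArgumentTable;  /* bytes of stack arguments per routine */
} ServiceDescriptorTable;
#define SSN_ROUTINE_MASK 0x0FFFu  /* bits 0..11: routine index  */
#define SSN_TABLE_SHIFT  12u      /* bits 12..13: table selector */
#define SSN_TABLE_MASK   0x3u

uint32_t ssn_routine_index(uint32_t ssn) { return ssn & SSN_ROUTINE_MASK; }
uint32_t ssn_table_index(uint32_t ssn)   { return (ssn >> SSN_TABLE_SHIFT) & SSN_TABLE_MASK; }

/* Resolve a service number against the four possible table slots. Returns the
 * routine address, or 0 when the selected slot is empty (selectors 2 and 3
 * here) or the routine index is >= nEntries, so a malformed number is
 * rejected instead of indexing past the end of a table. */
uint32_t ssn_resolve(const ServiceDescriptorTable *tables[4], uint32_t ssn,
                     uint8_t *arg_bytes)
{
    const ServiceDescriptorTable *t = tables[ssn_table_index(ssn)];
    uint32_t idx = ssn_routine_index(ssn);
    if (t == NULL || idx >= t->nEntries)
        return 0;
    if (arg_bytes != NULL)
        *arg_bytes = t->KiArgumentTable[idx];
    return t->KiServiceTable[idx];
}
/* Constructed sample tables; the addresses are placeholders, not real ones. */
static uint32_t main_routines[]   = { 0x80501000u, 0x80501100u, 0x80501200u };
static uint8_t  main_args[]       = { 0x08, 0x18, 0x0C };
static uint32_t shadow_routines[] = { 0xBF801000u, 0xBF801100u };
static uint8_t  shadow_args[]     = { 0x04, 0x10 };
static ServiceDescriptorTable sample_main   = { main_routines, NULL, 3, main_args };
static ServiceDescriptorTable sample_shadow = { shadow_routines, NULL, 2, shadow_args };
static const ServiceDescriptorTable *sample_tables[4] = { &sample_main, &sample_shadow, NULL, NULL };
/* Convenience wrappers over the sample tables (address, and argument byte count or 0). */
uint32_t sample_resolve(uint32_t ssn, uint8_t *arg_bytes) { return ssn_resolve(sample_tables, ssn, arg_bytes); }
uint32_t sample_arg_bytes(uint32_t ssn) { uint8_t b = 0; sample_resolve(ssn, &b); return b; }

int main(void)
{
    uint8_t args = 0;
    uint32_t addr = sample_resolve(0x1001u, &args);  /* selector 1, routine 1 */
    printf("%#x -> %#x, %u argument bytes\n", 0x1001u, addr, args);
    return 0;
}
```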