Chapter 4/ System Briefing

Of these two symbols, only KeServiceDescriptorTable is exported by ntoskrnl.exe (you can verify this with the dumpbin.exe tool). The other table is visible only within the confines of the executive.

If bits 12 and 13 of the system service number are 0x00 (i.e., the system service number lies in the range 0x0000-0x0FFF), then the KeServiceDescriptorTable is used. If bits 12 and 13 of the system service number are 0x01 (i.e., the system service number lies in the range 0x1000-0x1FFF), then the KeServiceDescriptorTableShadow is used. The ranges 0x2000-0x2FFF and 0x3000-0x3FFF don't appear to be assigned to service descriptor tables.

These two service descriptor tables contain substructures known as system service tables (SSTs). An SST is essentially an address lookup table that can be defined in terms of the following C structure.

typedef struct _SYSTEM_SERVICE_TABLE
{
    PDWORD serviceTable;    // array of function pointers (the SSDT)
    PDWORD fieldZ;          // not used in the Windows free build
    DWORD  nEntries;        // number of function pointers in the SSDT
    PBYTE  argumentTable;   // array of byte counts (the SSPT)
} SYSTEM_SERVICE_TABLE;

The serviceTable field is a pointer to the first element of an array of linear addresses, where each address is the entry point of a routine in kernel space. This array of linear addresses is also known as the system service dispatch table (SSDT; not to be confused with SST). An SSDT is like the real-mode IVT in spirit, except that it's a Windows-specific data structure. You won't find references to the SSDT in the Intel IA-32 manuals.

The third field, nEntries, specifies the number of elements in the SSDT array. The fourth field is a pointer to the first element of an array of bytes, where each byte in the array indicates the amount of stack space (in bytes) allocated for function arguments when the corresponding SSDT routine is invoked. This last array is sometimes referred to as the system service parameter table (SSPT). As you can see, there are a lot of acronyms to keep straight here (SST, SSDT, SSPT, etc.). Try not to let it throw you.

The first 16 bytes of the KeServiceDescriptorTable form an SST that describes the SSDT for the Windows Native API. This is the core system data structure that we've been looking for. Under Windows 7, it consists of 401 routines (nEntries = 0x191).
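The following is an added example, not code from the book: a user-mode C model of the two descriptor tables and of the lookup the dispatcher performs with a system service number, using the 32-bit SST layout described above (bits 12 and 13 select the descriptor table, bits 0-11 index its SSDT, and nEntries bounds the index). The table contents, addresses and argument sizes are constructed sample values, not the real Windows 7 SSDT; the Windows typedefs are redefined locally so the program compiles anywhere.

```c
/* Added example (not from the book): models KeServiceDescriptorTable and
 * KeServiceDescriptorTableShadow as the 32-bit SSTs the text describes and
 * resolves a system service number to its entry point and argument size.
 * All table contents below are constructed sample data. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Local stand-ins for the Windows types used in the book's struct. */
typedef uint32_t DWORD;
typedef DWORD   *PDWORD;
typedef uint8_t *PBYTE;

typedef struct _SYSTEM_SERVICE_TABLE
{
    PDWORD serviceTable;   /* SSDT: array of kernel-space entry points */
    PDWORD fieldZ;         /* not used in the free build */
    DWORD  nEntries;       /* number of entries in the SSDT */
    PBYTE  argumentTable;  /* SSPT: bytes of stack arguments per routine */
} SYSTEM_SERVICE_TABLE;

/* Constructed sample SSDT/SSPT contents (the addresses are made up). */
static DWORD   nativeSsdt[] = { 0x80501234u, 0x80501270u, 0x805012C0u };
static uint8_t nativeSspt[] = { 0x18, 0x20, 0x2C };   /* 6, 8 and 11 DWORD args */
static DWORD   guiSsdt[]    = { 0xBF801000u, 0xBF801080u };
static uint8_t guiSspt[]    = { 0x04, 0x10 };

/* The first 16 bytes of each descriptor table is an SST. In this model the
 * shadow table's SST is the one that serves the 0x1000-0x1FFF range. */
static SYSTEM_SERVICE_TABLE KeServiceDescriptorTable =
    { nativeSsdt, NULL, 3, nativeSspt };
static SYSTEM_SERVICE_TABLE KeServiceDescriptorTableShadow =
    { guiSsdt, NULL, 2, guiSspt };

/* Select the SST by bits 12-13 of the service number; NULL for 0x2000-0x3FFF,
 * where no descriptor table is assigned. */
static const SYSTEM_SERVICE_TABLE *SelectSst(DWORD serviceNumber)
{
    switch ((serviceNumber >> 12) & 0x3) {
    case 0:  return &KeServiceDescriptorTable;
    case 1:  return &KeServiceDescriptorTableShadow;
    default: return NULL;
    }
}

/* Entry point for a service number, or 0 if the number is out of range.
 * The index check against nEntries is what keeps a bogus number from reading
 * past the end of the SSDT. */
DWORD LookupEntryPoint(DWORD serviceNumber)
{
    const SYSTEM_SERVICE_TABLE *sst = SelectSst(serviceNumber);
    DWORD index = serviceNumber & 0xFFF;   /* bits 0-11 index the SSDT */
    if (sst == NULL || index >= sst->nEntries)
        return 0;
    return sst->serviceTable[index];
}

/* Stack bytes the dispatcher copies for the routine's arguments, or -1. */
int LookupArgumentBytes(DWORD serviceNumber)
{
    const SYSTEM_SERVICE_TABLE *sst = SelectSst(serviceNumber);
    DWORD index = serviceNumber & 0xFFF;
    if (sst == NULL || index >= sst->nEntries)
        return -1;
    return sst->argumentTable[index];
}

int main(void)
{
    DWORD numbers[] = { 0x0001, 0x0003, 0x1001, 0x2000 };
    size_t i;
    for (i = 0; i < sizeof numbers / sizeof numbers[0]; i++) {
        DWORD ep = LookupEntryPoint(numbers[i]);
        int bytes = LookupArgumentBytes(numbers[i]);
        if (ep == 0)
            printf("0x%04X: no such service\n", numbers[i]);
        else   /* on 32-bit Windows each argument occupies a 4-byte stack slot */
            printf("0x%04X -> 0x%08X, %d bytes (%d DWORD args)\n",
                   numbers[i], ep, bytes, bytes / 4);
    }
    return 0;
}
```

Service number 0x0003 is rejected because the sample native SST has nEntries = 3, the same check that, on a real Windows 7 system, would reject 0x0191 against the 401-entry table; 0x2000 is rejected because bits 12-13 select an unassigned table.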