4.6 The Native API

kd> dds KeServiceDescriptorTable L4
819398c0 8187a890 nt!KiServiceTable
819398c4 00000000
819398c8 00000191
819398cc 8187aeb0 nt!KiArgumentTable

The first 32 bytes of the KeServiceDescriptorTableShadow structure hold two SSTs. The first SST is just a duplicate of the one in KeServiceDescriptorTable. The second SST describes the SSDT for the USER and GDI routines implemented by the Win32k.sys kernel-mode driver. These are all the functions that take care of the Windows GUI. There are quite a few of these routines, 772 to be exact, but we will be focusing most of our attention on the Native API.

kd> dds KeServiceDescriptorTableShadow L8
81939900 8187a890 nt!KiServiceTable
81939904 00000000
81939908 00000191
8193990c 8187aeb0 nt!KiArgumentTable
81939910 9124b000 win32k!W32pServiceTable
81939914 00000000
81939918 00000339
8193991c 9124bf20 win32k!W32pArgumentTable

ASIDE

Microsoft doesn't seem to appreciate it when you broach the subject of service descriptor tables on their MSDN Forums. Just for grins, here's a response that one of the employees at Microsoft gave to someone who had a question about KeServiceDescriptorTable.

"KeServiceDescriptorTable is not documented and what you are trying to do is a really bad idea, better ask the people who provided you with the definition of KeServiceDescriptorTable."

Enumerating the Native API

Now that we know where the Native API SSDT is located and how big it is, dumping it to the console is a piece of cake.

kd> dps KiServiceTable L191
8187a890 819c5891 nt!NtAcceptConnectPort
8187a894 818a5bff nt!NtAccessCheck
8187a898 819dd579 nt!NtAccessCheckAndAuditAlarm
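As an added example (not from the book), the four-DWORD SST layout shown by the dds dumps above, written out as a C structure, together with the check an integrity tool runs over it: every entry of KiServiceTable should resolve into the kernel image, so an entry pointing elsewhere is what a hooked SSDT looks like. The three handler addresses are taken from the dps listing; the fourth entry, the argument bytes and the 0x81800000-0x81a00000 image range are constructed for the sample.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* One System Service Table (SST): the four DWORDs that
 * "dds KeServiceDescriptorTable L4" displays on a 32-bit kernel. */
typedef struct _SST {
    const uint32_t *ServiceTable;  /* KiServiceTable, one handler address per service */
    uint32_t       *CounterTable;  /* unused on free builds (0 in the dump) */
    uint32_t        ServiceLimit;  /* number of entries (0x191 in the dump) */
    const uint8_t  *ArgumentTable; /* KiArgumentTable, bytes of arguments per service */
} SST;

/* Constructed sample: three handler addresses from the dps listing
 * plus one made-up address that lies outside the kernel image. */
static const uint32_t sample_services[] = {
    0x819c5891u,  /* nt!NtAcceptConnectPort */
    0x818a5bffu,  /* nt!NtAccessCheck */
    0x819dd579u,  /* nt!NtAccessCheckAndAuditAlarm */
    0x9a123456u,  /* constructed: redirected outside ntoskrnl */
};
static const uint8_t sample_args[] = { 0x18, 0x20, 0x2c, 0x00 }; /* constructed */

static const SST sample_sst = {
    sample_services, NULL,
    sizeof sample_services / sizeof sample_services[0],
    sample_args,
};

/* Return how many entries of an SST resolve to a handler outside [lo, hi).
 * With lo/hi set to ntoskrnl's image range, each such entry is a service
 * pointer that no longer lands in the kernel proper, which is exactly the
 * condition an SSDT integrity check reports. */
size_t sst_entries_outside(const SST *sst, uint32_t lo, uint32_t hi)
{
    size_t bad = 0;
    for (uint32_t i = 0; i < sst->ServiceLimit; i++) {
        uint32_t handler = sst->ServiceTable[i];
        if (handler < lo || handler >= hi) {
            printf("index 0x%03x -> %08x (%u arg bytes) is outside the kernel image\n",
                   i, handler, sst->ArgumentTable[i]);
            bad++;
        }
    }
    return bad;
}

int main(void)
{
    /* Assumed image range for this sample; on a live system take it from
     * the loaded-module list (for example "lm m nt" in the debugger). */
    size_t n = sst_entries_outside(&sample_sst, 0x81800000u, 0x81a00000u);
    printf("%zu suspicious entr%s\n", n, n == 1 ? "y" : "ies");
    return 0;
}
```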
