The win32k system call numbers start with 0x1000

BeneficialCode · Jul 7, 2024 · ce25143 · ce25143
1 parent f479fcd
commit ce25143
Show file tree

Hide file tree

Showing 6 changed files with 7 additions and 19 deletions.
diff --git a/KernelLibrary/khook.cpp b/KernelLibrary/khook.cpp
@@ -386,6 +386,7 @@ bool khook::HookSSDT(const char* apiName, void* newfunc) {
 		_info->Index = index;
 		_info->Old = oldValue;
 		_info->New = newValue;
+		// The lower 4 bits store the number of arguments passed on the stack to the system call
 		_info->OriginalAddress = (oldValue >> 4) + base;
 #else
 		newValue = (ULONG)newfunc;

diff --git a/KernelLibrary/khook.h b/KernelLibrary/khook.h
@@ -175,20 +175,6 @@ enum class HookType {
     ShadowSSDT
 };
 
-//#define VIRTUAL_ADDRESS_BITS 48
-//#define VIRTUAL_ADDRESS_MASK ((((ULONG_PTR)1) << VIRTUAL_ADDRESS_BITS) - 1)
-//
-//#define MiGetPteAddress(va) \
-//    ((PMMPTE)(((((ULONG_PTR)(va) & VIRTUAL_ADDRESS_MASK) >> PTI_SHIFT) << PTE_SHIFT) + PTE_BASE))
-//
-//#define MiGetPxeAddress(va)   ((PMMPTE)PXE_BASE + MiGetPxeOffset(va))
-//
-//#define MiGetPpeAddress(va)   \
-//    ((PMMPTE)(((((ULONG_PTR)(va) & VIRTUAL_ADDRESS_MASK) >> PPI_SHIFT) << PTE_SHIFT) + PPE_BASE))
-//
-//#define MiGetPdeAddress(va)  \
-//    ((PMMPTE)(((((ULONG_PTR)(va) & VIRTUAL_ADDRESS_MASK) >> PDI_SHIFT) << PTE_SHIFT) + PDE_BASE))
-
 class khook{
 public:
 

diff --git a/WinArk/KernelHookView.cpp b/WinArk/KernelHookView.cpp
@@ -60,9 +60,10 @@ LRESULT CKernelHookView::OnSize(UINT /*uMsg*/, WPARAM /*wParam*/, LPARAM /*lPara
 	return 0;
 }
 
+// System Service Dispatch Table
 void CKernelHookView::InitSSDTHookTable() {
 	BarDesc bars[] = {
-		{12,"Service Number",0},
+		{20,"System Call Number",0},
 		{55,"Service Name",0},
 		{20,"Original Address",0},
 		{10,"Is Hook",0},
@@ -97,7 +98,7 @@ void CKernelHookView::InitSSDTHookTable() {
 
 void CKernelHookView::InitShadowSSDTHookTable() {
 	BarDesc bars[] = {
-		{15,"Service Number",0},
+		{20,"System Call Number",0},
 		{55,"Service Name",0},
 		{20,"Original Address",0},
 		{10,"Is Hook",0},

diff --git a/WinArk/NtDll.h b/WinArk/NtDll.h
@@ -1,7 +1,5 @@
 #pragma once
 
-//#include <winternl.h>
-
 #pragma comment(lib, "ntdll")
 
 #define DIRECTORY_QUERY                 (0x0001)

diff --git a/WinArk/SSDTHookTable.cpp b/WinArk/SSDTHookTable.cpp
@@ -173,6 +173,7 @@ ULONG_PTR CSSDTHookTable::GetOrignalAddress(DWORD number) {
 	uintptr_t rva = (uintptr_t)_KiServiceTable - (uintptr_t)_kernelBase;
 	ULONG_PTR imageBase = (ULONG_PTR)_fileMapVA;
 #ifdef _WIN64
+	// On 64-bit Windows systems, the stored values in SSDT are not absolute address
 	auto CheckAddressMethod = [&]()->bool {
 		auto pEntry = (char*)_fileMapVA + rva + 8 * number;
 		ULONGLONG value = *(ULONGLONG*)pEntry;

diff --git a/WinArk/ShadowSSDTTable.cpp b/WinArk/ShadowSSDTTable.cpp
@@ -117,7 +117,8 @@ int CShadowSSDTHookTable::ParseTableEntry(CString& s, char& mask, int& select, S
 	switch (column)
 	{
 		case 0:
-			s.Format(L"%d (0x%-x)", info.ServiceNumber, info.ServiceNumber);
+			// The win32k system call numbers start with 0x1000
+			s.Format(L"%d (0x%-x)", info.ServiceNumber + 0x1000, info.ServiceNumber + 0x1000);
 			break;
 		case 1:
 			s = Helpers::StringToWstring(info.ServiceFunctionName).c_str();