  1. // (c) Cr4sh
  2.  
// One fixup entry of a PE base-relocation block: IMAGE_BASE_RELOCATION is followed
// by an array of these 16-bit entries. The low 12 bits give the fixup's offset
// within the block's page, the high 4 bits its IMAGE_REL_BASED_* type.
// Bit-field packing order is compiler-defined; this declaration relies on the
// first-declared field occupying the low bits (MSVC behaviour).
typedef struct
{
    WORD offset : 12;   // added to IMAGE_BASE_RELOCATION.VirtualAddress to form the fixup RVA
    WORD type   : 4;    // only IMAGE_REL_BASED_HIGHLOW is examined in this file
} IMAGE_FIXUP_ENTRY, *PIMAGE_FIXUP_ENTRY;
  9.  
// Set by ReadSST: kernel virtual address of the exported KeServiceDescriptorTable
// (running kernel base + RVA of the export).
DWORD sstaddr;
// Set by ReadSST: number of service entries written into the caller's psst array.
DWORD dwServices;

// RVA -> VA for an image mapped at base. 32-bit only: both operands are
// truncated to DWORD, so pointers wider than 32 bits would be cut.
#define RVATOVA(base, offset) ((DWORD)(base) + (DWORD)(offset))
  16. //--------------------------------------------------------------------------------------
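// Locate the PE headers of an image mapped at ibase.
//
// ibase: base of a mapped image with the MZ header at offset 0. The image is
//        trusted: neither e_lfanew nor the "PE\0\0" signature is validated here.
// pfh:   receives the IMAGE_FILE_HEADER that follows the NT signature.
// poh:   receives the optional header, which directly follows *pfh.
// psh:   receives the first section header. It is placed using the length the
//        file header declares (SizeOfOptionalHeader), as IMAGE_FIRST_SECTION does,
//        rather than sizeof(IMAGE_OPTIONAL_HEADER): the two differ when the image
//        was built with a non-default optional-header size.
void GetHeaders(PCHAR ibase, PIMAGE_FILE_HEADER *pfh, PIMAGE_OPTIONAL_HEADER *poh, PIMAGE_SECTION_HEADER *psh)
{
    PIMAGE_DOS_HEADER mzhead = (PIMAGE_DOS_HEADER)ibase;

    // e_lfanew is the offset of the NT signature; the file header starts right after it.
    *pfh = (PIMAGE_FILE_HEADER)(ibase + mzhead->e_lfanew + sizeof(IMAGE_NT_SIGNATURE));

    *poh = (PIMAGE_OPTIONAL_HEADER)((PBYTE)*pfh + sizeof(IMAGE_FILE_HEADER));

    // The section table begins SizeOfOptionalHeader bytes after the optional header.
    *psh = (PIMAGE_SECTION_HEADER)((PBYTE)*poh + (*pfh)->SizeOfOptionalHeader);
}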
  30. //--------------------------------------------------------------------------------------
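// Locate KiServiceTable (the SST) inside a user-mode mapping of the kernel image.
//
// hModule: kernel image mapped with LoadLibraryEx (see ReadSST).
// dwKSDT:  RVA of the exported KeServiceDescriptorTable.
// Returns the RVA of KiServiceTable, or 0 when no match is found or the
// relocation directory is absent, stripped or malformed.
//
// Method: the kernel initialises the descriptor table with an instruction of the
// form "mov dword ptr [KeServiceDescriptorTable], KiServiceTable", encoded as
// C7 05 <disp32> <imm32>. Both operands are absolute addresses, so the disp32
// carries a HIGHLOW base relocation. The relocation directory is walked for a
// fixup whose target is dwKSDT; if the two bytes before it are C7 05, the imm32
// that follows the disp32 is the address of KiServiceTable.
//
// NOTE(review): assumes the pointer values read from the mapping are relative to
// poh->ImageBase (i.e. header ImageBase and stored pointers agree) — confirm for
// mappings that were relocated by the loader.
DWORD FindKiServiceTable(HMODULE hModule, DWORD dwKSDT)
{
    PIMAGE_FILE_HEADER      pfh;
    PIMAGE_OPTIONAL_HEADER  poh;
    PIMAGE_SECTION_HEADER   psh;
    PIMAGE_BASE_RELOCATION  pbr;
    PIMAGE_FIXUP_ENTRY      pfe;
    DWORD dwRelocRva;
    DWORD dwRelocSize;
    DWORD dwConsumed;
    DWORD dwPointerRva;
    DWORD dwPointsToRva;
    UINT  i;
    UINT  cEntries;

    GetHeaders((PCHAR)hModule, &pfh, &poh, &psh);

    dwRelocRva  = poh->DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].VirtualAddress;
    dwRelocSize = poh->DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].Size;

    // Without a relocation directory there is nothing to search.
    if (dwRelocRva == 0 || (pfh->Characteristics & IMAGE_FILE_RELOCS_STRIPPED))
    {
        return 0;
    }

    pbr = (PIMAGE_BASE_RELOCATION)RVATOVA(hModule, dwRelocRva);
    dwConsumed = 0;

    // Walk the relocation blocks bounded by the directory's declared size, rather
    // than relying on a zero VirtualAddress to terminate the list.
    while (dwConsumed + sizeof(IMAGE_BASE_RELOCATION) <= dwRelocSize)
    {
        // A block shorter than its own header (notably SizeOfBlock == 0) or one that
        // overruns the directory is malformed: stop instead of looping forever or
        // reading past the directory.
        if (pbr->SizeOfBlock < sizeof(IMAGE_BASE_RELOCATION) ||
            dwConsumed + pbr->SizeOfBlock > dwRelocSize)
        {
            break;
        }

        pfe = (PIMAGE_FIXUP_ENTRY)((PBYTE)pbr + sizeof(IMAGE_BASE_RELOCATION));
        cEntries = (UINT)((pbr->SizeOfBlock - sizeof(IMAGE_BASE_RELOCATION)) / sizeof(WORD));

        for (i = 0; i < cEntries; i++, pfe++)
        {
            if (pfe->type != IMAGE_REL_BASED_HIGHLOW)
            {
                continue;
            }

            dwPointerRva = pbr->VirtualAddress + pfe->offset;

            // The pattern reads 2 bytes before the fixup and 8 bytes from it
            // (disp32 + imm32); skip fixups too close to either edge of the image.
            if (dwPointerRva < 2 || poh->SizeOfImage < 8 ||
                dwPointerRva > poh->SizeOfImage - 8)
            {
                continue;
            }

            dwPointsToRva = *(PDWORD)((PBYTE)hModule + dwPointerRva) - (DWORD)poh->ImageBase;
            if (dwPointsToRva != dwKSDT)
            {
                continue;
            }

            // 0x05c7 little-endian is the byte pair C7 05: mov dword ptr [disp32], imm32.
            if (*(PWORD)((PBYTE)hModule + dwPointerRva - 2) == 0x05c7)
            {
                return *(PDWORD)((PBYTE)hModule + dwPointerRva + 4) - poh->ImageBase;
            }
        }

        dwConsumed += pbr->SizeOfBlock;
        pbr = (PIMAGE_BASE_RELOCATION)((PBYTE)pbr + pbr->SizeOfBlock);
    }

    return 0;
}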
  78. //--------------------------------------------------------------------------------------
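// Read the kernel's System Service Table from the on-disk kernel image and
// rebase it to the running kernel.
//
// psst: caller-supplied array receiving one kernel VA per service. There is no
//       length parameter, so the caller must size it for the whole table; the
//       count written is left in the global dwServices. (NOTE(review): a bounded
//       variant would need an interface change.)
// Returns TRUE on success, in which case sstaddr holds the kernel VA of
// KeServiceDescriptorTable and dwServices the number of entries copied. On
// failure psst is not written and dwServices is 0.
//
// Method: NtQuerySystemInformation(SystemModuleInformation) yields the kernel's
// load address and file name; the file is mapped with LoadLibraryEx,
// KiServiceTable is found with FindKiServiceTable, and each entry is rebased
// from the file's ImageBase to the running kernel's base. All resources are
// released on every exit path.
BOOL ReadSST(PDWORD psst)
{
    NTSTATUS ns;
    DWORD dwKernelBase;
    char *pKernelName;
    HMODULE hKernel = NULL;
    DWORD dwKSDT;
    PSYSTEM_MODULE_INFORMATION pModules = NULL;
    DWORD dwProbe;
    DWORD dwNeededSize = 0;
    DWORD dwKiServiceTable;
    PDWORD pService;
    PDWORD pEnd;
    BOOL bResult = FALSE;

    PIMAGE_FILE_HEADER      pfh;
    PIMAGE_OPTIONAL_HEADER  poh;
    PIMAGE_SECTION_HEADER   psh;

    dwServices = 0;

    // Probe with a deliberately too-small buffer purely to learn the required size.
    ns = NtQuerySystemInformation(SystemModuleInformation, &dwProbe, sizeof(dwProbe), &dwNeededSize);
    if (ns != STATUS_INFO_LENGTH_MISMATCH || dwNeededSize == 0)
    {
        return FALSE;
    }

    pModules = (PSYSTEM_MODULE_INFORMATION)VirtualAlloc(NULL, dwNeededSize,
        MEM_RESERVE | MEM_COMMIT, PAGE_READWRITE);
    if (pModules == NULL)
    {
        return FALSE;
    }

    ns = NtQuerySystemInformation(SystemModuleInformation, pModules, dwNeededSize, NULL);
    if (ns != STATUS_SUCCESS)
    {
        goto cleanup;
    }

    // aSM[0] is taken to be the kernel itself. pKernelName points into pModules,
    // so that buffer must stay alive until LoadLibraryEx has consumed the name.
    dwKernelBase = pModules->aSM[0].Base;
    pKernelName = pModules->aSM[0].ImageName + pModules->aSM[0].ModuleNameOffset;

    // Map the kernel file as a plain module: no entry point, no import resolution.
    hKernel = LoadLibraryEx(pKernelName, 0, DONT_RESOLVE_DLL_REFERENCES);
    if (hKernel == NULL)
    {
        goto cleanup;
    }

    dwKSDT = (DWORD)GetProcAddress(hKernel, "KeServiceDescriptorTable");
    if (dwKSDT == 0)
    {
        goto cleanup;
    }
    dwKSDT -= (DWORD)hKernel;   // export address -> RVA

    dwKiServiceTable = FindKiServiceTable(hKernel, dwKSDT);
    if (dwKiServiceTable == 0)
    {
        goto cleanup;
    }

    GetHeaders((PCHAR)hKernel, &pfh, &poh, &psh);

    // Copy entries until one no longer points inside the image (end of table) or
    // the mapping itself runs out, so the scan cannot read past SizeOfImage.
    pEnd = (PDWORD)((PBYTE)hKernel + poh->SizeOfImage);
    for (pService = (PDWORD)((PBYTE)hKernel + dwKiServiceTable);
         pService + 1 <= pEnd && *pService - poh->ImageBase < poh->SizeOfImage;
         pService++, dwServices++)
    {
        // Rebase from the file's preferred ImageBase to the running kernel's base.
        psst[dwServices] = *pService - poh->ImageBase + dwKernelBase;
    }

    sstaddr = (DWORD)(dwKernelBase + dwKSDT);
    bResult = TRUE;

cleanup:
    if (hKernel != NULL)
    {
        FreeLibrary(hKernel);
    }
    if (pModules != NULL)
    {
        VirtualFree(pModules, 0, MEM_RELEASE);
    }
    return bResult;
}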
  158. //--------------------------------------------------------------------------------------
  159. // EoF
  160.  