Channel: windows deep internals

how to find nt!KeServiceDescriptorTableFilter

Unfortunately all xrefs to KeServiceDescriptorTableFilter come from non-exported functions, for example PsConvertToGuiThread:
     test    dword ptr [edi+2E8h], 18000h ; EPROCESS.Flags3
     jnz     short loc_6CAD9D

...
loc_6CAD9D:
     mov     dword ptr [esi+3Ch], offset _KeServiceDescriptorTableFilter

But we can use a signature search for part of test dword ptr [edi+2E8h], 18000h.
We first need to find the offset of EPROCESS.Flags3. This can be taken from the exported function PsIsProcessCommitRelinquished:
  mov     edi, edi
  push    ebp
  mov     ebp, esp
  mov     eax, [ebp+arg_0]
  mov     eax, [eax+2E8h]
  shr     eax, 12h
  and     al, 1


Nothing special: a bit of disassembly and we have the EPROCESS.Flags3 offset 0xYYXX (stored little-endian as the bytes XX YY). Next search for the bytes
XX YY 00 00 00 80 01 00
in the PAGE section (the disp32 of Flags3 followed by the imm32 18000h). Follow the jnz and you'll get KeServiceDescriptorTableFilter.
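Both steps put together, as an added example that is not part of the original post: a Python scanner run over constructed byte buffers standing in for the PsIsProcessCommitRelinquished prologue and a slice of the PAGE section. It assumes the 32-bit encodings of the listings above (8B 80 disp32 for mov eax,[eax+disp32]; F7 87 disp32 imm32 for the test; 75 rel8 for jnz short; C7 46 3C imm32 for the mov), and the table address it recovers is a placeholder value chosen for the sample.

```python
import struct

# Constructed bytes matching the PsIsProcessCommitRelinquished listing above (32-bit encoding).
PS_IS_PROCESS_COMMIT_RELINQUISHED = bytes.fromhex(
    "8bff"          # mov edi, edi
    "55"            # push ebp
    "8bec"          # mov ebp, esp
    "8b4508"        # mov eax, [ebp+arg_0]
    "8b80e8020000"  # mov eax, [eax+2E8h]   <- disp32 is the EPROCESS.Flags3 offset
    "c1e812"        # shr eax, 12h
    "2401"          # and al, 1
)

def flags3_offset(code: bytes) -> int:
    """Return the disp32 of the first 'mov eax, [eax+disp32]' (8B 80) in the prologue."""
    i = code.find(b"\x8b\x80")
    if i < 0:
        raise ValueError("mov eax, [eax+disp32] not found")
    return struct.unpack_from("<I", code, i + 2)[0]

def build_signature(flags3: int) -> bytes:
    # Operands of 'test dword ptr [reg+Flags3], 18000h': the post's "XX YY 00 00 00 80 01 00".
    # Opcode and ModRM are left out of the pattern so the register used does not matter.
    return struct.pack("<I", flags3) + struct.pack("<I", 0x18000)

def find_kesdt_filter(page: bytes, flags3: int) -> list:
    """Scan a PAGE-section image for the signature, follow the 'jnz short' after it and read
    the imm32 of 'mov dword ptr [reg+3Ch], offset KeServiceDescriptorTableFilter'."""
    sig, hits = build_signature(flags3), []
    pos = page.find(sig)
    while pos >= 0:                                              # check every match
        jnz = pos + len(sig)
        if jnz + 1 < len(page) and page[jnz] == 0x75:            # jnz rel8
            rel8 = struct.unpack_from("<b", page, jnz + 1)[0]
            target = jnz + 2 + rel8                                # relative to next instruction
            if 0 <= target and target + 7 <= len(page) \
                    and page[target] == 0xC7 and page[target + 2] == 0x3C:  # mov [reg+3Ch], imm32
                hits.append(struct.unpack_from("<I", page, target + 3)[0])
        pos = page.find(sig, pos + 1)
    return hits

# Constructed stand-in for a slice of the PAGE section; the table address is a placeholder value.
FAKE_TABLE_VA = 0x00A1B2C4
PAGE_SAMPLE = (
    b"\x90" * 4
    + b"\xf7\x87" + build_signature(0x2E8)                 # test dword ptr [edi+2E8h], 18000h
    + b"\x75\x06"                                           # jnz short loc (+6)
    + b"\x33\xc0\x90\x90\x90\x90"                           # fall-through path, 6 bytes
    + b"\xc7\x46\x3c" + struct.pack("<I", FAKE_TABLE_VA)   # mov dword ptr [esi+3Ch], offset
)
```

Every operand match is validated against the jnz and the mov at its target, so a stray occurrence of the eight operand bytes elsewhere in the section is silently skipped rather than reported as the table.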
