关于SSDT - 润新知

关于SSDT

百度上比较好的解释是：SSDT的全称是System Services Descriptor Table，系统服务描述符表。这个表就是一个把ring3的Win32 API和ring0的内核API联系起来。SSDT并不仅仅只包含一个庞大的地址索引表，它还包含着一些其它有用的信息，诸如地址索引的基地址、服务函数个数等。

说白了，SSDT就是把系统两个不同级别的函数给关联起来，因为为了安全需要，我们平常所使用的API函数基本都是在ring3下的函数，ring3的级别比较低，但是有些涉及到系统底层的函数怎么办呢？Windows就给出一个SSDT表，把ring3和ring0的函数给关联起来，这样，我们就通过使用ring3的函数就可以直接做一些底层操作了。

好吧，既然有这个东西，谁最关心呢？当然是杀毒软件最关心了，因为为了阻止某些病毒不让他破坏系统的底层，杀毒软件会把SSDT中的地址给修改并转向，这样，当病毒或程序调用这些函数的时候，就无法找到真正的对应函数，从而调用失败。

不过这玩意已经没有什么神秘的了，道高一尺魔高一丈，现在的病毒已经可以绕过SSDT去直接调用底层函数了，或者说可以找出底层函数的真实地址了，这里，我们就简单利用KeServiceDescriptorTable这个函数来读取系统的SSDT表吧。

完整代码如下：

#include "stdafx.h" 
#include <windows.h> 
#include <iostream> 
using namespace std; 
  
#define RVATOVA(base,offset)             ((PVOID)((DWORD)(base)+(DWORD)(offset))) 
#define ibaseDD *(PDWORD)&ibase 
#define STATUS_INFO_LENGTH_MISMATCH      ((NTSTATUS)0xC0000004L) 
#define NT_SUCCESS(Status)               ((NTSTATUS)(Status) >= 0) 
  
  
typedef struct { 
    WORD    offset:12; 
    WORD    type:4; 
} IMAGE_FIXUP_ENTRY, *PIMAGE_FIXUP_ENTRY; 
  
  
typedef LONG NTSTATUS; 
  
long ( __stdcall *NtQuerySystemInformation )( DWORD, PVOID, DWORD, DWORD ); 
  
typedef struct _SYSTEM_MODULE_INFORMATION {//Information Class 11 
    ULONG    Reserved[2]; 
    PVOID    Base; 
    ULONG    Size; 
    ULONG    Flags; 
    USHORT    Index; 
    USHORT    Unknown; 
    USHORT    LoadCount; 
    USHORT    ModuleNameOffset; 
    CHAR    ImageName[256]; 
}SYSTEM_MODULE_INFORMATION,*PSYSTEM_MODULE_INFORMATION; 
  
typedef struct { 
    DWORD    dwNumberOfModules; 
    SYSTEM_MODULE_INFORMATION    smi; 
} MODULES, *PMODULES; 
  
#define    SystemModuleInformation    11 
  
  
  
  
DWORD GetHeaders(PCHAR ibase, 
                 PIMAGE_FILE_HEADER *pfh, 
                 PIMAGE_OPTIONAL_HEADER *poh, 
                 PIMAGE_SECTION_HEADER *psh) 
                   
{ 
    PIMAGE_DOS_HEADER mzhead=(PIMAGE_DOS_HEADER)ibase; 
      
    if    ((mzhead->e_magic!=IMAGE_DOS_SIGNATURE) ||         
        (ibaseDD[mzhead->e_lfanew]!=IMAGE_NT_SIGNATURE)) 
        return FALSE; 
      
    *pfh=(PIMAGE_FILE_HEADER)&ibase[mzhead->e_lfanew]; 
    if (((PIMAGE_NT_HEADERS)*pfh)->Signature!=IMAGE_NT_SIGNATURE)  
        return FALSE; 
    *pfh=(PIMAGE_FILE_HEADER)((PBYTE)*pfh+sizeof(IMAGE_NT_SIGNATURE)); 
      
    *poh=(PIMAGE_OPTIONAL_HEADER)((PBYTE)*pfh+sizeof(IMAGE_FILE_HEADER)); 
    if ((*poh)->Magic!=IMAGE_NT_OPTIONAL_HDR32_MAGIC) 
        return FALSE; 
      
    *psh=(PIMAGE_SECTION_HEADER)((PBYTE)*poh+sizeof(IMAGE_OPTIONAL_HEADER)); 
    return TRUE; 
} 
  
  
DWORD FindKiServiceTable(HMODULE hModule,DWORD dwKSDT) 
{ 
    PIMAGE_FILE_HEADER    pfh; 
    PIMAGE_OPTIONAL_HEADER    poh; 
    PIMAGE_SECTION_HEADER    psh; 
    PIMAGE_BASE_RELOCATION    pbr; 
    PIMAGE_FIXUP_ENTRY    pfe;     
      
    DWORD    dwFixups=0,i,dwPointerRva,dwPointsToRva,dwKiServiceTable; 
    BOOL    bFirstChunk; 
      
    GetHeaders((char *)hModule,&pfh,&poh,&psh); 
      
    // loop thru relocs to speed up the search 
    if ((poh->DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].VirtualAddress) && 
        (!((pfh->Characteristics)&IMAGE_FILE_RELOCS_STRIPPED))) { 
          
        pbr=(PIMAGE_BASE_RELOCATION)RVATOVA(poh->DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].VirtualAddress,hModule); 
          
        bFirstChunk=TRUE; 
        // 1st IMAGE_BASE_RELOCATION.VirtualAddress of ntoskrnl is 0 
        while (bFirstChunk || pbr->VirtualAddress) { 
            bFirstChunk=FALSE; 
              
            pfe=(PIMAGE_FIXUP_ENTRY)((DWORD)pbr+sizeof(IMAGE_BASE_RELOCATION)); 
              
            for (i=0;i<(pbr->SizeOfBlock-sizeof(IMAGE_BASE_RELOCATION))>>1;i++,pfe++) { 
                if (pfe->type==IMAGE_REL_BASED_HIGHLOW) { 
                    dwFixups++; 
                    dwPointerRva=pbr->VirtualAddress+pfe->offset; 
                    // DONT_RESOLVE_DLL_REFERENCES flag means relocs aren't fixed 
                    dwPointsToRva=*(PDWORD)((DWORD)hModule+dwPointerRva)-(DWORD)poh->ImageBase; 
                      
                    // does this reloc point to KeServiceDescriptorTable.Base? 
                    if (dwPointsToRva==dwKSDT) { 
                        // check for mov [mem32],imm32. we are trying to find  
                        // "mov ds:_KeServiceDescriptorTable.Base, offset _KiServiceTable" 
                        // from the KiInitSystem. 
                        if (*(PWORD)((DWORD)hModule+dwPointerRva-2)==0x05c7) { 
                            // should check for a reloc presence on KiServiceTable here 
                            // but forget it 
                            dwKiServiceTable=*(PDWORD)((DWORD)hModule+dwPointerRva+4)-poh->ImageBase; 
                            return dwKiServiceTable; 
                        } 
                    } 
                      
                }  
            } 
            *(PDWORD)&pbr+=pbr->SizeOfBlock; 
        } 
    }     
      
      
      
    return 0; 
} 
  
  
int EnumSSDT() 
{ 
    HMODULE  hKernel; 
    DWORD    dwKSDT;                // rva of KeServiceDescriptorTable 
    DWORD    dwKiServiceTable;    // rva of KiServiceTable 
    PMODULES    pModules=(PMODULES)&pModules; 
    DWORD    dwNeededSize,rc; 
    DWORD    dwKernelBase,dwServices=0; 
    PCHAR    pKernelName; 
    PDWORD    pService; 
    PIMAGE_FILE_HEADER    pfh; 
    PIMAGE_OPTIONAL_HEADER    poh; 
    PIMAGE_SECTION_HEADER    psh; 
    NtQuerySystemInformation = (long(__stdcall*)(DWORD,PVOID,DWORD,DWORD))GetProcAddress( GetModuleHandle( "ntdll.dll" ),"NtQuerySystemInformation" );  
    //通过NtQuerySystemInformation取得系统内核文件，判断为是ntoskrnl.exe ntkrnlmp.exe ntkrnlpa.exe 
    rc=NtQuerySystemInformation(SystemModuleInformation,pModules,4,(ULONG)&dwNeededSize); 
    if (rc==STATUS_INFO_LENGTH_MISMATCH) //如果内存不够 
    { 
        pModules=(PMODULES)GlobalAlloc(GPTR,dwNeededSize) ; //重新分配内存 
        rc=NtQuerySystemInformation(SystemModuleInformation,pModules,dwNeededSize,NULL); //系统内核文件是总是在第一个，枚举1次 
    }  
      
    if (!NT_SUCCESS(rc)) 
    { 
        cout << "NtQuerySystemInformation() Failed !\n"; //NtQuerySystemInformation执行失败，检查当前进程权限 
        return 0; 
    } 
      
    dwKernelBase=(DWORD)pModules->smi.Base;   // imagebase 
    pKernelName=pModules->smi.ModuleNameOffset+pModules->smi.ImageName; 
    hKernel=LoadLibraryEx(pKernelName,0,DONT_RESOLVE_DLL_REFERENCES);     // 映射ntoskrnl //高  
    if (!hKernel) 
    { 
        cout << "Failed to load \n"; 
        return 0;         
    } 
    GlobalFree(pModules); 
    if (!(dwKSDT=(DWORD)GetProcAddress(hKernel,"KeServiceDescriptorTable"))) //在内核文件中查找KeServiceDescriptorTable地址 
    { 
        cout << "Can't find KeServiceDescriptorTable\n"; 
        return 0; 
    } 
      
    dwKSDT-=(DWORD)hKernel;       // 获取 KeServiceDescriptorTable RVA 
    if (!(dwKiServiceTable=FindKiServiceTable(hKernel,dwKSDT)))   // 获取KiServiceTable地址 
    { 
        cout << "Can't find KiServiceTable...\n"; 
        return 0; 
    } 
      
    GetHeaders((char *)hKernel,&pfh,&poh,&psh);  
      
    int dwIndex=0; 
    for (pService=(PDWORD)((DWORD)hKernel+dwKiServiceTable); 
        *pService-poh->ImageBase<poh->SizeOfImage; 
        pService++,dwServices++,dwIndex++) 
    { 
        printf("0x%03X-0x%08X\n",dwIndex,*pService-poh->ImageBase+dwKernelBase);   //SSDT索引和地址 
    } 
    FreeLibrary(hKernel); 
    return 1; 
} 
  
  
  
int main() 
{ 
    EnumSSDT(); 
  
    system("pause"); 
    return 0; 
}