Win32k.SYS system call table

Everyone who has ever had some serious contact with how the Windows kernel mechanisms work, was probably in need to access a complete system call number list (together with the handlers’ definitions). As one of the most important part of the communication process between user’s applications and kernel, SSDT is commonly used for both clearly practical purposes (such as hooking  system services in order to modify the OS behavior in certain situations), as well as theoretical research or discussions.

Considering the above facts, the popularity of a (mostly) full  system call list created by the Metasploit Project shouldn’t be a surprise. Their list covers most of the modern Windows NT-family systems, from Windows NT4, up to Windows Vista SP0. What is more, apart from the syscall numbers corresponding to certain kernel functions, the table also provides complete definitions of these functions.

What should be noted is that the described table contains information about only a part of all system calls – the ones exported by the kernel executable (ntoskrnl.exe). The graphical syscalls – exported by an external module called win32k.sys – have not been taken into account, at all. During my research on how some of the Windows user interface functions work,  a need to access information about system calls IDs greater than 0x1000 (values of this kind are used to communicate with the graphical part of the kernel) appeared. Since I failed to find a list, that could be compared with what Metasploit presents, I decided to create one on my own!

The current version of the Windows Graphical System Call List can be found under the following address:

Read moreWin32k.SYS system call table

Unexported SSDT functions finding method

Today, I would like to write about finding the addresses of non-exported kernel functions (syscall handlers) from user mode. The technique I am going to write about is my very own idea, that occured to me during one of my talks regarding Windows x86 kernel exploitation (greetings to suN8Hclf!). Despite this, I cannot guarantee that it hasn’t been invented and described by some independent authors a few months/years ago. If some of you – the readers – is aware of a similar publication, please let me know (I will surely publish some supplementary material to this post). Let’s get to the point…

The subject of practical vulnerability exploitation of the system kernel or one of its modules is simply too wide to entirely talk it over here. The technical aspects of making use of such vulnerabilities have already been described by a number of researchers, and the results of their work can be found, inter alia, there:

Read moreUnexported SSDT functions finding method