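/*
 * copySSDTShadow - take a private snapshot of the first two service tables
 * reachable through getSsdtShadow().
 *
 * The tables are read while attached to the address space of "explorer.exe"
 * (presumably because the second table is only mapped in the context of a
 * GUI process -- confirm against getSsdtShadow()).
 *
 * Returns a pool-allocated array of three KSERVICE_TABLE_DESCRIPTOR entries.
 * Entries 0 and 1 own deep copies of Base and Number; entry 2 is left zeroed.
 * Count is copied by value as-is. Returns NULL on any failure.
 *
 * Ownership: on success the caller must release Base and Number of entries
 * 0 and 1, and then the array itself, with ExFreePoolWithTag(..., 'tapz').
 *
 * NOTE(review): name2Eprocess() is opaque from here. If it returns a
 * referenced object, every return path below needs a matching dereference;
 * if it does not, the process may exit before the attach. Confirm.
 * NOTE(review): NonPagedPool is executable pool on older systems; use the
 * non-executable pool type if the target WDK provides one.
 */
PKSERVICE_TABLE_DESCRIPTOR copySSDTShadow() {
    PKSERVICE_TABLE_DESCRIPTOR copyOfSSDTShadow, ssdtShadow;
    PEPROCESS pProcess;
    KAPC_STATE apcK;
    size_t baseBytes, numberBytes;
    int i, numberItem;

    pProcess = name2Eprocess("explorer.exe");
    if (pProcess == NULL)
        return NULL;

    copyOfSSDTShadow = (PKSERVICE_TABLE_DESCRIPTOR)ExAllocatePoolWithTag(
        NonPagedPool, sizeof(KSERVICE_TABLE_DESCRIPTOR) * 3, 'tapz');
    if (copyOfSSDTShadow == NULL)
        return NULL;

    /* Zeroing lets the failure path tell allocated members from untouched ones. */
    memset(copyOfSSDTShadow, 0, sizeof(KSERVICE_TABLE_DESCRIPTOR) * 3);

    ssdtShadow = getSsdtShadow();
    if (ssdtShadow == NULL) {
        /* The original returned here without releasing the array (pool leak). */
        ExFreePoolWithTag(copyOfSSDTShadow, 'tapz');
        return NULL;
    }

    KeStackAttachProcess((PKPROCESS)pProcess, &apcK);

    for (i = 0; i < 2; i++) {
        numberItem = ssdtShadow[i].Limit;

        /*
         * Reject a non-positive or overflowing entry count so that the stored
         * Limit always matches the number of elements actually allocated.
         */
        if (numberItem <= 0 || (size_t)numberItem > ((size_t)-1) / sizeof(DWORD))
            goto fail;

        baseBytes = (size_t)numberItem * sizeof(DWORD);
        numberBytes = (size_t)numberItem * sizeof(BYTE);

        copyOfSSDTShadow[i].Base =
            (PDWORD)ExAllocatePoolWithTag(NonPagedPool, baseBytes, 'tapz');
        if (copyOfSSDTShadow[i].Base == NULL)
            goto fail;

        copyOfSSDTShadow[i].Number =
            (PBYTE)ExAllocatePoolWithTag(NonPagedPool, numberBytes, 'tapz');
        if (copyOfSSDTShadow[i].Number == NULL)
            goto fail;

        copyOfSSDTShadow[i].Limit = numberItem;
        copyOfSSDTShadow[i].Count = ssdtShadow[i].Count;
        memcpy(copyOfSSDTShadow[i].Base, ssdtShadow[i].Base, baseBytes);
        memcpy(copyOfSSDTShadow[i].Number, ssdtShadow[i].Number, numberBytes);
    }

    KeUnstackDetachProcess(&apcK);
    return copyOfSSDTShadow;

fail:
    KeUnstackDetachProcess(&apcK);

    /*
     * Release the members first and the array last. The original freed the
     * array and then read copyOfSSDTShadow[i].Base from it (use-after-free).
     * ExFreePoolWithTag must not be given NULL, hence the guards.
     */
    for (i = 0; i < 2; i++) {
        if (copyOfSSDTShadow[i].Number != NULL)
            ExFreePoolWithTag(copyOfSSDTShadow[i].Number, 'tapz');
        if (copyOfSSDTShadow[i].Base != NULL)
            ExFreePoolWithTag(copyOfSSDTShadow[i].Base, 'tapz');
    }
    ExFreePoolWithTag(copyOfSSDTShadow, 'tapz');
    return NULL;
}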