To bypass SSDT hook, you do it by allocating a section of memory to the size of KeServiceDescriptorTable->TableSize*4. TableSize returns the number of entries and you multiply that by four because each entry is 4 bytes long. So anyway, once you've got your memory allocated you copy the original table into the new table and then change the tables base address to that of the new address. And you do the same for the shadow table.
If GameGuard is so arrogant on the address of ServiceTable base address, we can change it, without them knowing. So this is what I will do:
- Allocate KeServiceDescriptorTable->TableSize*sizeof( PVOID ) byte of memory
- Copy KeServiceDescriptorTable->ServiceTable into the memory
- Set KeServiceDescriptorTable->ServiceTable to point to the memory.
- Wait for GameGuard to load, they will hook the memory allocated instead of the real SSDT
- Restore KeServiceDescriptorTable->ServiceTable with the original address.
- Do the same to KeServiceDescriptorTableShadow?.
Ok thats what i got soo far:
ULONG size;
unsigned realTable;
NTSTATUS DriverEntry(PDRIVER_OBJECT DriverObject, PUNICODE_STRING RegistryPath)
{
DbgPrint("Driver Loaded!");
PVOID *faekTable; size = KeServiceDescriptorTable->TableSize*4;
realTable = (unsigned)KeServiceDescriptorTable->ServiceTable;
faekTable = ExAllocatePoolWithTag(0, size, 0x31323334);
memcpy(faekTable, KeServiceDescriptorTable->ServiceTable, size);
(unsigned)KeServiceDescriptorTable->ServiceTable = (unsigned)&faekTable; //Found GG //Sleep(20000); (unsigned)KeServiceDescriptorTable->ServiceTable = realTable;
return STATUS_SUCCESS;
}
Author: c0lo