_KTHREAD::ServiceTable hook detection macro for kd/windbg

gistfile1.txt

$$ enum active proceses
r $t0 = nt!PsActiveProcessHead

.for (r $t1 = poi(@$t0);
      (@$t1 != 0) & (@$t1 != @$t0);
      r $t1 = poi(@$t1))
{
    r? $t2 = #CONTAINING_RECORD(@$t1, nt!_EPROCESS, 
        ActiveProcessLinks)

    as /x ${/v:$Procc} @$t2

    $$  Get image name into $ImageName.
    as /ma ${/v:$ImageName} @@c++(&@$t2->ImageFileName[0])

    .block
    {
        .echo ${$Procc}: ${$ImageName}
        .echo Active threads:
    }

    $$ enum process threads
    r? $t3 = (nt!_LIST_ENTRY *)&@$t2->ThreadListHead;

    .for (r $t4 = poi(@$t3);
          (@$t4 != 0) & (@$t4 != @$t3);
          r $t4 = poi(@$t4))
    {
        r? $t5 = #CONTAINING_RECORD(@$t4, nt!_ETHREAD,  
            ThreadListEntry)

        r? $t5 = (nt!_KTHREAD *)@$t5

        $$ get ServiceTable field value
        r $t6 = @@c++(@$t5->ServiceTable)

        r $t7 = nt!KeServiceDescriptorTable
        r $t8 = nt!KeServiceDescriptorTableShadow

        as /x ${/v:$Kthread} @$t5
        as /x ${/v:$SDT} @$t6

        .block 
        {
            .echo ${$Kthread} ServiceTable = ${$SDT}
        }

        $$ check service table pointer
        .if ((@$t6 != @$t7) & (@$t6 != @$t8))
        {
            .block
            {
                .echo !!! Changed value of KTHREAD::ServiceTable
            }
        }

        ad ${/v:$Kthread}
        ad ${/v:$SDT}
    }

    ad ${/v:$ImageName}
    ad ${/v:$Procc}
}