For event, you can use ZwOpenEvent call.
For Semaphore & Mutant, ZwOpenSemaphore and
ZwOpenMutant can be
used. However the problem is, these Zwxx calls are not
Hence you need to write these Zwxx wrappers yourself.
All the Zwxx calls are nothing but the wrapper
fills in the EAX register with the unique service id,
the EDX register with pointer to stack frame and
2eh. In the end, appropriate number of parameter bytes
off the stack.
Hence you can write your own Zwxx wrappers as follows.
_declspec(naked) NTSTATUS NTAPI ZwOpenSemaphore(param
mov eax, 57h
lea edx, [esp+4]
_declspec(naked) NTSTATUS NTAPI ZwOpenMutant(param
mov eax, 52h
lea edx, [esp+4]
The above code is written assuming the machine is NT
SP5 and hence is coupled to OS version. The service
for Zwxx calls (57h & 52h) can change between OS
and some times between service packs.
To make the above code version independent, one needs
find out the service ids dynamically.
This can be done as follows.
The user mode NTDLL.DLL exports all the Ntxx wrapper
functions (identical to Zwxx wrappers) for all the
services. One can find the service id of the
system service by walking the code of these wrapper
e.g To find service id of ZwOpenMutant one can do the
unsigned char *ptr;
ptr=(unsigned char *)
//ptr + 1 will skip the 'MOV EAX' instruction opcode
//at that location will be the service id
This service id can be then be passed to kernel mode
communication method (DeviceIoControl)
Hope this helps.
--- "CHENG, WEI CHI (LNG)"
> Hi all,
> I have a user mode application that uses the
> SWMRG(single writer multiple
> readers guard) as implemented in chap 10 of Advanced
> windows to protect a
> named memory mapped file.
> In the kernel mode file filter driver, I need to
> access the memory mapped
> file. In ZwOpenSection, we can pass an
> ObjectAttributes that encapsulates
> the name. However, I did not know how to do that for
> Mutex, Event &
> Semaphore kernel objects.
> Any idea ?
> Jack(Wei-Chi) Cheng
> Lexis-Nexis DCE Support Team
> email: [email protected]
> phone: 937-8656800 x 4028
> You are currently subscribed to ntfsd as:
> [email protected]
> To unsubscribe send a blank email to
Prasad S. Dabak
Director of Engineering, Windows NT/2000 Division
Cybermedia Software Private Limitedhttp://www.cybermedia.co.in
Co-author of the book "Undocumented Windows NT"
Do You Yahoo!?
Talk to your friends online with Yahoo! Messenger.http://im.yahoo.com