Hello,
For event, you can use ZwOpenEvent call.
For Semaphore & Mutant, ZwOpenSemaphore and
ZwOpenMutant can be
used. However the problem is, these Zwxx calls are not
exported
by NTOSKRNL.EXE.
Hence you need to write these Zwxx wrappers yourself.
All the Zwxx calls are nothing but the wrapper
functions which
fills in the EAX register with the unique service id,
fills in
the EDX register with pointer to stack frame and
issues interrupt
2eh. In the end, appropriate number of parameter bytes
are popped
off the stack.
Hence you can write your own Zwxx wrappers as follows.
_declspec(naked) NTSTATUS NTAPI ZwOpenSemaphore(param
list)
{
_asm {
mov eax, 57h
lea edx, [esp+4]
int 2eh
ret 0Ch
}
}
_declspec(naked) NTSTATUS NTAPI ZwOpenMutant(param
list)
{
_asm {
mov eax, 52h
lea edx, [esp+4]
int 2eh
ret 0Ch
}
}
The above code is written assuming the machine is NT
4.0
SP5 and hence is coupled to OS version. The service
ids
for Zwxx calls (57h & 52h) can change between OS
versions
and some times between service packs.
To make the above code version independent, one needs
to
find out the service ids dynamically.
This can be done as follows.
The user mode NTDLL.DLL exports all the Ntxx wrapper
functions (identical to Zwxx wrappers) for all the
system
services. One can find the service id of the
particular
system service by walking the code of these wrapper
functions.
e.g To find service id of ZwOpenMutant one can do the
following
unsigned char *ptr;
ptr=(unsigned char *)
GetProcAddress(GetModuleHandle(“NTDLL.DLL”),
“NtOpenMutant”);
//ptr + 1 will skip the ‘MOV EAX’ instruction opcode
and ULONG
//at that location will be the service id
ServiceId=*((ULONG *)(ptr+1))
This service id can be then be passed to kernel mode
using some
communication method (DeviceIoControl)
Hope this helps.
-Prasad
— “CHENG, WEI CHI (LNG)”
wrote:
> Hi all,
>
> I have a user mode application that uses the
> SWMRG(single writer multiple
> readers guard) as implemented in chap 10 of Advanced
> windows to protect a
> named memory mapped file.
>
> In the kernel mode file filter driver, I need to
> access the memory mapped
> file. In ZwOpenSection, we can pass an
> ObjectAttributes that encapsulates
> the name. However, I did not know how to do that for
> Mutex, Event &
> Semaphore kernel objects.
>
> Any idea ?
>
> Thanks,
>
>
> Jack(Wei-Chi) Cheng
> Lexis-Nexis DCE Support Team
> email: xxxxx@lexis-nexis.com
> phone: 937-8656800 x 4028
>
>
> —
> You are currently subscribed to ntfsd as:
> xxxxx@yahoo.com
> To unsubscribe send a blank email to
> $subst(‘Email.Unsub’)
>
>
=====
Prasad S. Dabak
Director of Engineering, Windows NT/2000 Division
Cybermedia Software Private Limited
http://www.cybermedia.co.in
Co-author of the book “Undocumented Windows NT”
ISBN 0764545698
__________________________________________________
Do You Yahoo!?
Talk to your friends online with Yahoo! Messenger.
http://im.yahoo.com