Re: How to access named kernel object created by user mode application in kernel driver?

Yes, you are right. I meant to say ZwCreateEvent() not the other ones.

Prasad Dabak wrote:

Hello,

At least on my machine NT 4.0 SP5, ZwOpenMutant and
ZwOpenSemaphore are not exported by NTOSKRNL.EXE.

I did the dumpbin /exports on NTOSKRNL.EXE

-Prasad

— Prokash Sinha wrote:
> > I was able to see that they were exported.
> >
> > Just do a dumpbin /exports on the file.
> >
> > rgds
> >
> > prokash
> >
> > Prasad Dabak wrote:
> >
> > > Hello,
> > >
> > > For event, you can use the ZwOpenEvent call.
> > >
> > > For Semaphore & Mutant, ZwOpenSemaphore and ZwOpenMutant can be
> > > used. However, the problem is that these Zwxx calls are not exported
> > > by NTOSKRNL.EXE.
> > >
> > > Hence you need to write these Zwxx wrappers yourself.
> > >
> > > All the Zwxx calls are nothing but the wrapper functions which fill
> > > in the EAX register with the unique service id, fill in the EDX
> > > register with a pointer to the stack frame and issue interrupt 2Eh.
> > > In the end, the appropriate number of parameter bytes are popped off
> > > the stack.
> > >
> > > Hence you can write your own Zwxx wrappers as follows.
> > >
> > > __declspec(naked) NTSTATUS NTAPI
> > > ZwOpenSemaphore(PHANDLE SemaphoreHandle,
> > >                 ACCESS_MASK DesiredAccess,
> > >                 POBJECT_ATTRIBUTES ObjectAttributes)
> > > {
> > >     __asm {
> > >         mov eax, 57h        ; service id of NtOpenSemaphore (NT 4.0 SP5)
> > >         lea edx, [esp+4]    ; EDX -> first argument on the caller's stack
> > >         int 2eh             ; enter the system service dispatcher
> > >         ret 0Ch             ; stdcall: pop the three 4-byte arguments
> > >     }
> > > }
> > >
> > > __declspec(naked) NTSTATUS NTAPI
> > > ZwOpenMutant(PHANDLE MutantHandle,
> > >              ACCESS_MASK DesiredAccess,
> > >              POBJECT_ATTRIBUTES ObjectAttributes)
> > > {
> > >     __asm {
> > >         mov eax, 52h        ; service id of NtOpenMutant (NT 4.0 SP5)
> > >         lea edx, [esp+4]    ; EDX -> first argument on the caller's stack
> > >         int 2eh             ; enter the system service dispatcher
> > >         ret 0Ch             ; stdcall: pop the three 4-byte arguments
> > >     }
> > > }
> > >
> > > The above code is written assuming the machine is NT 4.0 SP5 and
> > > hence is coupled to the OS version. The service ids for Zwxx calls
> > > (57h & 52h) can change between OS versions and sometimes between
> > > service packs.
> > >
> > > To make the above code version independent, one needs to find out
> > > the service ids dynamically.
> > >
> > > This can be done as follows.
> > >
> > > The user mode NTDLL.DLL exports all the Ntxx wrapper functions
> > > (identical to the Zwxx wrappers) for all the system services. One can
> > > find the service id of a particular system service by walking the
> > > code of these wrapper functions.
> > >
> > > e.g. To find the service id of ZwOpenMutant one can do the following:
> > >
> > > #include <windows.h>
> > >
> > > unsigned char *ptr;
> > > ULONG ServiceId;
> > >
> > > ptr = (unsigned char *)
> > >     GetProcAddress(GetModuleHandleA("NTDLL.DLL"), "NtOpenMutant");
> > > // ptr + 1 skips the 'MOV EAX' instruction opcode (B8h); the ULONG
> > > // at that location is the service id
> > > if (ptr != NULL)
> > >     ServiceId = *(ULONG *)(ptr + 1);
> > >
> > > This service id can then be passed to kernel mode using some
> > > communication method (DeviceIoControl).
> > >
> > > Hope this helps.
> > >
> > > -Prasad
> > >
> > >
> > > — "CHENG, WEI CHI (LNG)" wrote:
> > > > Hi all,
> > > >
> > > > I have a user mode application that uses the SWMRG (single writer
> > > > multiple readers guard) as implemented in chapter 10 of Advanced
> > > > Windows to protect a named memory mapped file.
> > > >
> > > > In the kernel mode file filter driver, I need to access the memory
> > > > mapped file. In ZwOpenSection, we can pass an ObjectAttributes that
> > > > encapsulates the name. However, I did not know how to do that for
> > > > Mutex, Event & Semaphore kernel objects.
> > > >
> > > > Any idea?
> > > >
> > > > Thanks,
> > > >
> > > >
> > > > Jack (Wei-Chi) Cheng
> > > > Lexis-Nexis DCE Support Team
> > > > email: xxxxx@lexis-nexis.com
> > > > phone: 937-8656800 x 4028
> > > >
> > > >
> > > > —
> > > > You are currently subscribed to ntfsd as:
> > > > xxxxx@yahoo.com
> > > > To unsubscribe send a blank email to
> > > > $subst(‘Email.Unsub’)
> > > >
> > > >
> > >
> > > =====
> > > Prasad S. Dabak
> > > Director of Engineering, Windows NT/2000 Division
> > > Cybermedia Software Private Limited
> > > http://www.cybermedia.co.in
> > > Co-author of the book “Undocumented Windows NT”
> > > ISBN 0764545698
> > >
> > > Do You Yahoo!?
> > > Talk to your friends online with Yahoo! Messenger.
> > > http://im.yahoo.com
> > >
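The service-id discovery that Prasad describes in the quoted message (read the immediate after the MOV EAX opcode of an NTDLL Ntxxx stub) as an added example; this is not code from the original thread or from any of its posters. It assumes the 32-bit NT 4.0 stub layout the post gives (mov eax,imm32 / lea edx,[esp+4] / int 2Eh / ret imm16) and validates the whole pattern before trusting the byte after the opcode, so an exported function that merely begins with "mov eax, imm32" is not mistaken for a system-call stub. The function names are mine, and every sample byte string is constructed for the example rather than dumped from a real NTDLL.DLL; it is pure byte parsing and runs on any platform.

```c
/* Added example (not from the original thread): validate and decode an
 * NT 4.0 x86 NTDLL system-call stub instead of blindly reading ptr+1.
 * All sample byte strings are constructed, not taken from NTDLL.DLL. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed stub layout (14 bytes), as described in the post:
 *   B8 id id id id   mov eax, ServiceId
 *   8D 54 24 04      lea edx, [esp+4]
 *   CD 2E            int 2Eh
 *   C2 nn nn         ret nn          (nn = argument bytes to pop) */
#define STUB_LEN 14
static const uint8_t stub_tail[] = { 0x8D, 0x54, 0x24, 0x04, 0xCD, 0x2E };

/* Returns 1 and fills *id / *arg_bytes when the bytes match the pattern,
 * 0 otherwise. Immediates are assembled byte by byte, so nothing depends
 * on pointer alignment or host byte order. */
int parse_syscall_stub(const uint8_t *code, size_t len,
                       uint32_t *id, unsigned *arg_bytes)
{
    if (code == NULL || len < STUB_LEN)
        return 0;
    if (code[0] != 0xB8)                               /* mov eax, imm32 */
        return 0;
    if (memcmp(code + 5, stub_tail, sizeof stub_tail) != 0)
        return 0;                                      /* no lea / int 2Eh */
    if (code[11] != 0xC2)                              /* ret imm16 */
        return 0;
    *id = (uint32_t)code[1] | ((uint32_t)code[2] << 8) |
          ((uint32_t)code[3] << 16) | ((uint32_t)code[4] << 24);
    *arg_bytes = (unsigned)code[12] | ((unsigned)code[13] << 8);
    return 1;
}

/* Convenience accessors: -1 when the bytes are not a stub. */
long service_id_of(const uint8_t *code, size_t len)
{
    uint32_t id; unsigned n;
    return parse_syscall_stub(code, len, &id, &n) ? (long)id : -1L;
}

int arg_bytes_of(const uint8_t *code, size_t len)
{
    uint32_t id; unsigned n;
    return parse_syscall_stub(code, len, &id, &n) ? (int)n : -1;
}

/* Emit the same 14-byte pattern for a given id and argument count: the
 * byte-level equivalent of the __declspec(naked) wrapper in the post. */
void encode_syscall_stub(uint32_t id, unsigned nargs, uint8_t out[STUB_LEN])
{
    unsigned arg_bytes = nargs * 4;
    out[0] = 0xB8;
    out[1] = (uint8_t)id;         out[2] = (uint8_t)(id >> 8);
    out[3] = (uint8_t)(id >> 16); out[4] = (uint8_t)(id >> 24);
    memcpy(out + 5, stub_tail, sizeof stub_tail);
    out[11] = 0xC2;
    out[12] = (uint8_t)arg_bytes; out[13] = (uint8_t)(arg_bytes >> 8);
}

/* Encode, then parse back; 1 if id and argument bytes survive the trip. */
int roundtrip_ok(uint32_t id, unsigned nargs)
{
    uint8_t built[STUB_LEN];
    encode_syscall_stub(id, nargs, built);
    return service_id_of(built, STUB_LEN) == (long)id &&
           arg_bytes_of(built, STUB_LEN) == (int)(nargs * 4);
}

/* Constructed sample: NtOpenMutant stub with the id the post quotes for
 * NT 4.0 SP5 (52h) and ret 0Ch for its three pointer-sized arguments. */
const uint8_t sample_nt_open_mutant[STUB_LEN] = {
    0xB8, 0x52, 0x00, 0x00, 0x00, 0x8D, 0x54, 0x24, 0x04,
    0xCD, 0x2E, 0xC2, 0x0C, 0x00
};

/* Constructed sample: an ordinary "return 0" function. It also begins with
 * B8 (mov eax, 0), so reading the ULONG at ptr+1 blindly yields "id 0". */
const uint8_t sample_return_zero[STUB_LEN] = {
    0xB8, 0x00, 0x00, 0x00, 0x00, 0xC3,
    0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90      /* nop padding */
};

/* Constructed sample: a function with a normal frame prologue. */
const uint8_t sample_prologue[STUB_LEN] = {
    0x55, 0x8B, 0xEC, 0x83, 0xEC, 0x10, 0x53, 0x56,
    0x57, 0x8B, 0x7D, 0x08, 0x33, 0xC0
};

int main(void)
{
    printf("NtOpenMutant stub: id=%ld arg_bytes=%d\n",
           service_id_of(sample_nt_open_mutant, STUB_LEN),
           arg_bytes_of(sample_nt_open_mutant, STUB_LEN));
    printf("return-zero function: id=%ld (rejected)\n",
           service_id_of(sample_return_zero, STUB_LEN));
    printf("frame-prologue function: id=%ld (rejected)\n",
           service_id_of(sample_prologue, STUB_LEN));
    printf("round trip of 57h with 3 args: %s\n",
           roundtrip_ok(0x57, 3) ? "ok" : "mismatch");
    return 0;
}
```

In a real user-mode helper the `code` pointer would come from `GetProcAddress` on NTDLL.DLL exactly as in the post; the point of the pattern check is that a mismatch (a different OS version with a different stub layout, or a wrong export name) fails loudly with -1 instead of shipping a bogus id to the driver, which would then issue `int 2Eh` with whatever number happened to sit at ptr+1.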