
Re: How to access named kernel object created by user mode application in kernel driver?

OSR_Community_User wrote:
Yes, you are right. I meant to say ZwCreateEvent() not the other ones.


Prasad Dabak wrote:

> Hello,
>
> At least on my machine NT 4.0 SP5, ZwOpenMutant and
> ZwOpenSemaphore are not exported by NTOSKRNL.EXE.
>
> I did the dumpbin /exports on NTOSKRNL.EXE
>
> -Prasad
>
> --- Prokash Sinha <[email protected]> wrote:
> > I was able to see that they were exported.
> >
> > Just do a dumpbin /exports on the file.
> >
> > rgds
> >
> > prokash
> >
> > Prasad Dabak wrote:
> >
> > > Hello,
> > >
> > > For event, you can use ZwOpenEvent call.
> > >
> > > For Semaphore & Mutant, ZwOpenSemaphore and ZwOpenMutant can be
> > > used. However the problem is, these Zwxx calls are not exported
> > > by NTOSKRNL.EXE.
> > >
> > > Hence you need to write these Zwxx wrappers yourself.
> > >
> > > All the Zwxx calls are nothing but the wrapper functions which
> > > fill in the EAX register with the unique service id, fill in
> > > the EDX register with pointer to stack frame and issue interrupt
> > > 2eh. In the end, appropriate number of parameter bytes are popped
> > > off the stack.
> > >
> > > Hence you can write your own Zwxx wrappers as follows.
> > >
> > > // Standard prototype: three DWORD-sized arguments, which is why the
> > > // stub ends in "ret 0Ch" (3 * 4 bytes popped by the callee).
> > > __declspec(naked) NTSTATUS NTAPI
> > > ZwOpenSemaphore(PHANDLE SemaphoreHandle, ACCESS_MASK DesiredAccess,
> > >                 POBJECT_ATTRIBUTES ObjectAttributes)
> > > {
> > >     _asm {
> > >         mov eax, 57h        // NtOpenSemaphore service id (NT 4.0 SP5)
> > >         lea edx, [esp+4]    // EDX -> first argument on the caller's stack
> > >         int 2eh             // enter the system service dispatcher
> > >         ret 0Ch             // pop the three DWORD arguments
> > >     }
> > > }
> > >
> > > __declspec(naked) NTSTATUS NTAPI
> > > ZwOpenMutant(PHANDLE MutantHandle, ACCESS_MASK DesiredAccess,
> > >              POBJECT_ATTRIBUTES ObjectAttributes)
> > > {
> > >     _asm {
> > >         mov eax, 52h        // NtOpenMutant service id (NT 4.0 SP5)
> > >         lea edx, [esp+4]
> > >         int 2eh
> > >         ret 0Ch
> > >     }
> > > }
> > >
> > > The above code is written assuming the machine is NT 4.0 SP5 and
> > > hence is coupled to OS version. The service ids for Zwxx calls
> > > (57h & 52h) can change between OS versions and sometimes between
> > > service packs.
> > >
> > > To make the above code version independent, one needs to find out
> > > the service ids dynamically.
> > >
> > > This can be done as follows.
> > >
> > > The user mode NTDLL.DLL exports all the Ntxx wrapper functions
> > > (identical to Zwxx wrappers) for all the system services. One can
> > > find the service id of the particular system service by walking the
> > > code of these wrapper functions.
> > >
> > > e.g. To find service id of ZwOpenMutant one can do the following
> > >
> > > unsigned char *ptr;
> > > ULONG ServiceId;
> > >
> > > ptr = (unsigned char *)GetProcAddress(GetModuleHandle("NTDLL.DLL"),
> > >                                       "NtOpenMutant");
> > > if (ptr != NULL) {
> > >     // ptr + 1 skips the one-byte 'MOV EAX' opcode (B8h); the ULONG
> > >     // at that location is the service id
> > >     ServiceId = *((ULONG *)(ptr + 1));
> > > }
> > >
> > > This service id can then be passed to kernel mode using some
> > > communication method (DeviceIoControl)
> > >
> > > Hope this helps.
> > >
> > > -Prasad
> > >
> > > --- "CHENG, WEI CHI (LNG)"
> > > <[email protected]> wrote:
> > > > Hi all,
> > > >
> > > > I have a user mode application that uses the SWMRG (single writer
> > > > multiple readers guard) as implemented in chap 10 of Advanced
> > > > Windows to protect a named memory mapped file.
> > > >
> > > > In the kernel mode file filter driver, I need to access the memory
> > > > mapped file. In ZwOpenSection, we can pass an ObjectAttributes that
> > > > encapsulates the name. However, I did not know how to do that for
> > > > Mutex, Event & Semaphore kernel objects.
> > > >
> > > > Any idea ?
> > > >
> > > > Thanks,
> > > >
> > > >
> > > > Jack(Wei-Chi) Cheng
> > > > Lexis-Nexis DCE Support Team
> > > > email: [email protected]
> > > > phone: 937-8656800 x 4028
> > > >
> > > >
> > > > ---
> > > > You are currently subscribed to ntfsd as:
> > > > [email protected]
> > > > To unsubscribe send a blank email to
> > > > $subst('Email.Unsub')
> > > >
> > > >
> > >
> > > =====
> > > Prasad S. Dabak
> > > Director of Engineering, Windows NT/2000 Division
> > > Cybermedia Software Private Limited
> > > http://www.cybermedia.co.in
> > > Co-author of the book "Undocumented Windows NT"
> > > ISBN 0764545698
> > >
>
> =====
> Prasad S. Dabak
> Director of Engineering, Windows NT/2000 Division
> Cybermedia Software Private Limited
> http://www.cybermedia.co.in
> Co-author of the book "Undocumented Windows NT"
> ISBN 0764545698
>
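Prasad's snippet above reads the ULONG at `ptr + 1` without first checking that the export really begins with the `mov eax, imm32` opcode, so if the NTDLL entry point has been patched (for example by an API-hooking library that plants a jump there) the value it returns is a jump displacement, not a service id. The C program below is an added example, not code from the thread: it decodes the NT 4.0 x86 stub layout the thread describes (`mov eax, imm32` / `lea edx, [esp+4]` / `int 2eh` / `ret imm16`) from a byte buffer, validates every instruction before trusting the id, reports a hooked or unrecognised stub instead of returning garbage, and recovers the argument count from the `ret` immediate, which doubles as a consistency check against the `ret 0Ch` in the hand-written wrappers. The byte images are constructed for the example (the `52h` id for NtOpenMutant is the NT 4.0 SP5 value quoted in the thread); nothing is read from a live NTDLL.DLL.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Outcome of inspecting one NT 4.0 x86 NtXxx/ZwXxx stub. */
typedef enum {
    STUB_OK = 0,        /* expected layout; service id and argument count decoded */
    STUB_HOOKED,        /* first instruction is a jump, i.e. the export was patched */
    STUB_UNRECOGNISED   /* buffer too short or some other instruction sequence */
} stub_status;

typedef struct {
    uint32_t service_id;   /* immediate of "mov eax, imm32" */
    unsigned arg_count;    /* "ret imm16" immediate / 4: number of DWORD arguments */
} stub_info;

/*
 * Layout of an NT 4.0 x86 system-service stub, as described in the thread:
 *   B8 imm32       mov eax, <service id>
 *   8D 54 24 04    lea edx, [esp+4]     ; EDX -> first argument
 *   CD 2E          int 2Eh              ; enter the system service dispatcher
 *   C2 imm16       ret <bytes to pop>   ; imm16 = 4 * number of arguments
 */
#define STUB_LEN 14

/* The thread's approach: assume code[0] is B8h and read the next four bytes. */
uint32_t naive_service_id(const unsigned char *code)
{
    return (uint32_t)code[1] | ((uint32_t)code[2] << 8) |
           ((uint32_t)code[3] << 16) | ((uint32_t)code[4] << 24);
}

/* Validating decoder: every instruction must match before the id is trusted. */
stub_status decode_nt4_stub(const unsigned char *code, size_t len, stub_info *out)
{
    static const unsigned char tail[] = { 0x8D, 0x54, 0x24, 0x04,   /* lea edx,[esp+4] */
                                          0xCD, 0x2E,               /* int 2Eh          */
                                          0xC2 };                   /* ret imm16        */
    if (len < 2)
        return STUB_UNRECOGNISED;

    /* Hooking libraries overwrite the first bytes with a jump to their trampoline. */
    if (code[0] == 0xE9 || code[0] == 0xEB || (code[0] == 0xFF && code[1] == 0x25))
        return STUB_HOOKED;

    if (len < STUB_LEN || code[0] != 0xB8 || memcmp(code + 5, tail, sizeof tail) != 0)
        return STUB_UNRECOGNISED;

    unsigned pop = code[12] | ((unsigned)code[13] << 8);
    if (pop % 4 != 0)              /* x86 NT services pop whole DWORD arguments */
        return STUB_UNRECOGNISED;

    out->service_id = naive_service_id(code);   /* now known to be the mov imm32 */
    out->arg_count  = pop / 4;
    return STUB_OK;
}

/* Constructed byte images for the example; not dumped from a real NTDLL.DLL. */
const unsigned char nt4_open_mutant_stub[STUB_LEN] = {
    0xB8, 0x52, 0x00, 0x00, 0x00,   /* mov eax, 52h  (NT 4.0 SP5 id quoted in the thread) */
    0x8D, 0x54, 0x24, 0x04,         /* lea edx, [esp+4] */
    0xCD, 0x2E,                     /* int 2Eh */
    0xC2, 0x0C, 0x00                /* ret 0Ch: three DWORD arguments */
};

const unsigned char hooked_stub[STUB_LEN] = {
    0xE9, 0x00, 0x10, 0x00, 0x00,   /* jmp +1000h: a detour planted by a hooking library */
    0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90   /* nop padding */
};

int main(void)
{
    stub_info info;
    if (decode_nt4_stub(nt4_open_mutant_stub, STUB_LEN, &info) == STUB_OK)
        printf("NtOpenMutant: service id %02Xh, %u arguments\n",
               (unsigned)info.service_id, info.arg_count);

    if (decode_nt4_stub(hooked_stub, STUB_LEN, &info) == STUB_HOOKED)
        printf("hooked stub: the naive read would have returned %08Xh\n",
               (unsigned)naive_service_id(hooked_stub));
    return 0;
}
```

If the decoded id is then handed to a driver over DeviceIoControl as the thread proposes, the driver still executes whichever service number the user-mode caller supplies, so the kernel side should treat that number as untrusted input and accept only the few services it actually intends to invoke.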