hi,
osr has a kernel debugger extension which gives us the list of native apis
with their names and ordinals, i am curious how they did it, if i know
correctly this ssdt is os dependent and might change from os to os.
can anyone tell me the logic?
B
>>can anyone tell me the logic?
What exactly is *the* motive?
>if i know correctly this ssdt is os dependent and might change from os to os.
SSDT simplay can be treated as a table of function pointer, where none of the function is exported.
do you mean that the placement of SSDT can change from os to os.
>What exactly is *the* motive?
learning is the motive. When we debug into the kernel, we see a placeholder
for function pointers for all calls, but they are just pointers, how does
the OSR extension fetch the names is what makes me curious…
do you mean that the placement of SSDT can change from os to os.
i think even the order of the functions can change from os to os? so in one
os is ordinal 0x12 is (say) NtCreatefile it is not guaranteed that in
another version/service pack 0x12 will still remain as NtCreateFile, is that
correct??
On Mon, Nov 23, 2009 at 8:21 PM, wrote:
> >>can anyone tell me the logic?
>
> What exactly is the motive?
>
> >>if i know correctly this ssdt is os dependent and might change from os to
> os.
>
> SSDT simplay can be treated as a table of function pointer, where none of
> the function is exported.
>
> do you mean that the placement of SSDT can change from os to os.
>
> —
> NTDEV is sponsored by OSR
>
> For our schedule of WDF, WDM, debugging and other seminars visit:
> http://www.osr.com/seminars
>
> To unsubscribe, visit the List Server section of OSR Online at
> http://www.osronline.com/page.cfm?name=ListServer
>
What OSR extension is this? They don’t list a debug extension that I know
of in the downloads. As far as how things work, you have a lot of data
with the PDB files (even the limited ones Microsoft provides us), and you
have access to ntdll.dll which if disassembled can give you the offsets.
–
Don Burn (MVP, Windows DKD)
Windows Filesystem and Driver Consulting
Website: http://www.windrvr.com
Blog: http://msmvps.com/blogs/WinDrvr
“Bedanto” wrote in message news:xxxxx@ntdev…
> >What exactly is the motive?
>
> learning is the motive. When we debug into the kernel, we see a
> placeholder
> for function pointers for all calls, but they are just pointers, how does
> the OSR extension fetch the names is what makes me curious…
>
>>do you mean that the placement of SSDT can change from os to os.
> i think even the order of the functions can change from os to os? so in
> one
> os is ordinal 0x12 is (say) NtCreatefile it is not guaranteed that in
> another version/service pack 0x12 will still remain as NtCreateFile, is
> that
> correct??
>
>
>
>
>
> On Mon, Nov 23, 2009 at 8:21 PM, wrote:
>
>> >>can anyone tell me the logic?
>>
>> What exactly is the motive?
>>
>> >>if i know correctly this ssdt is os dependent and might change from os
>> >>to
>> os.
>>
>> SSDT simplay can be treated as a table of function pointer, where none of
>> the function is exported.
>>
>> do you mean that the placement of SSDT can change from os to os.
>>
>> —
>> NTDEV is sponsored by OSR
>>
>> For our schedule of WDF, WDM, debugging and other seminars visit:
>> http://www.osr.com/seminars
>>
>> To unsubscribe, visit the List Server section of OSR Online at
>> http://www.osronline.com/page.cfm?name=ListServer
>>
>
>
>
> Information from ESET NOD32 Antivirus, version of virus
> signature database 4630 (20091123)
>
> The message was checked by ESET NOD32 Antivirus.
>
> http://www.eset.com
>
>
Information from ESET NOD32 Antivirus, version of virus signature database 4630 (20091123)
The message was checked by ESET NOD32 Antivirus.
http://www.eset.com
>What OSR extension is this?
it is called osrexts.dll, load it and run !osrexts.sst
ooh so they use dbghelp.dll, i thought they did it programatically…
so don, was my assumption correct abtdff os versions having different
ordinals for the same functioN?
On Mon, Nov 23, 2009 at 8:26 PM, Don Burn wrote:
> What OSR extension is this? They don’t list a debug extension that I know
> of in the downloads. As far as how things work, you have a lot of data
> with the PDB files (even the limited ones Microsoft provides us), and you
> have access to ntdll.dll which if disassembled can give you the offsets.
>
>
> –
> Don Burn (MVP, Windows DKD)
> Windows Filesystem and Driver Consulting
> Website: http://www.windrvr.com
> Blog: http://msmvps.com/blogs/WinDrvr
>
>
> “Bedanto” wrote in message news:xxxxx@ntdev…
> > >What exactly is the motive?
> >
> > learning is the motive. When we debug into the kernel, we see a
> > placeholder
> > for function pointers for all calls, but they are just pointers, how does
> > the OSR extension fetch the names is what makes me curious…
> >
> >>do you mean that the placement of SSDT can change from os to os.
> > i think even the order of the functions can change from os to os? so in
> > one
> > os is ordinal 0x12 is (say) NtCreatefile it is not guaranteed that in
> > another version/service pack 0x12 will still remain as NtCreateFile, is
> > that
> > correct??
> >
> >
> >
> >
> >
> > On Mon, Nov 23, 2009 at 8:21 PM, wrote:
> >
> >> >>can anyone tell me the logic?
> >>
> >> What exactly is the motive?
> >>
> >> >>if i know correctly this ssdt is os dependent and might change from os
> >> >>to
> >> os.
> >>
> >> SSDT simplay can be treated as a table of function pointer, where none
> of
> >> the function is exported.
> >>
> >> do you mean that the placement of SSDT can change from os to os.
> >>
> >> —
> >> NTDEV is sponsored by OSR
> >>
> >> For our schedule of WDF, WDM, debugging and other seminars visit:
> >> http://www.osr.com/seminars
> >>
> >> To unsubscribe, visit the List Server section of OSR Online at
> >> http://www.osronline.com/page.cfm?name=ListServer
> >>
> >
> >
> >
> > Information from ESET NOD32 Antivirus, version of virus
> > signature database 4630 (20091123)
> >
> > The message was checked by ESET NOD32 Antivirus.
> >
> > http://www.eset.com
> >
> >
>
>
>
> Information from ESET NOD32 Antivirus, version of virus
> signature database 4630 (20091123)
>
> The message was checked by ESET NOD32 Antivirus.
>
> http://www.eset.com
>
>
>
>
>
> —
> NTDEV is sponsored by OSR
>
> For our schedule of WDF, WDM, debugging and other seminars visit:
> http://www.osr.com/seminars
>
> To unsubscribe, visit the List Server section of OSR Online at
> http://www.osronline.com/page.cfm?name=ListServer
>
Not only do they change for OS versions in the past they changed with
service packs and even a few times with hotfixes. This is high on the list
of why hooking is a bad idea, but since there are so many items competing to
be on that list high is relative.
–
Don Burn (MVP, Windows DKD)
Windows Filesystem and Driver Consulting
Website: http://www.windrvr.com
Blog: http://msmvps.com/blogs/WinDrvr
Remove StopSpam to reply
“Bedanto” wrote in message news:xxxxx@ntdev…
> >What OSR extension is this?
>
> it is called osrexts.dll, load it and run !osrexts.sst
>
>
> ooh so they use dbghelp.dll, i thought they did it programatically…
>
>
> so don, was my assumption correct abtdff os versions having different
> ordinals for the same functioN?
>
>
>
> On Mon, Nov 23, 2009 at 8:26 PM, Don Burn wrote:
>
>> What OSR extension is this? They don’t list a debug extension that I
>> know
>> of in the downloads. As far as how things work, you have a lot of data
>> with the PDB files (even the limited ones Microsoft provides us), and you
>> have access to ntdll.dll which if disassembled can give you the offsets.
>>
>>
>> –
>> Don Burn (MVP, Windows DKD)
>> Windows Filesystem and Driver Consulting
>> Website: http://www.windrvr.com
>> Blog: http://msmvps.com/blogs/WinDrvr
>>
>>
>> “Bedanto” wrote in message news:xxxxx@ntdev…
>> > >What exactly is the motive?
>> >
>> > learning is the motive. When we debug into the kernel, we see a
>> > placeholder
>> > for function pointers for all calls, but they are just pointers, how
>> > does
>> > the OSR extension fetch the names is what makes me curious…
>> >
>> >>do you mean that the placement of SSDT can change from os to os.
>> > i think even the order of the functions can change from os to os? so in
>> > one
>> > os is ordinal 0x12 is (say) NtCreatefile it is not guaranteed that in
>> > another version/service pack 0x12 will still remain as NtCreateFile, is
>> > that
>> > correct??
>> >
>> >
>> >
>> >
>> >
>> > On Mon, Nov 23, 2009 at 8:21 PM, wrote:
>> >
>> >> >>can anyone tell me the logic?
>> >>
>> >> What exactly is the motive?
>> >>
>> >> >>if i know correctly this ssdt is os dependent and might change from
>> >> >>os
>> >> >>to
>> >> os.
>> >>
>> >> SSDT simplay can be treated as a table of function pointer, where none
>> of
>> >> the function is exported.
>> >>
>> >> do you mean that the placement of SSDT can change from os to os.
>> >>
>> >> —
>> >> NTDEV is sponsored by OSR
>> >>
>> >> For our schedule of WDF, WDM, debugging and other seminars visit:
>> >> http://www.osr.com/seminars
>> >>
>> >> To unsubscribe, visit the List Server section of OSR Online at
>> >> http://www.osronline.com/page.cfm?name=ListServer
>> >>
>> >
>> >
>> >
>> > Information from ESET NOD32 Antivirus, version of virus
>> > signature database 4630 (20091123)
>> >
>> > The message was checked by ESET NOD32 Antivirus.
>> >
>> > http://www.eset.com
>> >
>> >
>>
>>
>>
>> Information from ESET NOD32 Antivirus, version of virus
>> signature database 4630 (20091123)
>>
>> The message was checked by ESET NOD32 Antivirus.
>>
>> http://www.eset.com
>>
>>
>>
>>
>>
>> —
>> NTDEV is sponsored by OSR
>>
>> For our schedule of WDF, WDM, debugging and other seminars visit:
>> http://www.osr.com/seminars
>>
>> To unsubscribe, visit the List Server section of OSR Online at
>> http://www.osronline.com/page.cfm?name=ListServer
>>
>
>
>
> Information from ESET NOD32 Antivirus, version of virus
> signature database 4630 (20091123)
>
> The message was checked by ESET NOD32 Antivirus.
>
> http://www.eset.com
>
>
Information from ESET NOD32 Antivirus, version of virus signature database 4630 (20091123)
The message was checked by ESET NOD32 Antivirus.
http://www.eset.com
That’s an old kernel mode debugger extension, it’s effectively just doing:
dps nt!KiServiceTable lpoi(nt!KiServiceLimit)
Nothing overly clever or exciting (also not at all correct for 64bit
Windows).
for function pointers for all calls, but they are just pointers, how does
the OSR extension fetch the names is what makes me curious…
Look at IDebugSymbols::GetNameByOffset
-scott
–
Scott Noone
Consulting Associate
OSR Open Systems Resources, Inc.
http://www.osronline.com
“Bedanto” wrote in message news:xxxxx@ntdev…
>What OSR extension is this?
it is called osrexts.dll, load it and run !osrexts.sst
ooh so they use dbghelp.dll, i thought they did it programatically…
so don, was my assumption correct abtdff os versions having different
ordinals for the same functioN?
On Mon, Nov 23, 2009 at 8:26 PM, Don Burn wrote:
What OSR extension is this? They don’t list a debug extension that I know
of in the downloads. As far as how things work, you have a lot of data
with the PDB files (even the limited ones Microsoft provides us), and you
have access to ntdll.dll which if disassembled can give you the offsets.
–
Don Burn (MVP, Windows DKD)
Windows Filesystem and Driver Consulting
Website: http://www.windrvr.com
Blog: http://msmvps.com/blogs/WinDrvr
“Bedanto” wrote in message news:xxxxx@ntdev…
> >What exactly is the motive?
>
> learning is the motive. When we debug into the kernel, we see a
> placeholder
> for function pointers for all calls, but they are just pointers, how does
> the OSR extension fetch the names is what makes me curious…
>
>>do you mean that the placement of SSDT can change from os to os.
> i think even the order of the functions can change from os to os? so in
> one
> os is ordinal 0x12 is (say) NtCreatefile it is not guaranteed that in
> another version/service pack 0x12 will still remain as NtCreateFile, is
> that
> correct??
>
>
>
>
>
> On Mon, Nov 23, 2009 at 8:21 PM, wrote:
>
>> >>can anyone tell me the logic?
>>
>> What exactly is the motive?
>>
>> >>if i know correctly this ssdt is os dependent and might change from os
>> >>to
>> os.
>>
>> SSDT simplay can be treated as a table of function pointer, where none of
>> the function is exported.
>>
>> do you mean that the placement of SSDT can change from os to os.
>>
>> —
>> NTDEV is sponsored by OSR
>>
>> For our schedule of WDF, WDM, debugging and other seminars visit:
>> http://www.osr.com/seminars
>>
>> To unsubscribe, visit the List Server section of OSR Online at
>> http://www.osronline.com/page.cfm?name=ListServer
>>
>
>
>
> Information from ESET NOD32 Antivirus, version of virus
> signature database 4630 (20091123)
>
> The message was checked by ESET NOD32 Antivirus.
>
> http://www.eset.com
>
>
Information from ESET NOD32 Antivirus, version of virus signature
database 4630 (20091123)
The message was checked by ESET NOD32 Antivirus.
http://www.eset.com
—
NTDEV is sponsored by OSR
For our schedule of WDF, WDM, debugging and other seminars visit:
http://www.osr.com/seminars
To unsubscribe, visit the List Server section of OSR Online at
http://www.osronline.com/page.cfm?name=ListServer