help needed. registry problem.

Hi, all…

Now I’m developing a registry hooking driver.
It is based on the REGMON source code.

It’s a kind of simple clone registry system.
For example, when a key create request comes in, it creates the key in another registry path.

When I use ZwCreateKey() in the HookRegCreateKey() function,
it causes a re-entering problem.
And the RealRegCreate() function does not work properly.
(It returns C00000005 - ACCESS_VIOLATION.)

The following is my code snippet.

NTSTATUS
HookRegCreateKey()
{
.
.
// stat = RealRegCreateKey(OTHER_PATH); // it returns C00000005, sometimes works properly
// stat = ZwCreateKey(OTHER_PATH); // it works well. but re-entering problem
return stat;
}


How can I solve this problem?
Thanks in advance.

Terra.



Hello terra,

ZwXXXX functions do not perform parameter validations on the stack
variables if previous mode is kernel. This might be the cause of your
problem. You are most likely passing a clobbered pointer to the routine.

- asit

-----Original Message-----
From: xxxxx@softonnet.com [mailto:xxxxx@softonnet.com]
Sent: Thursday, July 26, 2001 2:29 PM
To: NT Developers Interest List
Subject: [ntdev] help needed. registry problem.


Hello,

It seems that you are passing kernel mode addresses
(upper 2GB) when you chain on the call. As Asit
pointed out, ZwCreateKey works, because, calling
ZwCreateKey again triggers INT 2E and this is
triggered while you are already in kernel mode. In
this case kernel does not perform any parameter
validation and accepts any upper 2GB parameters.

It is very risky if you do not validate parameters
before calling ZwCreateKey. You will effectively open
up a security hole in this case.

Now, let me explain why calling RealRegCreate() does
not work. The reason is, you are probably modifying
some of the pointer parameters with kernel mode
addresses (upper 2GB). Now, since the original INT 2Eh
call is made from user mode, the system service
implementation (RealRegCreate) performs validation on
the parameters passed. And in your case, RealRegCreate
finds that kernel mode parameters are passed from user
mode and hence fails the call with C0000005 error.

To solve this issue, make sure that only user mode
pointer parameters are passed (below 2GB) to
RealRegCreate. If you need to allocate any memory for
modifying some parameters, allocate it from user space
using ZwAllocateVirtualMemory function.

Hope this helps.
-Prasad

— Asit Kharshikar wrote:
> Hello terra,
>
> ZwXXXX functions do not perform parameter
> validations on the stack
> variables if previous mode is kernel. This might be
> the cause of your
> problem. You are most likely passing a clobbered
> pointer to the routine.
>
> - asit

=====
Prasad S. Dabak
Chief Software Architect
Ensim India Private Limited
http://www.ensim.com
Co-author of the book “Undocumented Windows NT”
ISBN 0764545698
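
A user-space C simulation of the behaviour described in Prasad's reply, added here as an example and not code from the thread or from REGMON: the service probes pointers only when previous mode is user, so a hook that re-enters through Zw has to validate the caller's pointers itself. All function names, the sample addresses and the 0x7FFF0000 limit (32-bit x86 with the default 2GB split) are assumptions for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* User-space simulation only; every name below is hypothetical. */
#define ST_SUCCESS          0x00000000u
#define ST_ACCESS_VIOLATION 0xC0000005u
/* Assumed: 32-bit x86, default 2GB user / 2GB kernel split. */
#define USER_PROBE_LIMIT    0x7FFF0000u

typedef enum { MODE_KERNEL, MODE_USER } prev_mode_t;

/* The whole buffer must lie below the limit, with no 32-bit wrap-around. */
int range_is_user(uint32_t addr, uint32_t len)
{
    uint32_t end = addr + len;
    return end >= addr && end <= USER_PROBE_LIMIT;
}

/* Model of the real service: it probes only when previous mode is user. */
uint32_t service_create_key(prev_mode_t prev, uint32_t name, uint32_t len)
{
    if (prev == MODE_USER && !range_is_user(name, len))
        return ST_ACCESS_VIOLATION;
    return ST_SUCCESS;
}

/* Chaining to the saved service pointer: previous mode is still user. */
uint32_t hook_chain_real(uint32_t name, uint32_t len)
{ return service_create_key(MODE_USER, name, len); }

/* Re-entering through Zw: previous mode is kernel, so nothing is probed. */
uint32_t hook_call_zw(uint32_t name, uint32_t len)
{ return service_create_key(MODE_KERNEL, name, len); }

/* Hardened hook: check the caller's pointer before taking the Zw path. */
uint32_t hook_call_zw_validated(uint32_t name, uint32_t len)
{
    if (!range_is_user(name, len))
        return ST_ACCESS_VIOLATION;
    return hook_call_zw(name, len);
}

int main(void)
{
    uint32_t kptr = 0x80501000u, uptr = 0x00130000u; /* constructed addresses */
    printf("chain, kernel ptr:  %08X\n", (unsigned)hook_chain_real(kptr, 64));
    printf("chain, user ptr:    %08X\n", (unsigned)hook_chain_real(uptr, 64));
    printf("zw, kernel ptr:     %08X\n", (unsigned)hook_call_zw(kptr, 64));
    printf("zw checked, kernel: %08X\n", (unsigned)hook_call_zw_validated(kptr, 64));
    return 0;
}
```

In a real driver the check would be followed by capturing the caller's data into a kernel buffer, so the value that was validated is the value that gets used.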
