Help regarding win32k.sys driver.

I break into the system and do “!drivers”. I see the following line for
win32k.sys:

a0000000 0 ( 0 k) 0 ( 0 k) win32k.sys unavailable.

Why is the win32k.sys driver paged out? In this context I was trying to
access the Win32 service table which I retrieved from
KeServiceDescriptorTableShadow. This causes a BSOD.

If I put a breakpoint on, say, ZwReadFile and press the Windows key or any key,
the system breaks in the context of csrss.exe and win32k.sys, and the service
table is accessible at this point.

Now, is there any way to force the system to page in the win32k.sys driver? Any
ideas?

NT Gurus please provide your comments.

Thanks,
Srin.

As a guess I would say you are attempting to do some undocumented magic. I
find no mention of KeServiceDescriptorTable or
KeServiceDescriptorTableShadow in the NT4, XP, or 2000 DDK. I do find it
when I do “dd KeServiceDescriptorTable” within WinDbg.


Gary G. Little
xxxxx@broadstor.com
xxxxx@inland.net

wrote in message news:xxxxx@ntdev…
>
> I break into the system and do “!drivers”. I see the following line for
> win32k.sys:
>
> a0000000 0 ( 0 k) 0 ( 0 k) win32k.sys unavailable.
>
> Why is the win32k.sys driver paged out? In this context I was trying to
> access the Win32 service table which I retrieved from
> KeServiceDescriptorTableShadow. This causes a BSOD.
>
> If I put a breakpoint on, say, ZwReadFile and press the Windows key or any key,
> the system breaks in the context of csrss.exe and win32k.sys, and the service
> table is accessible at this point.
>
> Now, is there any way to force the system to page in the win32k.sys driver? Any
> ideas?
>
> NT Gurus please provide your comments.
>
> Thanks,
> Srin.
>

Yes, trying to patch the Win32 service table from the System process context.

-Srin.

-----Original Message-----
From: Gary G. Little [mailto:xxxxx@broadstor.com]
Sent: Wednesday, May 15, 2002 5:34 PM
To: NT Developers Interest List
Subject: [ntdev] Re: Help regarding win32k.sys driver.

As a guess I would say you are attempting to do some undocumented magic. I
find no mention of KeServiceDescriptorTable or
KeServiceDescriptorTableShadow in the NT4, XP, or 2000 DDK. I do find it
when I do “dd KeServiceDescriptorTable” within WinDbg.


Gary G. Little
xxxxx@broadstor.com
xxxxx@inland.net



You are currently subscribed to ntdev as: xxxxx@nai.com
To unsubscribe send a blank email to %%email.unsub%%

And just why do you want to mess with something you ain’t supposed to be
messing with?


Gary G. Little
xxxxx@broadstor.com
xxxxx@inland.net

wrote in message news:xxxxx@ntdev…
>
> Yes, trying to patch the Win32 service table from the System process context.
>
> -Srin.
>
> -----Original Message-----
> From: Gary G. Little [mailto:xxxxx@broadstor.com]
> Sent: Wednesday, May 15, 2002 5:34 PM
> To: NT Developers Interest List
> Subject: [ntdev] Re: Help regarding win32k.sys driver.
>
>
> As a guess I would say you are attempting to do some undocumented magic. I
> find no mention of KeServiceDescriptorTable or
> KeServiceDescriptorTableShadow in the NT4, XP, or 2000 DDK. I do find it
> when I do “dd KeServiceDescriptorTable” within WinDbg.
>
> –
> Gary G. Little
> xxxxx@broadstor.com
> xxxxx@inland.net
>

Hahahhahahaha,

Gary, with all due respect to you and your contribution to this list, are you trying to start another holy war on what’s allowed and what is not while coding for the NT kernel? Do you really think that this kind of answer is beneficial to anything other than flames and futile discussions?

Sheet Dan … another JIHAD was not my intention. I had NO idea what the person was attempting. None of my DDKs talk about a KeServiceDescriptorXxxx-anything, neither is it referenced in any of my texts. The only way that I did find it was using WinDbg to display memory. Asking why was simply an attempt to broaden the scope to prevent a possible bad way of doing things. How many times has a question been posed about directly accessing the BIOS? The typical answer is to write your own HAL — because that is a foolish approach to something that in almost all cases is already provided by the OS, IF it is known what the seeker is seeking.

Directly accessing an undocumented OS structure is NOT for the faint of heart, definitely not for the novice, and very possibly need not be done, given that the list knows what the seeker is truly seeking.

I stand by my response. :-)


Gary G. Little
xxxxx@broadstor.com
xxxxx@inland.net

“Dan Partelly” wrote in message news:xxxxx@ntdev…
Hahahhahahaha,

Gary, with all due respect to you and your contribution to this list, are you trying to start another holy war on what’s allowed and what is not while coding for the NT kernel? Do you really think that this kind of answer is beneficial to anything other than flames and futile discussions?

Gary, I certainly stand by you in this one.

Yet I really could not hold myself back … I truly found it funny, you’ll forgive me. However, the original poster should reverse engineer KeAddSystemServiceTable to see where win32k.sys registers its “system service” table. As for what he will use it for (or how), that is his problem. Or at least I see it this way.

Regards, Dan