hooking and getting caller context

Hello ntdev,

I’m new to this list, and driver development.

I hooked ZwCreateFile in the ServiceDescriptorTable.
But is it now possible to get the thread context of the user-mode
program which called ZwCreateFile?

This is a copy from ZwCreateFile.ntdll:
7C90EB8B >/$ 8BD4 MOV EDX,ESP
7C90EB8D |. 0F34 SYSENTER
7C90EB8F |. 90 NOP
7C90EB90 |. 90 NOP
7C90EB91 |. 90 NOP
7C90EB92 |. 90 NOP
7C90EB93 |. 90 NOP
7C90EB94 >$ C3 RETN

Is it possible to get exactly all registers before SYSENTER gets called,
i.e. the thread context?

Can anybody please give me a hint?

best regards

Hooking is bad, bad, bad. Most likely you would be able to solve your
problem in another, safer, documented way.
Yes, it is possible to get the user mode CPU context of the calling thread.
But what do you want to accomplish ?

Dan

----- Original Message -----
From: “Sellmer Stefan”
To: “Windows System Software Devs Interest List”
Sent: Friday, December 24, 2004 3:03 PM
Subject: [ntdev] hooking and getting caller context

> Hello ntdev,
>
> I’m new to this list, and driver development.
>
> I hooked ZwCreateFile in the ServiceDescriptorTable.
> But is it now possible to get the thread context of the user-mode
> program which called ZwCreateFile?
>
>
> This is a copy from ZwCreateFile.ntdll:
> 7C90EB8B >/$ 8BD4 MOV EDX,ESP
> 7C90EB8D |. 0F34 SYSENTER
> 7C90EB8F |. 90 NOP
> 7C90EB90 |. 90 NOP
> 7C90EB91 |. 90 NOP
> 7C90EB92 |. 90 NOP
> 7C90EB93 |. 90 NOP
> 7C90EB94 >$ C3 RETN
>
> Is it possible to get exactly all registers before SYSENTER gets called,
> i.e. the thread context?
>
> Can anybody please give me a hint?
>
> best regards
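Added example, not part of the thread and not code from either poster: a user-mode C model of what an SSDT hook on 32-bit Windows XP can learn about its user-mode caller. Dan's answer that the user CPU context is recoverable rests on the KTRAP_FRAME the SYSENTER entry path builds on the kernel stack, and on the user stack whose address the stub copied into EDX (the MOV EDX,ESP in the listing). The struct below is the x86 KTRAP_FRAME layout from ntddk.h; every address and value in the sample is constructed, and the sample syscall number 0x25 is the XP value for NtCreateFile. How a driver locates the live frame for the current thread is undocumented and version-specific and is deliberately not shown; the documented way to learn only the previous mode is ExGetPreviousMode().

```c
/* Added example (not from the original thread). Models the x86 XP
 * KTRAP_FRAME built for a SYSENTER system call and the caller's user
 * stack; all sample values are constructed. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef uint32_t ULONG;

/* x86 KTRAP_FRAME as declared in ntddk.h; field order defines the offsets. */
typedef struct _KTRAP_FRAME {
    ULONG DbgEbp, DbgEip, DbgArgMark, DbgArgPointer, TempSegCs, TempEsp;
    ULONG Dr0, Dr1, Dr2, Dr3, Dr6, Dr7;
    ULONG SegGs, SegEs, SegDs;
    ULONG Edx, Ecx, Eax;              /* Eax = system call number */
    ULONG PreviousPreviousMode;
    ULONG ExceptionList;              /* pointer-sized on the 32-bit build */
    ULONG SegFs, Edi, Esi, Ebx, Ebp, ErrCode;
    ULONG Eip, SegCs, EFlags;         /* pushed by the entry path */
    ULONG HardwareEsp, HardwareSegSs; /* only present for a user-mode caller */
    ULONG V86Es, V86Ds, V86Fs, V86Gs; /* only present for a V86-mode caller */
} KTRAP_FRAME;

typedef struct {
    ULONG syscall_number;   /* EAX at SYSENTER (0x25 = NtCreateFile on XP) */
    ULONG saved_eip;        /* where the kernel returns: KiFastSystemCallRet */
    ULONG user_esp;         /* ESP the stub copied into EDX */
    ULONG return_to_stub;   /* [ESP]   return into the Zw stub's RET 2Ch */
    ULONG return_to_caller; /* [ESP+4] return into the program's own code */
    ULONG first_arg;        /* [ESP+8] first argument (PHANDLE FileHandle) */
    int   from_user_mode;   /* RPL of the saved CS selector is 3 */
} CALLER_INFO;

/* Byte image of the caller's user stack plus its virtual address
 * (constructed stand-in for real user memory). */
typedef struct { ULONG base; const uint8_t *bytes; size_t len; } USER_STACK;

/* Stand-in for ProbeForRead inside __try/__except: a driver must never
 * dereference a user-mode pointer without that, because the user stack can
 * be unmapped or rewritten by another thread at any moment. */
static int read_user_dword(const USER_STACK *us, ULONG va, ULONG *out)
{
    if (va < us->base || (va & 3) || (size_t)(va - us->base) + 4 > us->len)
        return -1;
    const uint8_t *p = us->bytes + (va - us->base);
    *out = (ULONG)p[0] | (ULONG)p[1] << 8 | (ULONG)p[2] << 16 | (ULONG)p[3] << 24;
    return 0;
}

/* The saved CS gives the previous mode. For a kernel caller the CPU pushed
 * no SS:ESP, so HardwareEsp/HardwareSegSs must not be trusted. */
int previous_mode_is_user(const KTRAP_FRAME *tf) { return (tf->SegCs & 3) == 3; }

/* 0 on success, -1 for a kernel-mode caller, -2 if the user stack is unreadable. */
int recover_caller(const KTRAP_FRAME *tf, const USER_STACK *us, CALLER_INFO *ci)
{
    memset(ci, 0, sizeof *ci);
    ci->syscall_number = tf->Eax;
    ci->saved_eip      = tf->Eip;
    ci->from_user_mode = previous_mode_is_user(tf);
    if (!ci->from_user_mode)
        return -1;
    ci->user_esp = tf->HardwareEsp;
    /* The stub was reached by CALL, so [ESP] returns into the stub, [ESP+4]
     * into the real caller, and the arguments start at [ESP+8], which is
     * where the kernel copies them from. */
    if (read_user_dword(us, ci->user_esp,     &ci->return_to_stub)   ||
        read_user_dword(us, ci->user_esp + 4, &ci->return_to_caller) ||
        read_user_dword(us, ci->user_esp + 8, &ci->first_arg))
        return -2;
    return 0;
}

/* Constructed frame matching the listing in the thread (ntdll 5.1,
 * KiFastSystemCall at 7C90EB8B). seg_cs and esp are parameters so the
 * kernel-caller and unreadable-stack cases can be exercised too. */
int sample_case(ULONG seg_cs, ULONG esp, CALLER_INFO *ci)
{
    static const uint8_t stack_bytes[] = {
        0x92,0xD6,0x90,0x7C,  /* [ESP]   0x7C90D692 return into the stub (constructed) */
        0x34,0x12,0x40,0x00,  /* [ESP+4] 0x00401234 return into the caller (constructed) */
        0x40,0xFA,0x12,0x00,  /* [ESP+8] 0x0012FA40 &FileHandle (constructed) */
        0x9F,0x01,0x10,0x00,  /* [ESP+C] DesiredAccess (constructed) */
    };
    USER_STACK us = { 0x0012F9A0u, stack_bytes, sizeof stack_bytes };
    KTRAP_FRAME tf;
    memset(&tf, 0, sizeof tf);
    tf.Eax           = 0x25;        /* NtCreateFile on XP; varies by release */
    tf.Edx           = esp;         /* the stub's MOV EDX,ESP */
    tf.Eip           = 0x7C90EB94u; /* KiFastSystemCallRet: the RETN at 7C90EB94 */
    tf.SegCs         = seg_cs;      /* 0x1B = user code selector, 0x08 = kernel */
    tf.HardwareEsp   = esp;
    tf.HardwareSegSs = 0x23;        /* user data selector */
    return recover_caller(&tf, &us, ci);
}

int main(void)
{
    CALLER_INFO ci;
    if (sample_case(0x1B, 0x0012F9A0u, &ci) != 0)
        return 1;
    printf("syscall %#x from %s mode, caller ret %#010x, arg1 %#010x\n",
           (unsigned)ci.syscall_number, ci.from_user_mode ? "user" : "kernel",
           (unsigned)ci.return_to_caller, (unsigned)ci.first_arg);
    return 0;
}
```

The point a hook author usually wants is the return address at [ESP+4], which attributes the call to the user-mode code that invoked ZwCreateFile; the registers saved in the frame itself are only those the entry path pushes, so volatile registers the caller did not preserve are gone by the time the hook runs. As Dan says, any production driver should reach for the documented path (ExGetPreviousMode(), a file system filter) rather than this frame walk.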