Hooking (and understanding) win32k system calls

Hi,

I’m trying to build a Win32k profiler for GDI/User win32k system service calls - currently working with XP.

I’ve managed to write a driver which captures KeServiceDescriptorTableShadow and hooks into the NtUserCreateWindowEx function. I’ve been studying the values and I can’t understand something. The x and y values passed to this function sometimes have values such as 1565657, -2314354, etc. I don’t understand how to interpret these values… are they part of some coordinate system… is this a code error somehow?

Any tips on understanding the win32k and the system calls therein would be appreciated.

Bye for now

Incredibly long story short: look up the SSDT thread, and take a day off to read it.

I intentionally posted it because I knew it would cause a lot of fuss and an interesting reaction. I see these annoying SSDT topics raging all over the place.

Of course you don’t understand what they mean, and no one except MS software engineers/OS designers knows. Type a search query on the MS website for “NtUserCreateWindowEx”. At most you will see debug traces of this function being called at some point. This is not documented stuff. Not documented => not safe to use. Not safe to use => your driver might crash unexpectedly (BSOD). BSOD for no documented reason => useless work. The MS engineers even announced that they will in the future issue BugChecks to prevent SSDT hooking. How will you prevail over that?

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of
xxxxx@bom3.vsnl.net.in
Sent: Tuesday, September 23, 2008 5:51 PM
To: Windows System Software Devs Interest List
Subject: [ntdev] Hooking (and understanding) win32k system calls

NtUserCreateWindowEx does not have the (exactly) same prototype as CreateWindowEx, and the prototypes for the win32k system calls are not generally publicly well documented (that I have seen). Perhaps your reverse engineered prototype for it is not correct?

-S

> and the prototypes for the win32k system calls are not generally publicly well documented (that I have seen)

AFAIK, the only place where you can find some information about win32k.sys’s internals is Feng Yuan’s site (and his book “Windows Graphics Programming”, of course). Everything you find there is the result of his own research…

Anton Bassov