hooking system service prb

Hi,
I have hooked the NtOpenFile call.
I just DbgPrint the name of the file being opened.
I have observed that whenever an EXE is opened
the NtOpenFile call is called twice or thrice (it
never goes above 3 times).
Any idea why this must be happening?

– Harshal



You are currently subscribed to ntdev as: $subst(‘Recip.EmailAddr’)
To unsubscribe send a blank email to leave-ntdev-$subst(‘Recip.MemberIDChar’)@lists.osr.com

Might this be because several handles are being opened
on the file because it is a Windows NE executable and
stores resources and other data in the exe itself?

That might explain 2 of the outstanding calls, but I
can’t think of a reason for the third.

As a test, you could try launching a DOS-only
executable and see if only 1 call to NtOpenFile is
made, whereas launching a Windows NE executable may
result in 2 (or 3) calls to NtOpenFile.

Kevin

— Rock wrote:
> Hi,
> I have hooked the NtOpenFile call.
> I just DbgPrint the name of the file being opened.
> I have observed that whenever an EXE is opened
> the NtOpenFile call is called twice or thrice (it
> never goes above 3 times).
> Any idea why this must be happening?
>
> – Harshal

=====
Save the whales. Feed the hungry. Free the mallocs
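
To run the test Kevin suggests, you first need to know which format a given .exe really is. The following is an added example, not code from either poster: it classifies an image as DOS-only, NE or PE from the MZ header, the `e_lfanew` offset at 0x3C and the signature found there (PE goes beyond what the thread mentions). The names `classify_exe`, `make_sample` and `exe_format` and the sample images are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical names for this example; LE/LX and other formats are not distinguished. */
typedef enum { FMT_NOT_MZ, FMT_DOS_ONLY, FMT_NE, FMT_PE } exe_format;

/* Classify an executable from the first `len` bytes of the file. */
exe_format classify_exe(const uint8_t *buf, size_t len)
{
    if (len < 2 || buf[0] != 'M' || buf[1] != 'Z')
        return FMT_NOT_MZ;
    if (len < 0x40)                      /* too short to hold e_lfanew */
        return FMT_DOS_ONLY;
    /* e_lfanew: little-endian offset of the "new" header, stored at 0x3C */
    uint32_t off = buf[0x3C] | (buf[0x3D] << 8) | (buf[0x3E] << 16)
                 | ((uint32_t)buf[0x3F] << 24);
    /* Bounds-check before dereferencing: plain DOS files may hold junk here */
    if (off < 0x40 || off >= len)
        return FMT_DOS_ONLY;
    size_t left = len - off;
    if (left >= 4 && memcmp(buf + off, "PE\0\0", 4) == 0)
        return FMT_PE;
    if (left >= 2 && memcmp(buf + off, "NE", 2) == 0)
        return FMT_NE;
    return FMT_DOS_ONLY;                 /* MZ stub with no recognised new header */
}

/* Build a constructed sample (len >= 0x40): MZ stub plus optional signature at `off`. */
void make_sample(uint8_t *buf, size_t len, uint32_t off, const char *sig, size_t siglen)
{
    memset(buf, 0, len);
    buf[0] = 'M'; buf[1] = 'Z';
    buf[0x3C] = off & 0xFF;         buf[0x3D] = (off >> 8) & 0xFF;
    buf[0x3E] = (off >> 16) & 0xFF; buf[0x3F] = (off >> 24) & 0xFF;
    if (siglen > 0 && off <= len && len - off >= siglen)
        memcpy(buf + off, sig, siglen);
}

int main(void)
{
    static const char *names[] = { "not MZ", "DOS-only", "NE", "PE" };
    uint8_t img[0x80];
    make_sample(img, sizeof img, 0x40, "NE", 2);
    printf("constructed NE sample:  %s\n", names[classify_exe(img, sizeof img)]);
    make_sample(img, sizeof img, 0, NULL, 0);
    printf("constructed DOS sample: %s\n", names[classify_exe(img, sizeof img)]);
    return 0;
}
```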
