How to directly call Nt* NATIVE API in Ring0?

Hi, who can tell me how I can use Nt* (like NtQuerySystemInformation) directly in ring0? With the same parameters Zw* works well, but Nt* returns a 0xc0000005 error!
Help me please… thanks a lot…



Hello,

Do you know the difference between the Nt and Zw prefixes?
This article explains it:
http://www.osronline.com/article.cfm?article=257

I don’t understand why you want to call the Nt variant from supervisor mode at all.

Just use the Zw variant and the kernel will usually skip the privilege and input validation.

When you directly call NtQuerySystemInformation in ring0, the previous mode
is often user mode, so ntoskrnl will check your params. If a parameter is an
address pointer, it must be under 2 GB, but in your driver it is larger than
2 GB, so it will return the 0xc0000005 error.
If you use ZwXXX, it will pass through KiSystemService to the actual NtXXX, so
its previous mode must be kernel mode and there is no input validation.
That is the reason why calling ZwXXX succeeds and calling NtXXX fails in
your driver.
You should call ZwXXX, not call NtXXX directly, in your driver.
danny
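
The previous-mode behaviour described in the reply above, as an added user-mode C model that is not part of the original thread and is not Windows source code. The names `model_NtQuery`, `model_ZwQuery`, `g_previous_mode` and `MODEL_USER_LIMIT` are hypothetical, the addresses are constructed, and the 2 GB boundary is the 32-bit split the post assumes.

```c
#include <stdint.h>
#include <stdio.h>

#define STATUS_SUCCESS          0x00000000u
#define STATUS_ACCESS_VIOLATION 0xC0000005u
#define MODEL_USER_LIMIT        0x80000000u  /* assumed 2 GB user/kernel split */

typedef enum { KernelMode = 0, UserMode = 1 } MODE;

/* Stands in for the per-thread previous-mode field. Assumption: the driver
   runs in the context of a thread that entered the kernel from user mode. */
static MODE g_previous_mode = UserMode;

/* Model of an Nt* service: buffers are probed only when the recorded
   previous mode is user mode. */
uint32_t model_NtQuery(uint32_t buffer_va, uint32_t length)
{
    if (g_previous_mode == UserMode) {
        uint64_t end = (uint64_t)buffer_va + length;  /* avoid 32-bit wrap */
        if (end > MODEL_USER_LIMIT)
            return STATUS_ACCESS_VIOLATION;           /* kernel pointer rejected */
    }
    return STATUS_SUCCESS;  /* the real query would run here */
}

/* Model of a Zw* stub: it re-enters through the system service dispatcher,
   which records KernelMode as previous mode for the duration of the call. */
uint32_t model_ZwQuery(uint32_t buffer_va, uint32_t length)
{
    MODE saved = g_previous_mode;
    g_previous_mode = KernelMode;
    uint32_t status = model_NtQuery(buffer_va, length);
    g_previous_mode = saved;                          /* restored on return */
    return status;
}

int main(void)
{
    uint32_t driver_buf = 0x8A001000u;  /* constructed kernel-space address */
    uint32_t user_buf   = 0x00401000u;  /* constructed user-space address */
    printf("Nt, driver buffer: 0x%08X\n", (unsigned)model_NtQuery(driver_buf, 0x100));
    printf("Zw, driver buffer: 0x%08X\n", (unsigned)model_ZwQuery(driver_buf, 0x100));
    printf("Nt, user buffer:   0x%08X\n", (unsigned)model_NtQuery(user_buf, 0x100));
    return 0;
}
```

Because the Zw path skips the probe, any pointer a driver forwards to a Zw* routine has to be one the driver itself has already validated.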