How to get the kernel address of PspTerminateProcess and ObpFreeObject?

Hello,
I want to call PspTerminateProcess and ObpFreeObject in my driver, but
these two APIs are unexported. How can I call them?



Thankfully you cannot, since both of them are internal and require a lot of
careful support. All you will do with these calls is crash the system,
but then all the questions you have asked in the past seem to have that
goal.


Don Burn (MVP, Windows DDK)
Windows 2k/XP/2k3 Filesystem and Driver Consulting
Website: http://www.windrvr.com
Blog: http://msmvps.com/blogs/WinDrvr
Remove StopSpam to reply


Thanks. Now I have got the addresses of those two APIs for some Windows XP SP2 build versions, and it works well, but now I have no unified method to get the addresses for other Windows build versions. I do not want to get the APIs' addresses for each build version, so I ask this question. If I get the addresses of those APIs, I promise I can make Windows work well. Who can help me?

There is absolutely no viable reason to get these calls. Calling
PspTerminateProcess will leave junk around and cause serious problems; you
typically should not be terminating a process from a driver, but if you
need to do so, ZwTerminateProcess is at least semi-documented. Calling
ObpFreeObject is worse than stupid: if you want to free an object,
dereference it if you have a reference and let the OS do the cleanup; if
you do not have a reference, dereferencing it or calling ObpFreeObject are
just ways to crash the system.


Don Burn (MVP, Windows DDK)
Windows 2k/XP/2k3 Filesystem and Driver Consulting
Website: http://www.windrvr.com
Blog: http://msmvps.com/blogs/WinDrvr
Remove StopSpam to reply


At least sharkmouse aka marian shark could change his/her email address and
name, just to make this a bit more interesting.


I recently analyzed a crash dump (0x7e, 0xc0000005) from one of our internal
servers where the stack looked like:

f78cad68 80932cce 8089db40 00000001 8659c020 nt!ObpRemoveObjectRoutine+0xca
f78cad80 8087f925 00000000 00000000 8659c020 nt!ObpProcessRemoveObjectQueue+0x36
f78cadac 80948bb2 00000000 00000000 00000000 nt!ExpWorkerThread+0xeb
f78caddc 8088d4d2 8087f83a 00000000 00000000 nt!PspSystemThreadStartup+0x2e
00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x16

The object being deleted (8089db40) is KiInitialProcess, which is not an
actual object manager object, it’s an EPROCESS structure built into the
kernel.

I wonder if we somehow picked up shark mouse’s virus.

- Dan.


Questions? First check the Kernel Driver FAQ at
http://www.osronline.com/article.cfm?id=256

To unsubscribe, visit the List Server section of OSR Online at
http://www.osronline.com/page.cfm?name=ListServer

"object" (8089db40) is the object's body, i.e. the real object address is
(8089db40-0x18) for XP SP2.
What does "!object 0x8089DB28" say now?

Petr Kurtin


The object header is all zeroes.

- Dan.

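The two observations above (Petr's: the object body at 8089db40 has its OBJECT_HEADER 0x18 bytes before it on XP SP2, so the thing to inspect is 0x8089DB28; Dan's: that header is all zeroes, because KiInitialProcess is a built-in EPROCESS and not an object-manager allocation) can be turned into a small dump-triage script. The following is an added example written for this page, not code from the thread or from any of its posters. It parses the `kb` stack Dan quoted, pulls the object body from the ObpRemoveObjectRoutine frame, derives the header address, and checks a header dump for the signs of a real object. The 0x18 header size, the six-slot header layout, the 0x80000000 kernel boundary and the sample header bytes are assumptions for the 32-bit XP SP2 case, not values from the thread.

```python
"""Triage helper for the crash-dump discussion above (added example, not thread code).

Parses a WinDbg `kb` stack, finds the object body handed to
nt!ObpRemoveObjectRoutine, derives the OBJECT_HEADER address as Petr
describes (body - 0x18 on 32-bit XP SP2), and sanity-checks a header dump.
"""
import re
import struct

# Assumptions for this example (32-bit XP SP2; not values from the thread):
OBJECT_HEADER_SIZE_X86 = 0x18   # OBJECT_HEADER immediately precedes the object body
KERNEL_BASE_X86 = 0x80000000     # default 2 GB user/kernel split, no /3GB switch

# Constructed sample: the `kb` frames quoted in the thread, one frame per line.
SAMPLE_STACK = """\
f78cad68 80932cce 8089db40 00000001 8659c020 nt!ObpRemoveObjectRoutine+0xca
f78cad80 8087f925 00000000 00000000 8659c020 nt!ObpProcessRemoveObjectQueue+0x36
f78cadac 80948bb2 00000000 00000000 00000000 nt!ExpWorkerThread+0xeb
f78caddc 8088d4d2 8087f83a 00000000 00000000 nt!PspSystemThreadStartup+0x2e
00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x16
"""

# ChildEBP RetAddr Arg1 Arg2 Arg3 Symbol  (x86 `kb` layout)
FRAME_RE = re.compile(
    r"^(?P<childebp>[0-9a-f]{8})\s+(?P<retaddr>[0-9a-f]{8})\s+"
    r"(?P<a1>[0-9a-f]{8})\s+(?P<a2>[0-9a-f]{8})\s+(?P<a3>[0-9a-f]{8})\s+"
    r"(?P<symbol>\S+)$",
    re.IGNORECASE,
)


def parse_kb(text):
    """Return a list of {symbol, args} dicts, skipping lines that are not frames."""
    frames = []
    for line in text.splitlines():
        m = FRAME_RE.match(line.strip())
        if m:
            frames.append({
                "symbol": m.group("symbol"),
                "args": tuple(int(m.group(k), 16) for k in ("a1", "a2", "a3")),
            })
    return frames


def find_deleted_object(frames, routine="nt!ObpRemoveObjectRoutine"):
    """Object body passed as the first argument of the deletion routine, or None."""
    for frame in frames:
        if frame["symbol"].split("+", 1)[0] == routine:
            return frame["args"][0]
    return None


def header_address(body, header_size=OBJECT_HEADER_SIZE_X86):
    """OBJECT_HEADER lives immediately before the body (CONTAINING_RECORD)."""
    return body - header_size


def object_command(body):
    """The debugger command to inspect the header, as Petr suggests."""
    return "!object 0x%08X" % header_address(body)


# Assumed XP x86 OBJECT_HEADER layout for this example: PointerCount, HandleCount,
# Type, {NameInfoOffset, HandleInfoOffset, QuotaInfoOffset, Flags}, ObjectCreateInfo,
# SecurityDescriptor: six 32-bit slots, 0x18 bytes in total.
def parse_object_header(raw):
    if len(raw) != OBJECT_HEADER_SIZE_X86:
        raise ValueError("expected %d header bytes, got %d" % (OBJECT_HEADER_SIZE_X86, len(raw)))
    pointer_count, handle_count, type_ptr, packed, create_info, sd = struct.unpack("<llIIII", raw)
    return {
        "pointer_count": pointer_count,
        "handle_count": handle_count,
        "type": type_ptr,
        "name_info_offset": packed & 0xFF,
        "handle_info_offset": (packed >> 8) & 0xFF,
        "quota_info_offset": (packed >> 16) & 0xFF,
        "flags": (packed >> 24) & 0xFF,
        "object_create_info": create_info,
        "security_descriptor": sd,
    }


def header_looks_valid(header):
    """A real OB object has a Type pointer into kernel space and non-negative counts.

    An all-zero header, which is what Dan found in front of the built-in
    KiInitialProcess EPROCESS, fails this check: the structure was never
    allocated through the object manager, so something dereferenced or freed
    a pointer it never owned.
    """
    return (header["type"] >= KERNEL_BASE_X86
            and header["pointer_count"] >= 0
            and header["handle_count"] >= 0)


# Constructed sample headers: the all-zero one Dan reported, and a plausible
# one for a genuine object at the point of deletion (counts already at zero).
SAMPLE_HEADER_ZERO = bytes(OBJECT_HEADER_SIZE_X86)
SAMPLE_HEADER_OK = struct.pack("<llIIII", 0, 0, 0x8A5C1020, 0x00000000, 0, 0x8A5C1100)

if __name__ == "__main__":
    body = find_deleted_object(parse_kb(SAMPLE_STACK))
    print("deleted object body 0x%08X, header 0x%08X" % (body, header_address(body)))
    print("next:", object_command(body))
    print("all-zero header valid:", header_looks_valid(parse_object_header(SAMPLE_HEADER_ZERO)))
    print("sample header valid:  ", header_looks_valid(parse_object_header(SAMPLE_HEADER_OK)))
```

The Type check is the one that matters here: at deletion time the pointer and handle counts of a genuine object are legitimately zero, so an all-zero header is only distinguishable by the missing Type pointer, which is exactly what `!object 0x8089DB28` would have shown as garbage.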

Is this (Shark Marian) the same one who makes unreasonably silly posts
on Channel 9 about conspiracies involving BitLocker? If so, for someone
who purports to be paranoid, this dude desperately needs to work on his
“cover,” as presently it consists of making a spectacle of himself.

mm


Martin,

I don’t look at Channel 9, but I am assuming he is the same “Shark”
who in the past has on this forum asked:

  1. How to disable F8 “safe mode boot”
  2. How to prevent a disk being formatted (something about once his
    software was on a system never letting it be destroyed)
  3. Why hooking the PNP calls was crashing his machine (and I do mean
    hook)?
  4. How to hook IoCallDriver so he could reject calls even if he was
    not a filter in the stack?
  5. How to create a program or service that could not be terminated?

Most of those have one purpose in my mind - MALWARE.


Don Burn (MVP, Windows DDK)
Windows 2k/XP/2k3 Filesystem and Driver Consulting
Website: http://www.windrvr.com
Blog: http://msmvps.com/blogs/WinDrvr
Remove StopSpam to reply


Don:

Thanks. I only looked at Channel 9 once, but I have to wonder if it is
the same guy. I would have to call his question one of, if not the, most
blatantly transparent posts I've ever seen on this list, although (1) is
pretty nice. (3) is just sort of frightening. If you find yourself
bored one day, and are amused by the occasional conspiracy theory as I
am from time to time, search Channel 9 for "Shark_M AND BitLocker."
Just ridiculous.

mm


I have the problem with Channel 9 that, since there is no easy way to search
for data, the one time I looked, a while later I got a question in the area
of the Channel 9 presentation and beat my head against the wall trying to
find the answer again. I wrote a blog posting on Channel 9:
http://msmvps.com/blogs/windrvr/archive/2007/03/01/tuning-channel-9.aspx


Don Burn (MVP, Windows DDK)
Windows 2k/XP/2k3 Filesystem and Driver Consulting
Website: http://www.windrvr.com
Blog: http://msmvps.com/blogs/WinDrvr
Remove StopSpam to reply

“Martin O’Brien” wrote in message
news:xxxxx@ntdev…
> Don:
>
> Thanks. I only looked at Channel 9 once, but I have to wonder if it is
> the same guy. I would have to call his question one of if not the most
> blatantly transparent posts I’ve ever seen on this list, although (1) is
> pretty nice. (3) is just sort of frightening. If you find yourself
> bored one day, and are amused by the occasional conspiracy theory as I
> am from time to time, search Channel 9 for “Shark_M AND BitLocker.”
> Just ridiculous.
>
> mm
>
>
>
>>>> xxxxx@acm.org 2007-04-17 10:08 >>>
> Martin,
>
> I don’t look at Channel 9, but I am assuming he is the same
> “Shark”
> who in the past has on this forum asked:
>
> 1. How to disable F8 “safe mode boot”
> 2. How to prevent a disk being formatted (something about once his
>    software was on a system never letting it be destroyed)
> 3. Why hooking the PNP calls was crashing his machine (and I do mean
>    hook)?
> 4. How to hook IoCallDriver so he could reject calls even if he was
>    not a filter in the stack?
> 5. How to create a program or service that could not be terminated?
>
> Most of those have one purpose in my mind - MALWARE.
>
>
> –
> Don Burn (MVP, Windows DDK)
> Windows 2k/XP/2k3 Filesystem and Driver Consulting
> Website: http://www.windrvr.com
> Blog: http://msmvps.com/blogs/WinDrvr
> Remove StopSpam to reply
>
> “Martin O’Brien” wrote in message
> news:xxxxx@ntdev…
>> Is this (Shark Marian) the same one who makes unreasonably silly posts
>> on Channel 9 about conspiracies involving BitLocker? If so, for someone
>> who purports to be paranoid, this dude desperately needs to work on his
>> “cover,” as presently it consists of making a spectacle of himself.
>>
>> mm
>>
>>>>> xxxxx@privtek.com 2007-04-17 09:14 >>>
>> The object header is all zeroes.
>>
>> - Dan.
>>
>> -----Original Message-----
>> From: xxxxx@lists.osr.com
>> [mailto:xxxxx@lists.osr.com] On Behalf Of Petr Kurtin
>> Sent: Tuesday, April 17, 2007 2:56 AM
>> To: Windows System Software Devs Interest List
>> Subject: Re:[ntdev] How to get the kenel address of
> PspTerminateProcess
>> and
>> ObpFreeObject?
>>
>>
>> “object” (8089db40) is object’s body, i.e. real object address is
>> (8089db40-0x18) for XP SP2
>> what does “!object 0x8089DB28” say now?
>>
>> Petr Kurtin
>>
>> “Dan Kyler” wrote in message
> news:xxxxx@ntdev…
>>> I recently analyzed a crash dump (0x7e, 0xc0000005) from one of our
>>> internal servers where the stack looked like:
>>>
>>> f78cad68 80932cce 8089db40 00000001 8659c020 nt!ObpRemoveObjectRoutine+0xca
>>> f78cad80 8087f925 00000000 00000000 8659c020 nt!ObpProcessRemoveObjectQueue+0x36
>>> f78cadac 80948bb2 00000000 00000000 00000000 nt!ExpWorkerThread+0xeb
>>> f78caddc 8088d4d2 8087f83a 00000000 00000000 nt!PspSystemThreadStartup+0x2e
>>> 00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x16
>>>
>>> The object being deleted (8089db40) is KiInitialProcess, which is not
>>> an actual object manager object, it’s an EPROCESS structure built into
>>> the kernel.
>>>
>>> I wonder if we somehow picked up shark mouse’s virus.
>>>
>>> - Dan.
>>>
>>> -----Original Message-----
>>> From: xxxxx@lists.osr.com
>>> [mailto:xxxxx@lists.osr.com] On Behalf Of Mark Roddy
>>> Sent: Sunday, April 15, 2007 10:07 AM
>>> To: Windows System Software Devs Interest List
>>> Subject: RE: [ntdev] How to get the kenel address of
>>> PspTerminateProcess
>>> and
>>> ObpFreeObject?
>>>
>>>
>>> At least sharkmouse aka marian shark could change his/her email
>>> address
>>> and
>>> name, just to make this a bit more interesting.
>>>
>>>> -----Original Message-----
>>>> From: xxxxx@lists.osr.com [mailto:bounce-283619-
>>>> xxxxx@lists.osr.com] On Behalf Of Don Burn
>>>> Sent: Sunday, April 15, 2007 9:48 AM
>>>> To: Windows System Software Devs Interest List
>>>> Subject: Re:[ntdev] How to get the kenel address of
>>>> PspTerminateProcess and ObpFreeObject?
>>>>
>>>> There is absolutely no viable reason to get these calls. Calling
>>>> PspTerminateProcess will leave junk around and cause serious
>>>> problems, you typically should not be terminating a process from a
>>>> driver, but if you need to do so ZwTerminateProcess is at least
>>>> semi-documented. Calling ObpFreeObject is worse than stupid, if you
>>>> want to free an object dereference it if you have a reference and let
>>>> the OS do the cleanup, if you do not have a reference dereferencing it
>>>> or calling ObpFreeObject are just ways to crash the system.
>>>>
>>>>
>>>> –
>>>> Don Burn (MVP, Windows DDK)
>>>> Windows 2k/XP/2k3 Filesystem and Driver Consulting
>>>> Website: http://www.windrvr.com
>>>> Blog: http://msmvps.com/blogs/WinDrvr
>>>> Remove StopSpam to reply
>>>>
>>>> wrote in message news:xxxxx@ntdev…
>>>> > thanks,now i have get some windows xp sp2 build version’s address
>>>> > of those two apis,and works well,and now i have no union method to
>>>> > get the address of others windows build version,i do not want to get
>>>> > each build version of the apis address,so i ask this question,if i
>>>> > get the address of those apis,i promise can get the windows work
>>>> > well,who i help me?
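The exchange quoted above between Petr Kurtin and Dan Kyler (the object body at 8089db40, its header at 8089db40-0x18 on XP SP2, and that header turning out to be all zeroes) is the standard way to tell whether a pointer the object manager is about to free really belongs to an object it created. The following is an added example and not code from this thread: it reproduces that check in plain user-mode C on constructed in-memory samples. The OBJECT_HEADER field layout is the 32-bit Windows XP one, written with fixed-width types so that Body lands at offset 0x18 on any host; the Type value and both sample objects are constructed for the example, and nothing here touches a real kernel.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * OBJECT_HEADER as laid out by 32-bit Windows XP, written with fixed-width
 * types so that the layout is identical on any host compiler.  Every object
 * the object manager creates (EPROCESS, FILE_OBJECT, ...) is preceded by this
 * header, and the pointer kernel code passes around is the Body, which is
 * why "body - 0x18" is the header address in the debugger session above.
 */
typedef struct _OBJECT_HEADER_X86 {
    int32_t  PointerCount;        /* +0x00  ObReferenceObject count       */
    int32_t  HandleCount;         /* +0x04  open handles                  */
    uint32_t Type;                /* +0x08  POBJECT_TYPE (32-bit pointer) */
    uint8_t  NameInfoOffset;      /* +0x0c                                */
    uint8_t  HandleInfoOffset;    /* +0x0d                                */
    uint8_t  QuotaInfoOffset;     /* +0x0e                                */
    uint8_t  Flags;               /* +0x0f                                */
    uint32_t ObjectCreateInfo;    /* +0x10  PVOID                         */
    uint32_t SecurityDescriptor;  /* +0x14  PVOID                         */
    uint64_t Body;                /* +0x18  first quadword of the object  */
} OBJECT_HEADER_X86;

#define OB_HEADER_SIZE ((uint32_t)offsetof(OBJECT_HEADER_X86, Body))

/* The debugger arithmetic: 32-bit body VA -> 32-bit header VA. */
static uint32_t header_va_from_body_va(uint32_t body_va)
{
    return body_va - OB_HEADER_SIZE;
}

/* The same step on a live pointer, what CONTAINING_RECORD does in the kernel. */
static OBJECT_HEADER_X86 *object_to_header(void *body)
{
    return (OBJECT_HEADER_X86 *)((uint8_t *)body - OB_HEADER_SIZE);
}

/*
 * Dan Kyler's check: a live object-manager object never has an all-zero
 * header (Type is a non-NULL pointer and PointerCount is positive while it
 * is alive).  An all-zero header in front of the "object" means the memory
 * was never allocated through ObCreateObject, e.g. a statically built
 * EPROCESS such as KiInitialProcess, and dereferencing it corrupts the system.
 */
static int header_is_all_zero(const OBJECT_HEADER_X86 *hdr)
{
    const uint8_t *p = (const uint8_t *)hdr;
    for (uint32_t i = 0; i < OB_HEADER_SIZE; i++) {
        if (p[i] != 0)
            return 0;
    }
    return 1;
}

/* 1 if the memory in front of this body looks like a valid OBJECT_HEADER. */
static int looks_like_ob_object(void *body)
{
    const OBJECT_HEADER_X86 *hdr = object_to_header(body);
    if (header_is_all_zero(hdr))
        return 0;
    return hdr->Type != 0 && hdr->PointerCount > 0;
}

/* Constructed samples (the union keeps the fake header 8-byte aligned). */
typedef union {
    OBJECT_HEADER_X86 hdr;
    uint8_t raw[0x18 + 0x40];     /* header followed by 0x40 bytes of "body" */
} SAMPLE_OBJECT;

static SAMPLE_OBJECT g_ob_object;       /* created "by the object manager"      */
static SAMPLE_OBJECT g_builtin_object;  /* zeroes in front, like KiInitialProcess */

/* Body pointer of a constructed object that carries a plausible header. */
static void *sample_ob_body(void)
{
    memset(&g_ob_object, 0, sizeof g_ob_object);
    g_ob_object.hdr.PointerCount = 1;
    g_ob_object.hdr.HandleCount  = 1;
    g_ob_object.hdr.Type         = 0x8a5d9c18u;   /* constructed fake POBJECT_TYPE */
    return g_ob_object.raw + OB_HEADER_SIZE;
}

/* Body pointer of a constructed object with nothing but zeroes in front of it. */
static void *sample_builtin_body(void)
{
    memset(&g_builtin_object, 0, sizeof g_builtin_object);
    return g_builtin_object.raw + OB_HEADER_SIZE;
}

int main(void)
{
    printf("offset of Body in OBJECT_HEADER (XP x86) = 0x%x\n", OB_HEADER_SIZE);
    printf("body 0x8089db40 -> header 0x%08x\n", header_va_from_body_va(0x8089db40u));
    printf("ob-created sample looks like an object: %d\n",
           looks_like_ob_object(sample_ob_body()));
    printf("built-in sample looks like an object:   %d\n",
           looks_like_ob_object(sample_builtin_body()));
    return 0;
}
```

The all-zero test is exactly Dan's observation: KiInitialProcess is an EPROCESS built into the kernel image with no OBJECT_HEADER in front of it, so there is nothing valid at 8089db28 for ObpRemoveObjectRoutine to work with. The fault is with whoever dereferenced (or freed) an object they never held a reference on, which is Don's warning about ObpFreeObject in practice.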

Yeah, I don’t use it either. I just found myself there one time after
googling for something that I don’t recall. In any case, something like
five of the most recent posts were by a certain “Shark_M,” and the
subjects were along the lines of BitLocker being part of a government
conspiracy, … The usual stuff and probably the only thing that
self-absorbed people take away from Schneier’s superb book. I just read
your post. I would certainly agree with your point about lack of an
index. I can’t say that I knew who Rob Short was, so I read the little
blurb, and it sounds very interesting. As I’m having a little trouble
getting going this morning, I think I’ll watch it, assuming it is still
there.

Thanks,

mm


> Is this (Shark Marian) the same one who makes unreasonably silly posts
> on Channel 9 about conspiracies involving BitLocker? If so, for someone
> who purports to be paranoid, this dude desperately needs to work on his
> “cover,” as presently it consists of making a spectacle of himself.

Actually, I found only one thread with his posts (https://channel9.msdn.com/Showpost.aspx?postid=214558), and, to be honest, I did not notice anything either “unreasonably silly” or “paranoid” in them. In fact, the only reason why I would ignore his posts is just because he says something that must be obvious to any more or less reasonable person anyway, so that there is not that much to discuss here…

Governments don’t even deny that they want to be able to learn anyone’s private secrets if they decide that they want to - after all, the *OFFICIAL* restrictions on sale of encryption products to individuals can be found practically in any country in this or that form. It is understandable that, apart from the official rules, governments may unofficially “advise” the companies that operate in their countries to do things this or that way. Once companies that provide encryption software apparently think of the government agencies as their “best customers”, it would be at least naive to expect them to ignore the government’s “advice”. The story with Chinese dissidents is additional proof of the fact that MSFT is more than willing to comply with requests of the government of any country it operates in, and, to be honest, I don’t see anything particularly wrong with such attitudes, at least from the business perspective - after all, losing a lucrative market solely “on the moral grounds” is not a very businesslike approach, no matter how repulsive it sounds…

In other words, I don’t know how you managed to see any “conspiracy theory” here - everything is so plainly obvious that it does not even need to be discussed.

Certainly, if you think that BitLocker provides an encryption scheme that cannot be broken in a matter of minutes by an “authorized” person… well, then keep on thinking this way - what else can I say in such a case…

Anton Bassov

Yes. My point was that everyone knows this, so it seems awfully silly
to me to make a big deal about it.

They are unlikely to be the same shark, based on the way they wrote.

Calvin Guan
Broadcom Corporation
Connecting Everything(r)
