Just a side note here, not directly related to the initial point (Ralph’s
note):
In Windows XP, INT 2E is no longer used for handling system calls. Software
using this technique will not function properly in Windows XP. This is the
risk of relying upon such undocumented behavior - it changes from OS release
to OS release version.
Regards,
Tony
Tony Mason
Consulting Partner
OSR Open Systems Resources, Inc.
http://www.osr.com
-----Original Message-----
From: Prasad Dabak [mailto:xxxxx@yahoo.com]
Sent: Wednesday, November 28, 2001 8:49 AM
To: File Systems Developers
Subject: [ntfsd] Re: Monitoring Registry Changes
Hello,
Putting breakpoints on ZwCreateKey and ZwOpenKey will
not work. You need to put breakpoints on NtCreateKey
and NtOpenKey in NTOSKRNL.EXE. In kernel mode, Ntxx is
the actual implementation of the system service and Zwxx
is the system call wrapper which issues int 2eh.
The user mode applications call the system call wrappers
in NTDLL.DLL, and the system call handler (int 2eh handler)
ends up calling the Ntxx function in NTOSKRNL.EXE.
Hope this helps.
-Prasad
— Bartjan Wattel wrote:
> Take a look at
>
> http://www.sysinternals.com/ntw2k/source/regmon.shtml
> to see
> how you can monitor registry changes.
>
> –
> Bartjan.
>
> >My partner wrote a small WISE script (WISE is
> similar to InstallShield) to
> >create and modify some registry entries.
> >
> >Regedit indicates that the script is working. I
> can see the keys being
> >created.
> >
> >I use SoftIce to set a breakpoint on ZwCreateKey
> and ZwOpenKey. I don’t see
> >the change.
=====
Prasad S. Dabak
Chief Software Architect
Ensim India Private Limited
http://www.ensim.com
Co-author of the book “Undocumented Windows NT”
ISBN 0764545698
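The stubs Prasad and Tony describe, as an added example that is not code from this thread: a small C checker over constructed byte patterns that tells a Windows 2000-style NTDLL stub (`mov eax, N` followed by `int 2Eh`) from the Windows XP form (an indirect `call` through the SharedUserData system call pointer at 7FFE0300h, which lets the kernel choose SYSENTER or int 2Eh at boot) and reports anything else, such as a patched prefix, as unknown. The sample stubs and their service numbers (0x17, 0x29) are constructed placeholders, not real values from any build.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Dispatch mechanism found in the first bytes of a 32-bit NTDLL Ntxx/Zwxx stub. */
enum stub_kind {
    STUB_UNKNOWN = 0,
    STUB_INT2E,       /* NT4/2000: mov eax,N ; lea edx,[esp+4] ; int 2Eh */
    STUB_SHARED_CALL  /* XP: mov eax,N ; mov edx,7FFE0300h ; call [edx] */
};

/* Classify a stub and, if recognised and ssn is non-NULL, store its system service number
 * (the imm32 of "mov eax, N"). Any other prefix, e.g. a jmp from an inline hook, is STUB_UNKNOWN. */
enum stub_kind classify_stub(const uint8_t *p, size_t n, uint32_t *ssn)
{
    static const uint8_t int2e_tail[]  = { 0x8D, 0x54, 0x24, 0x04, 0xCD, 0x2E };
    static const uint8_t shared_tail[] = { 0xBA, 0x00, 0x03, 0xFE, 0x7F, 0xFF, 0x12 };
    enum stub_kind kind = STUB_UNKNOWN;
    if (n < 5 || p[0] != 0xB8)          /* B8 imm32 = mov eax, imm32 */
        return STUB_UNKNOWN;
    if (n >= 5 + sizeof int2e_tail && !memcmp(p + 5, int2e_tail, sizeof int2e_tail))
        kind = STUB_INT2E;
    else if (n >= 5 + sizeof shared_tail && !memcmp(p + 5, shared_tail, sizeof shared_tail))
        kind = STUB_SHARED_CALL;
    if (kind != STUB_UNKNOWN && ssn)
        *ssn = (uint32_t)p[1] | (uint32_t)p[2] << 8 | (uint32_t)p[3] << 16 | (uint32_t)p[4] << 24;
    return kind;
}

uint32_t stub_ssn(const uint8_t *p, size_t n)   /* service number, or UINT32_MAX if not recognised */
{
    uint32_t ssn = UINT32_MAX;
    classify_stub(p, n, &ssn);
    return ssn;
}

/* Constructed sample stubs; the service numbers 0x17 / 0x29 are placeholders, not real ones. */
static const uint8_t nt2000_stub[] = { 0xB8, 0x17, 0, 0, 0, 0x8D, 0x54, 0x24, 0x04, 0xCD, 0x2E, 0xC2, 0x1C, 0 };
static const uint8_t xp_stub[] = { 0xB8, 0x29, 0, 0, 0, 0xBA, 0x00, 0x03, 0xFE, 0x7F, 0xFF, 0x12, 0xC2, 0x1C, 0 };
static const uint8_t hooked_stub[] = { 0xE9, 0, 0x10, 0, 0, 0x8D, 0x54, 0x24, 0x04, 0xCD, 0x2E };  /* jmp rel32 */

int main(void)
{
    const char *names[] = { "not a plain stub (patched?)", "int 2Eh", "call [7FFE0300h]" };
    printf("NT4/2000: %s, SSN %#x\n", names[classify_stub(nt2000_stub, sizeof nt2000_stub, NULL)], stub_ssn(nt2000_stub, sizeof nt2000_stub));
    printf("XP:       %s, SSN %#x\n", names[classify_stub(xp_stub, sizeof xp_stub, NULL)], stub_ssn(xp_stub, sizeof xp_stub));
    printf("hooked:   %s\n", names[classify_stub(hooked_stub, sizeof hooked_stub, NULL)]);
    return 0;
}
```

The same check run against the real bytes of an exported Nt/Zw entry in a loaded NTDLL.DLL tells you which kernel entry a breakpoint on that stub will actually reach, and whether the prefix has been rewritten.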
Tony,
I agree with that. However, if applications are
sticking to calling the exported Ntxx/Zwxx native API
functions and not embedding direct int 2eh
instructions in their code, I don’t see any risk here.
The underlying implementation could be anything
(SYSENTER/int 2eh).
I have seen very few native APIs whose parameters have
changed from NT 4.0 -> Win 2000 -> Win XP. And even if
they change, Microsoft would also have to re-write
some of their applications, e.g. the Resource Kit tools
heavily rely on the native API.
Further, there are many things for which there is no
equivalent Win32 API. In this case, people don’t have
any choice but to use the native API.
-Prasad
> In Windows XP, INT 2E is no longer used for handling system calls
Maybe except Athlons.
IIRC SYSENTER is Intel-only thing.
Max