IrpTracker

Hello all,

To the OSR people:

IrpTracker is a good tool, but why doesn’t it work on Win2K?
Is it impossible to hook IofCallDriver & IofCompleteRequest on
this system?

Please clarify this issue for me …

Best regards
Ivona Prenosilova



It’s definitely not impossible, but the method that we use on XP and
Server 2003 does not work on Win2K. Because of this and other reasons, we
decided to specifically target only XP and later systems.

-scott


Scott Noone
Software Engineer
OSR Open Systems Resources, Inc.
http://www.osronline.com


Hello Scott,

Monday, September 22, 2003, 3:00:40 PM, you wrote:

SN> It’s definitely not impossible, but the method that we use on XP and
SN> Server 2003 does not work on Win2K.
On Win2K it is jmp dword ptr [xxxx], which doesn’t differ so much from mov
eax, dword ptr [xxxx], I think (so this path could be used).
anyway

SN> Because of this and other reasons, we
SN> decided to specifically target only XP and later systems.
I don’t want to be impatient, but could you please (if it is
possible) specify the other reasons? Because I don’t see any
incompatibility issues in hooking those two functions and then logging
the IRPs going through. Personally I don’t need Verifier support, if that’s
the problem, but I would like to have a Win2K version of this. So if
I’m going to write one, I would like to know about these reasons to be
able to possibly circumvent them; if it is not possible, then to know
not to waste my time …


Best regards,
Ivona Prenosilova

Ivona,

You don’t get what Scott is saying: with WinXP and Win2k3 there are new
mechanisms to do this without the patch hack; these are not there for Win2k.

Don Burn (MVP, Windows DDK)
Windows 2k/XP/2k3 Filesystem and Driver Consulting


Hello Don,

Tuesday, September 23, 2003, 3:37:32 PM, you wrote:

DB> Ivona,

DB> You don’t get what Scott is saying, with WinXP and Win2k3 there are new
DB> mechanisms
DB> to do this without the patch hack, these are not there for Win2k.
Please don’t answer things you don’t have any idea about. The patch is
there, in the code, so what are those new mechanisms WinXP and Win2k3
are using instead of patching (that are not present on Win2K),
when IrpTracker uses patching and is for WinXP and Win2k3 only?


Best regards,
Ivona Prenosilova

There’s nothing built into the OS that lets us do this in a “nice”
way - we had to do some patching. Of course this patching is completely and
entirely OS specific and requires a LOT of special case code to handle
different versions. Looking at one of the Win2k SP’s it looks like it would
work, but I remember there being a build that it would not work in and
remember that the hooks are only the first problem to solve.

Anytime you go down this road of completely undocumented and OS specific
things you rush right into a maintainability nightmare, which is another one
of the major reasons for no Win2k support. Add Driver Verifier (or in one
case even the checked build!) and things get really hairy really quick.

-scott


Scott Noone
Software Engineer
OSR Open Systems Resources, Inc.
http://www.osronline.com


Ivona, I’m sorry, but you don’t get it right, and Don’s response was
pertinent. If you are really interested in how that util is built, take a look
at it with a system debugger. You’ll find interesting things.


To Scott:

SN> There’s nothing built into the OS that lets us do this in a “nice”
SN> way - we had to do some patching. Of course this patching is completely and
SN> entirely OS specific and requires a LOT of special case code to handle
SN> different versions. Looking at one of the Win2k SP’s it looks like it would
SN> work, but I remember there being a build that it would not work in and
SN> remember that the hooks are only the first problem to solve.
SN>
SN> Anytime you go down this road of completely undocumented and OS specific
SN> things you rush right into a maintainability nightmare, which is another one
SN> of the major reasons for no Win2k support. Add Driver Verifier (or in one
SN> case even the checked build!) and things get really hairy really quick.

OK, I now see the point. Thanks for answering.

Hello Dan,

Tuesday, September 23, 2003, 4:23:28 PM, you wrote:

> DB> You don’t get what Scott is saying, with WinXP and Win2k3 there
> DB> are new mechanisms
> DB> to do this without the patch hack, these are not there for Win2k.
Please read this sentence once again. If I can read well (and I don’t
have to, because my native language is not English), then the following
statement is there:

IrpTracker doesn’t work on Win2K because it uses undocumented features
present only on (WinXP and Win2k3)+ that allow it to hook these two
functions without patching.

I am saying that the “patch hack” is there, well, if you call patching
changing the address IofCallDriver and IofCompleteRequest are jumping to
(indirectly, using a variable, which gets changed).

This I call patching, and this can be done at least on the version of
Win2K I’m currently running. Scott suggested that there are builds
of Win2K without this, and I do trust him, and think that that is a good
argument to not support Win2K. The maintainability would really be a
nightmare. But since I want to do a one-purpose tool for my
development machine, this is irrelevant in my case.

DP> Ivona, I’m sorry, but you don’t get it right, and Don’s response was
DP> pertinent.
Well, because of the above, I don’t think Don’s response was
pertinent.

DP> If you are really interested in how that util is built, take a look
DP> at it with a system debugger. You’ll find interesting things.
I did my homework, I can assure you :) If you’re not seeing patching,
you’re probably running Driver Verifier, with which it also uses per-driver
import changing (AFAIK).


Best regards,
Ivona Prenosilova
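
The mechanism Ivona describes here and in her earlier reply (an exported stub that reaches the real routine through a pointer variable, mov eax, dword ptr [xxxx] on XP/2003 versus jmp dword ptr [xxxx] on Win2K, and a hook that simply changes that variable), as an added C example. This is not OSR's IrpTracker code and not code from anyone in this thread. The stub bytes, the slot addresses, the two driver records with their import entries, and the Verifier thunk are constructed for the demo; the Verifier part only models Ivona's remark that with Driver Verifier active the redirection happens per driver through the import table, so a hook on the shared pointer alone misses those drivers' IRPs. Real stubs differ between builds, which is exactly Scott's maintainability objection: the decoder refuses anything it does not recognise.

```c
/* Added example, not OSR's IrpTracker code. It models the hooking approach
 * discussed in this thread: the exported IofCallDriver stub reaches the real
 * implementation through a pointer variable, so a tracer (1) finds that
 * variable by decoding the stub's first instruction and (2) swaps it for a
 * logging trampoline. Stub bytes, addresses, driver records and the Verifier
 * thunk are constructed for the demo; real stubs differ between builds. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef enum { STUB_UNKNOWN = 0, STUB_MOV_EAX_MEM, STUB_JMP_MEM } stub_kind_t;

static uint32_t le32(const uint8_t *p) { return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24); }

/* Decode the first instruction of an x86 stub and report the absolute address
 * of the pointer slot it reads. A1 imm32 is "mov eax, dword ptr [imm32]" (the
 * XP/2003 shape from the thread); FF 25 imm32 is "jmp dword ptr [imm32]" (the
 * Win2K shape). Anything else is STUB_UNKNOWN and must not be patched. */
stub_kind_t find_indirection_slot(const uint8_t *code, size_t len, uint32_t *slot)
{
    if (len >= 5 && code[0] == 0xA1) {
        if (slot) *slot = le32(code + 1);
        return STUB_MOV_EAX_MEM;
    }
    if (len >= 6 && code[0] == 0xFF && code[1] == 0x25) {
        if (slot) *slot = le32(code + 2);
        return STUB_JMP_MEM;
    }
    return STUB_UNKNOWN;
}

/* Slot address, or 0 when the stub shape is not recognised. */
uint32_t slot_address(const uint8_t *code, size_t len)
{
    uint32_t slot = 0;
    return find_indirection_slot(code, len, &slot) == STUB_UNKNOWN ? 0 : slot;
}

/* Constructed sample stubs; imm32 is little-endian. */
const uint8_t xp_stub[]  = { 0xA1, 0x78, 0x56, 0x34, 0x80, 0xFF, 0xE0 }; /* mov eax,[80345678h]; jmp eax */
const uint8_t w2k_stub[] = { 0xFF, 0x25, 0x7C, 0x56, 0x34, 0x80 };       /* jmp dword ptr [8034567Ch] */
const uint8_t plain_prologue[] = { 0x8B, 0xFF, 0x55, 0x8B, 0xEC };       /* mov edi,edi; push ebp; mov ebp,esp */

/* Model of the indirection and of the pointer swap. */
typedef struct { int major_function; } irp_t;
typedef int (*call_driver_fn)(void *device, irp_t *irp);
static int real_call_driver(void *device, irp_t *irp) { (void)device; (void)irp; return 0; /* STATUS_SUCCESS */ }

/* The variable the exported stub jumps through: this is what gets patched. */
static call_driver_fn g_pIofCallDriver = real_call_driver;
static call_driver_fn g_saved_call_driver = NULL;
static int g_log_count = 0, g_last_major = -1;

static int logging_call_driver(void *device, irp_t *irp)
{
    g_log_count++;
    g_last_major = irp->major_function;
    return g_saved_call_driver(device, irp);   /* always forward to the original */
}

/* The exported entry as the model sees it: load the slot, jump through it. */
static int IofCallDriver_export(void *device, irp_t *irp) { return g_pIofCallDriver(device, irp); }
/* Model of a Driver Verifier thunk: a verified driver's import entry points
 * here instead of at the export, and this path never reads the slot, so a
 * hook on the slot alone never sees that driver's IRPs. */
static int verifier_call_driver(void *device, irp_t *irp) { return real_call_driver(device, irp); }

/* Per-driver import entry: what per-driver IAT patching would change instead. */
typedef struct { const char *name; call_driver_fn iat_IofCallDriver; } driver_t;
driver_t plain_driver    = { "plain.sys",    IofCallDriver_export };
driver_t verified_driver = { "verified.sys", verifier_call_driver };
int install_hook(void)
{
    if (g_saved_call_driver) return 0;         /* refuse to hook twice */
    g_saved_call_driver = g_pIofCallDriver;
    g_pIofCallDriver = logging_call_driver;
    return 1;
}
int remove_hook(void)
{
    if (!g_saved_call_driver) return 0;
    g_pIofCallDriver = g_saved_call_driver;
    g_saved_call_driver = NULL;
    return 1;
}
int hook_log_count(void)  { return g_log_count; }
int hook_last_major(void) { return g_last_major; }
/* A driver sending an IRP goes through its own import entry. */
int send_irp(driver_t *drv, int major_function)
{
    irp_t irp = { major_function };
    return drv->iat_IofCallDriver(NULL, &irp);
}

int main(void)
{
    install_hook();
    send_irp(&plain_driver, 3);     /* IRP_MJ_READ through the slot: logged */
    send_irp(&verified_driver, 3);  /* Verifier path bypasses the slot: missed */
    printf("w2k slot 0x%08x, logged %d IRP(s), last major %d\n",
           (unsigned)slot_address(w2k_stub, sizeof w2k_stub), hook_log_count(), hook_last_major());
    return remove_hook() ? 0 : 1;
}
```

Build with any C compiler (cc -Wall hook_model.c) and run it; it needs no kernel. The two things worth taking from it are the refusal path in find_indirection_slot, which is where a per-build special case would go in a real tool, and the second send_irp, which shows why a tracer that only swaps the shared pointer undercounts as soon as Driver Verifier is active.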

Hi, Ivona,

You can try our WDMSniffer program, it’s a free download from the Compuware
web site at

http://frontline.compuware.com/nashua/patches/utility.htm

Hope this helps!

Alberto.


> > but since i want to do a one purpose tool for my
> > development machine, then this is irrelevant in my case.

Yeah, you’re right, it can be done.
http://www.ntkernel.com/utilities/devfilter.shtml

See if this meets your expectations; it is pretty cheap to get a
registered version. It supports all Windows builds up to date, IIRC.

Dan


Ivona,

> i did my homework, i can assure you

Guess it was time to get this reply from someone :P

Dan
