Ntxxx/Zwxxx monitor

Hi
Is there any program which monitors all Ntxxx/Zwxxx routines?
TIA

Bi Cờ Lao

----- Original Message -----
From: “pclouds”
To: “NT Developers Interest List”
Sent: Thursday, January 09, 2003 4:58 AM
Subject: [ntdev] Ntxxx/Zwxxx monitor

Not that I know of. I did one once for a commercial product; there are a
bunch of subtle things you have to watch out for, including that some calls
cannot handle having an extra stack frame between user mode and kernel!

Don Burn
Egenera, Inc.

Hello,

Actually, trapping those calls isn't as difficult as you may guess. The services exported by NTOSKRNL.EXE (like Zwxxx/Ntxxx) are callable from user mode through int 2Eh (in a manner similar to the old int 21h in MS-DOS) with the help of NTDLL.DLL. Int 2Eh is defined as an "interrupt gate", as described in Intel's i386 architecture documentation. Once user mode code executes that service, a processor mode change is issued and kernel mode code receives only two parameters:

EAX = Service code indicating the requested operation (for example, NtCreateFile is 0x20)
EDX = Pointer to the user mode stack (i.e. user mode ESP)

In the kernel, there is a table called the KeServiceDescriptorTable in which the system looks up the n-th entry and jumps to that address.

If you need more information, there are several books which deal with this subject.

Regards,

Jose Vicente.

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On behalf of Don Burn
Sent: Thursday, 09 January 2003 12:06
To: NT Developers Interest List
Subject: [ntdev] Re: Ntxxx/Zwxxx monitor

You are currently subscribed to ntdev as: xxxxx@secuware.com
To unsubscribe send a blank email to xxxxx@lists.osr.com
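
The int 2Eh path José describes, as an added example that is not part of the thread: a user-mode C model of the service number in EAX, the argument pointer in EDX, the table lookup in the kernel, and a Regmon-style pass-through hook installed by swapping one table entry. The table field names follow the well-known Win2K/XP KeServiceDescriptorTable layout; the service index 0x2B, the argument sizes and the behaviour of the sample service are constructed for the example and are not taken from any real build.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Added example, not code from the thread: a user-mode C model of the
 * int 2Eh path José describes (EAX = service number, EDX = caller's
 * argument block, table lookup in the kernel) plus a Regmon-style
 * pass-through hook. Field names follow the well-known Win2K/XP
 * KeServiceDescriptorTable layout; the service index, argument sizes
 * and the sample service's behaviour are constructed for the example. */

typedef int32_t NTSTATUS;
#define STATUS_SUCCESS                ((NTSTATUS)0x00000000)
#define STATUS_INVALID_PARAMETER      ((NTSTATUS)0xC000000D)
#define STATUS_INVALID_SYSTEM_SERVICE ((NTSTATUS)0xC000001C)

/* Model simplification: a service receives a copied argument array instead
 * of the stdcall frame the real dispatcher rebuilds on the kernel stack. */
typedef NTSTATUS (*SERVICE_FN)(const uintptr_t *args, unsigned nargs);

typedef struct {
    SERVICE_FN *ServiceTableBase;        /* handlers, indexed by EAX & 0xFFF */
    uint32_t   *ServiceCounterTableBase; /* per-service call counters */
    uint32_t    NumberOfServices;
    uint8_t    *ParamTableBase;          /* argument bytes to copy per service */
} SERVICE_DESCRIPTOR_TABLE;

#define NSERVICES          0x30
#define IDX_CREATE_SECTION 0x2B   /* constructed index for the sample service */
#define MAX_ARGS           16

static SERVICE_FN g_entries[NSERVICES];   /* NULL = no such service */
static uint32_t   g_counters[NSERVICES];
static uint8_t    g_params[NSERVICES];
static SERVICE_DESCRIPTOR_TABLE g_kst = { g_entries, g_counters, NSERVICES, g_params };

static SERVICE_FN g_orig_create_section;  /* saved original, used by the hook */
static unsigned   g_hook_hits;

/* Stand-in for the real service: a wrong argument count fails the way a
 * mismatched hook prototype would; otherwise fill the out-parameter. */
static NTSTATUS sample_create_section(const uintptr_t *args, unsigned nargs)
{
    if (nargs != 7 || args[0] == 0) return STATUS_INVALID_PARAMETER;
    *(uintptr_t *)args[0] = 0x44;         /* fake SectionHandle */
    return STATUS_SUCCESS;
}

/* Monitor hook: record the call, then pass it through untouched. */
static NTSTATUS hook_create_section(const uintptr_t *args, unsigned nargs)
{
    g_hook_hits++;
    return g_orig_create_section(args, nargs);
}

void init_table(void)
{
    g_entries[IDX_CREATE_SECTION] = sample_create_section;
    g_params[IDX_CREATE_SECTION]  = 7 * sizeof(uintptr_t);
}

/* The trap handler's job: validate EAX, copy the argument block from the
 * user stack (the real kernel probes those addresses), call through. */
NTSTATUS dispatch(SERVICE_DESCRIPTOR_TABLE *t, uint32_t eax, const uintptr_t *edx)
{
    uint32_t index = eax & 0xFFF;
    if (((eax >> 12) & 3) != 0)           /* win32k shadow table not modelled */
        return STATUS_INVALID_SYSTEM_SERVICE;
    if (index >= t->NumberOfServices || t->ServiceTableBase[index] == NULL)
        return STATUS_INVALID_SYSTEM_SERVICE;
    unsigned nargs = t->ParamTableBase[index] / sizeof(uintptr_t);
    if (nargs > MAX_ARGS) return STATUS_INVALID_SYSTEM_SERVICE;
    uintptr_t kargs[MAX_ARGS];
    memcpy(kargs, edx, nargs * sizeof(uintptr_t));
    t->ServiceCounterTableBase[index]++;
    return t->ServiceTableBase[index](kargs, nargs);
}

/* Hooking is a pointer swap in the table. In a driver this store has to get
 * past the page protection Don mentions and be safe against other CPUs in
 * mid-dispatch; a plain assignment stands in for that here. */
SERVICE_FN install_hook(SERVICE_DESCRIPTOR_TABLE *t, uint32_t index, SERVICE_FN fn)
{
    SERVICE_FN old = t->ServiceTableBase[index];
    t->ServiceTableBase[index] = fn;
    return old;
}

int main(void)
{
    uintptr_t handle = 0, user_stack[7] = { (uintptr_t)&handle, 0, 0, 0, 0, 0, 0 };
    init_table();
    g_orig_create_section = install_hook(&g_kst, IDX_CREATE_SECTION, hook_create_section);
    NTSTATUS st = dispatch(&g_kst, IDX_CREATE_SECTION, user_stack);
    printf("status 0x%08X handle 0x%lX hook hits %u\n", (unsigned)st, (unsigned long)handle, g_hook_hits);
    return 0;
}
```

The model has no stdcall frame, so the extra-frame problem Don raises cannot appear in it; what it does make visible is that the dispatcher takes the argument count from ParamTableBase, so a hook whose prototype disagrees with that count is the first thing to check when a hooked service misbehaves.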

Sorry, the above is not correct anymore; on most systems the calls are now
made through SYSENTER. Secondly, the table in the kernel is now protected.
Also, as I stated in my previous post, not all of them can be just "trapped
à la Regmon", since this will cause them to crash the kernel.

Don Burn
Egenera, Inc

I don't know the version of the OS you are referring to, but I'm filtering those calls and I have no problems in NT/2K/XP. Which services do you say crash the system? Can you give an example?

Thanks.

Jose Vicente.

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On behalf of Don Burn
Sent: Sunday, 12 January 2003 0:39
To: NT Developers Interest List
Subject: [ntdev] Re: Ntxxx/Zwxxx monitor

I filtered ZwCreateSection, and it crashed (Win2k). I used the Regmon driver
at www.sysinternals.com. The hook function does nothing other than call the
real function. Could you give me your driver, please? I'm quite new to system
programming...

Thanks

Bi Cờ Lao

I cannot give you my driver; it was developed for a company on contract.
Checking the code, ZwCreateSection didn't take anything special to hook,
so I would check that you have the correct call number by disassembling
the user space ZwCreateSection call to check the number and the args.

Don Burn
Egenera, Inc

----- Original Message -----
From: “pclouds”
To: “NT Developers Interest List”
Sent: Sunday, January 12, 2003 8:14 AM
Subject: [ntdev] Re: Ntxxx/Zwxxx monitor


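Don's advice to disassemble the user-mode stub, as an added example that is not code from anyone in the thread: a decoder for the two stub shapes NTDLL used in this period (mov eax, imm32 followed by either lea edx,[esp+4]; int 2Eh on Win2K, or mov edx, 7FFE0300h; call [edx] on XP), returning the service number and the argument count taken from the trailing ret imm16 so both can be checked against the hook's prototype. The stub bytes are constructed for the example: the service numbers 2Bh and 32h are placeholders and not a claim about any build, while the 7-argument count matches NtCreateSection's prototype.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Added example, not code from the thread: Don's check done in code.
 * Each Zw/Nt stub in the user-mode NTDLL loads the service number into
 * EAX, points EDX at the argument block (Win2K: lea edx,[esp+4]; int 2Eh)
 * or at the shared-page dispatcher (XP: mov edx,7FFE0300h; call [edx]),
 * and returns with "ret imm16", where imm16 is the argument bytes to pop.
 * Decoding those bytes yields the number and argument count to compare
 * against the hook's prototype. The stub bytes below are constructed;
 * read the real ones from the running NTDLL before trusting a number. */

typedef struct {
    uint32_t service_number;  /* immediate loaded into EAX */
    unsigned arg_count;       /* ret imm16 / 4 */
    int      uses_sysenter;   /* 1: call [edx] via the shared page, 0: int 2Eh */
} STUB_INFO;

static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Returns 1 and fills *out when the bytes match one of the two known stub
 * shapes; returns 0 for anything else, including a stub already patched
 * with a jmp, which a monitor must not take its numbers from. */
int decode_stub(const uint8_t *stub, size_t len, STUB_INFO *out)
{
    size_t i = 5;
    if (len < 5 || stub[0] != 0xB8) return 0;                 /* mov eax, imm32 */
    out->service_number = rd32(stub + 1);
    if (len >= i + 6 && stub[i] == 0x8D && stub[i+1] == 0x54 &&
        stub[i+2] == 0x24 && stub[i+3] == 0x04 &&
        stub[i+4] == 0xCD && stub[i+5] == 0x2E) {             /* lea edx,[esp+4]; int 2Eh */
        out->uses_sysenter = 0;
        i += 6;
    } else if (len >= i + 7 && stub[i] == 0xBA &&
               stub[i+5] == 0xFF && stub[i+6] == 0x12) {     /* mov edx, imm32; call [edx] */
        out->uses_sysenter = 1;
        i += 7;
    } else {
        return 0;
    }
    if (len < i + 3 || stub[i] != 0xC2) return 0;             /* ret imm16 */
    unsigned bytes = (unsigned)stub[i+1] | (unsigned)stub[i+2] << 8;
    if (bytes % 4 != 0) return 0;
    out->arg_count = bytes / 4;
    return 1;
}

/* 1 if the stub's argument count matches the prototype of your hook,
 * 0 if not, -1 if the stub could not be decoded. */
int hook_prototype_matches(const uint8_t *stub, size_t len, unsigned expected_args)
{
    STUB_INFO s;
    if (!decode_stub(stub, len, &s)) return -1;
    return s.arg_count == expected_args ? 1 : 0;
}

/* Constructed samples: 7 arguments (ret 1Ch) like NtCreateSection; the
 * service numbers 2Bh and 32h are placeholders, not a claim about any build. */
const uint8_t k_stub_int2e[] = {
    0xB8, 0x2B, 0x00, 0x00, 0x00,       /* mov eax, 2Bh */
    0x8D, 0x54, 0x24, 0x04,             /* lea edx, [esp+4] */
    0xCD, 0x2E,                         /* int 2Eh */
    0xC2, 0x1C, 0x00                    /* ret 1Ch */
};
const uint8_t k_stub_sysenter[] = {
    0xB8, 0x32, 0x00, 0x00, 0x00,       /* mov eax, 32h */
    0xBA, 0x00, 0x03, 0xFE, 0x7F,       /* mov edx, 7FFE0300h */
    0xFF, 0x12,                         /* call dword ptr [edx] */
    0xC2, 0x1C, 0x00                    /* ret 1Ch */
};
const uint8_t k_stub_patched[] = {
    0xE9, 0x00, 0x10, 0x00, 0x00,       /* jmp rel32: someone got here first */
    0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
    0xC2, 0x1C, 0x00
};

int main(void)
{
    STUB_INFO s;
    if (decode_stub(k_stub_int2e, sizeof k_stub_int2e, &s))
        printf("int 2Eh stub: service 0x%X, %u args\n", s.service_number, s.arg_count);
    if (decode_stub(k_stub_sysenter, sizeof k_stub_sysenter, &s))
        printf("sysenter stub: service 0x%X, %u args\n", s.service_number, s.arg_count);
    printf("patched stub decodes: %d\n", decode_stub(k_stub_patched, sizeof k_stub_patched, &s));
    return 0;
}
```

Decoding refuses a stub that no longer starts with mov eax, imm32, which is what another hooking product's inline patch looks like; in that case the number has to come from an unpatched copy of NTDLL on disk rather than from memory.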
If you are beyond a Pentium II the calls are different; several of the thread
and process calls require special handling to work correctly.

Don Burn
Egenera, Inc

----- Original Message -----
From: “José Vicente Sánchez Ortega”
To: “NT Developers Interest List”
Sent: Sunday, January 12, 2003 7:32 AM
Subject: [ntdev] Re: Ntxxx/Zwxxx monitor

I have tested my code on a Pentium IV and an AMD K7 and I have no problems. My driver has been developed for a commercial product too and it's working fine at several customers. I'm filtering specifically NtCreateSection because I'm doing some processing when a new process is created, and I have not experienced problems with it in W2K SP3 or WXP SP1.

Jose Vicente.

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On behalf of Don Burn
Sent: Sunday, 12 January 2003 15:50
To: NT Developers Interest List
Subject: [ntdev] Re: Ntxxx/Zwxxx monitor

I'm using a mechanism slightly different from that used in Regmon. My driver is a commercial product and I can't give you much more help on this issue (sorry).

Jose Vicente.

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On behalf of pclouds
Sent: Sunday, 12 January 2003 14:15
To: NT Developers Interest List
Subject: [ntdev] Re: Ntxxx/Zwxxx monitor
