Re[2]: hooking and getting caller context

Hello Dan,

Friday, December 24, 2004, 2:11:35 PM, you wrote:

I want to trace back the call stack,
so I need ESP and EBP.

In the end it should run as a kind of stack protection.

DP> Hooking is bad, bad, bad. Most likely you would be able to solve your
DP> problem in another, safer, documented way.

Every solution is welcome :wink:

Best regards, Stefan

DP> Hooking is bad, bad, bad. Most likely you would be able to solve your
DP> problem in another, safer, documented way.
DP> Yes, it is possible to get the user mode CPU context of the calling thread.
DP> But what do you want to accomplish?

DP> Dan

DP> ----- Original Message -----
DP> From: “Sellmer Stefan”
DP> To: “Windows System Software Devs Interest List”
DP> Sent: Friday, December 24, 2004 3:03 PM
DP> Subject: [ntdev] hooking and getting caller context

>> Hello ntdev,
>>
>> I’m new to this list, and driver development.
>>
>> I hooked ZwCreateFile in the ServiceDescriptorTable.
>> But is it now possible to get the thread context of the user-mode
>> program which called ZwCreateFile?
>>
>>
>> This is a copy from ZwCreateFile in ntdll:
>> 7C90EB8B  8BD4   MOV EDX,ESP
>> 7C90EB8D  0F34   SYSENTER
>> 7C90EB8F  90     NOP
>> 7C90EB90  90     NOP
>> 7C90EB91  90     NOP
>> 7C90EB92  90     NOP
>> 7C90EB93  90     NOP
>> 7C90EB94  C3     RETN
>>
>> Is it possible to get exactly all registers before SYSENTER gets called,
>> i.e. the thread context?
>>
>> Can anybody please give me a hint?
>>
>> Best regards
>>
>>
>> —
>> Questions? First check the Kernel Driver FAQ at
>> http://www.osronline.com/article.cfm?id=256
>>
>> You are currently subscribed to ntdev as: xxxxx@rdsor.ro
>> To unsubscribe send a blank email to xxxxx@lists.osr.com


–
Best regards,
Sellmer mailto:xxxxx@gmx.net

For various reasons, your approach is flawed for the purpose of stack
protection.
Don't waste your time.

Dan

----- Original Message -----
From: “Sellmer Stefan”
To: “Windows System Software Devs Interest List”
Sent: Friday, December 24, 2004 3:59 PM
Subject: Re[2]: [ntdev] hooking and getting caller context

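Stefan's plan is to capture the caller's ESP and EBP in the hook and walk the EBP chain back to the thread start; Dan's reply is that this cannot serve as stack protection. The following is an added example written for this page, not code from either poster: a user-mode C model of that walk over a constructed 32-bit stack image (fake virtual addresses, constructed frames and return addresses), with the sanity checks such a walker needs, and a third scenario showing the flaw Dan points at. An overflow that corrupts the saved EBP is caught, but the same overflow can just as easily write a chain that satisfies every check, because the attacker controls the very memory the walker reads. The slot layout, the STACK_LO address, and the scenario_* helpers are assumptions of this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of a 32-bit user-mode stack: 64 four-byte slots, with
 * slot 0 at the fake virtual address STACK_LO. Higher slot = higher address.
 * (Example code; not from the thread. Addresses are made up.) */
#define STACK_SLOTS 64
#define STACK_LO    0x0012F000u
#define STACK_HI    (STACK_LO + STACK_SLOTS * 4u)
#define MAX_FRAMES  16

static uint32_t stack_img[STACK_SLOTS];   /* the simulated stack memory */
static uint32_t last_ret[MAX_FRAMES];     /* return addresses from the last walk */

static uint32_t slot_va(int slot) { return STACK_LO + 4u * (uint32_t)slot; }

/* Map a fake VA back to a slot index; -1 if off-stack or misaligned. */
static int va_slot(uint32_t va)
{
    if (va < STACK_LO || va >= STACK_HI || (va & 3u)) return -1;
    return (int)((va - STACK_LO) / 4u);
}

/* Walk the chain laid down by "push ebp; mov ebp, esp" prologues:
 * [ebp] = caller's EBP, [ebp+4] = return address into the caller.
 * Returns the number of frames recorded, or -1 if the chain is malformed.
 * Frames of functions compiled without a frame pointer (FPO) are not on
 * this chain at all, which is a second reason the walk is unreliable. */
int walk_ebp_chain(uint32_t esp, uint32_t ebp)
{
    uint32_t cur = ebp;
    int n = 0;

    if (esp < STACK_LO || esp > STACK_HI) return -1;       /* ESP itself off-stack */
    while (n < MAX_FRAMES) {
        int idx = va_slot(cur);
        if (idx < 0 || idx + 1 >= STACK_SLOTS) return -1;  /* frame not on the stack */
        if (cur < esp) return -1;                          /* frame below ESP: bogus */
        uint32_t saved_ebp = stack_img[idx];
        last_ret[n++] = stack_img[idx + 1];
        if (saved_ebp == 0) return n;                      /* thread-start frame */
        if (saved_ebp <= cur) return -1;                   /* chain must ascend */
        cur = saved_ebp;
    }
    return -1;                                             /* too deep or cyclic */
}

uint32_t walked_ret(int i) { return (i >= 0 && i < MAX_FRAMES) ? last_ret[i] : 0; }

/* Lay down one frame at 'slot': saved EBP, then the return address. */
static void put_frame(int slot, uint32_t saved_ebp, uint32_t ret)
{
    stack_img[slot]     = saved_ebp;
    stack_img[slot + 1] = ret;
}

/* Scenario 1: a well-formed three-frame chain (constructed addresses). */
int scenario_legit(void)
{
    memset(stack_img, 0xCC, sizeof stack_img);            /* uninitialised junk */
    put_frame(10, slot_va(20), 0x00401234u);              /* innermost callee */
    put_frame(20, slot_va(30), 0x00401500u);
    put_frame(30, 0,           0x7C817067u);              /* outermost: chain ends */
    return walk_ebp_chain(slot_va(6), slot_va(10));       /* ESP below EBP */
}

/* Scenario 2: an overflow clobbered a saved EBP with data, not a stack address. */
int scenario_corrupt(void)
{
    (void)scenario_legit();
    stack_img[20] = 0x41414141u;                          /* "AAAA" from an overflow */
    return walk_ebp_chain(slot_va(6), slot_va(10));
}

/* Scenario 3: the same overflow instead writes a chain that satisfies every
 * check above. Nothing in the walk distinguishes it from scenario 1. */
int scenario_forged(void)
{
    memset(stack_img, 0x41, sizeof stack_img);            /* attacker-filled stack */
    put_frame(10, slot_va(40), 0x00401234u);              /* plausible return address */
    put_frame(40, 0,           0x7C817067u);
    return walk_ebp_chain(slot_va(6), slot_va(10));
}

int main(void)
{
    int n = scenario_legit();
    printf("legit:   %d frames", n);
    for (int i = 0; i < n; i++) printf(" %08X", (unsigned)walked_ret(i));
    printf("\ncorrupt: %d\nforged:  %d frames (passes every check)\n",
           scenario_corrupt(), scenario_forged());
    return 0;
}
```

The walker enforces what can be checked without extra metadata: frames stay inside the stack, never below ESP, ascend monotonically, and terminate within a bounded depth. Scenario 3 is the point of Dan's objection: those checks constrain the shape of the chain, not its authorship, so a check run from a syscall hook after the overflow has already happened tells you nothing about whether the frames are genuine.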