Hello Dan,
Friday, December 24, 2004, 2:11:35 PM, you wrote:
I want to trace back the call stack,
so I need ESP and EBP.
In the end it should run as a kind of stack protection.
DP> Hooking is bad, bad, bad. Most likely you would be able to solve your
DP> problem in another, safer, documented way.
Every solution is welcome.
Best regards, Stefan
DP> Hooking is bad, bad, bad. Most likely you would be able to solve your
DP> problem in another, safer, documented way.
DP> Yes, it is possible to get the user-mode CPU context of the calling thread.
DP> But what do you want to accomplish?
DP> Dan
DP> ----- Original Message -----
DP> From: "Sellmer Stefan"
DP> To: "Windows System Software Devs Interest List"
DP> Sent: Friday, December 24, 2004 3:03 PM
DP> Subject: [ntdev] hooking and getting caller context
>> Hello ntdev,
>>
>> I'm new to this list, and to driver development.
>>
>> I hooked ZwCreateFile in the ServiceDescriptorTable.
>> But is it now possible to get the thread context of the user-mode
>> program which called ZwCreateFile?
>>
>>
>> This is a copy of ZwCreateFile from ntdll:
>> 7C90EB8B >/$ 8BD4 MOV EDX,ESP
>> 7C90EB8D |. 0F34 SYSENTER
>> 7C90EB8F |. 90 NOP
>> 7C90EB90 |. 90 NOP
>> 7C90EB91 |. 90 NOP
>> 7C90EB92 |. 90 NOP
>> 7C90EB93 |. 90 NOP
>> 7C90EB94 >$ C3 RETN
>>
>> Is it possible to get exactly all registers before SYSENTER gets called,
>> i.e. the thread context...
>>
>> Can anybody please give me a hint?
>>
>> Best regards
>>
>>
>> Questions? First check the Kernel Driver FAQ at
>> http://www.osronline.com/article.cfm?id=256
>>
>> You are currently subscribed to ntdev as: xxxxx@rdsor.ro
>> To unsubscribe send a blank email to xxxxx@lists.osr.com
Best regards,
Sellmer mailto:xxxxx@gmx.net
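What Stefan is after is a frame-pointer walk: starting from the ESP and EBP of the user-mode caller, follow the saved-EBP chain and collect the return addresses. The program below is an added example, not code from this thread; it is plain user-mode host code, touches no SSDT and performs no hooking. It walks a constructed 32-bit stack image (all addresses, return addresses and the frame layout are made up) and shows the checks a practitioner would want before trusting such a chain: every link must lie inside the stack, be 4-byte aligned and move toward higher addresses, so a corrupted or forged frame ends the walk instead of dereferencing garbage.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Constructed 32-bit stack image (not a real process). Addresses, return
 * addresses and the frame layout are invented for the demonstration.
 * A frame built by a standard prologue (push ebp / mov ebp,esp) looks like:
 *     [ebp+0] saved EBP of the caller
 *     [ebp+4] return address into the caller
 */
#define STACK_LO   0x0012F000u             /* lowest valid stack address   */
#define STACK_SIZE 0x1000u
#define STACK_HI   (STACK_LO + STACK_SIZE) /* one past the highest address */

static uint32_t stack_mem[STACK_SIZE / 4];

static uint32_t read32(uint32_t addr)
{
    return stack_mem[(addr - STACK_LO) / 4];
}

static void write32(uint32_t addr, uint32_t value)
{
    stack_mem[(addr - STACK_LO) / 4] = value;
}

/* Return addresses recovered by the last walk, innermost caller first. */
#define MAX_FRAMES 8
uint32_t g_trace[MAX_FRAMES];

/*
 * Walk the EBP chain from the register values a hook would have captured at
 * the SYSENTER stub: ESP points at the return address of the code that called
 * the stub (the stub has no prologue of its own), EBP at that caller's frame.
 * Each link is validated before it is dereferenced.
 */
size_t walk_frames(uint32_t esp, uint32_t ebp, uint32_t lo, uint32_t hi,
                   uint32_t *out, size_t max)
{
    size_t n = 0;
    uint32_t lowest = esp;   /* every frame must sit above the previous one */

    if (n < max && esp >= lo && esp + 4 <= hi && (esp & 3) == 0)
        out[n++] = read32(esp);            /* return address of the stub's caller */

    while (n < max) {
        if (ebp < lowest || ebp + 8 > hi || (ebp & 3) != 0)
            break;                         /* outside the stack or misaligned */
        out[n++] = read32(ebp + 4);        /* return address of this frame */
        uint32_t next = read32(ebp);       /* saved EBP of the caller */
        if (next <= ebp)
            break;                         /* terminator (0), self-link or backward link */
        lowest = ebp + 8;
        ebp = next;
    }
    return n;
}

/* Lay out three nested frames: main -> func_a -> func_b -> call ZwCreateFile. */
static void build_sample_stack(uint32_t *esp, uint32_t *ebp)
{
    write32(0x0012FFC0u, 0x00000000u);  /* main: no caller frame (saved EBP = 0) */
    write32(0x0012FFC4u, 0x7C800000u);  /* constructed return into process start code */
    write32(0x0012FF80u, 0x0012FFC0u);  /* func_a: saved EBP -> main's frame */
    write32(0x0012FF84u, 0x00401100u);  /* constructed return address in main */
    write32(0x0012FF40u, 0x0012FF80u);  /* func_b: saved EBP -> func_a's frame */
    write32(0x0012FF44u, 0x00401200u);  /* constructed return address in func_a */
    write32(0x0012FF20u, 0x00401300u);  /* [ESP]: return address in func_b after `call` */
    *esp = 0x0012FF20u;
    *ebp = 0x0012FF40u;
}

size_t walk_sample_stack(void)
{
    uint32_t esp, ebp;
    build_sample_stack(&esp, &ebp);
    return walk_frames(esp, ebp, STACK_LO, STACK_HI, g_trace, MAX_FRAMES);
}

/* Same stack, but func_a's saved EBP has been overwritten to point at itself. */
size_t walk_corrupted_stack(void)
{
    uint32_t esp, ebp;
    build_sample_stack(&esp, &ebp);
    write32(0x0012FF80u, 0x0012FF80u);
    return walk_frames(esp, ebp, STACK_LO, STACK_HI, g_trace, MAX_FRAMES);
}

int main(void)
{
    size_t n = walk_sample_stack();
    for (size_t i = 0; i < n; i++)
        printf("frame %zu: return address %08X\n", i, (unsigned)g_trace[i]);
    printf("corrupted chain stops after %zu frames\n", walk_corrupted_stack());
    return 0;
}
```

The intact image yields four return addresses; the corrupted one stops at three because the self-link fails the "moves toward higher addresses" test. Two limits of the technique are worth keeping in mind: code compiled with frame-pointer omission leaves no saved-EBP link, so the chain simply ends early, and the user-mode caller controls every byte of its own stack, so nothing recovered this way can be taken as trustworthy evidence of who really made the call.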
For various reasons, your approach is flawed for the purpose of stack
protection.
Don't waste your time.
Dan
----- Original Message -----
From: "Sellmer Stefan"
To: "Windows System Software Devs Interest List"
Sent: Friday, December 24, 2004 3:59 PM
Subject: Re[2]: [ntdev] hooking and getting caller context