Re[2]: How To Protect Against "Process Inject"

Hello Dan,

DP> Approaches to inject code into another process are so varied, and some of them
DP> so obscure, that you will end in a funny cat and mouse game that you can hardly
DP> win without seriously impairing the stability of the OSs on which your code
DP> will run.
the only thing that can seriously impair the stability of the OS is
bad coding skills and lack of testing. your drivers can also seriously
impair stability of the OS so, why you are talking about that? if the
product will be unstable no one will use or buy it. it’s called free
market.

about the approaches … 99% of malware uses the same old techniques
to inject code into other processes, so it is wise to block these and
don’t play catch and mouse with the 1% left. plus, it’s always wise to
instruct the user not to use non-admin accounts, which is sometimes
hard, because some of the Win32 software cannot deal with it.

DP> I assume you guys write another desktop “security” application, please don’t offer
DP> feature only for marketing sake.
if there is space for another desktop security application, if there
is some not filled feature gap, why not fill it? you can always test
the software, you have beta versions, you have trial versions, you
have software reviews - everyone who wants to test the software can do
it, can test the stability and decide not to use it.


Best regards,
Ivona Prenosilova

Hello Matt,

MM> I believe you when you say there are many ways to inject code. I’m looking
MM> to block the most common approaches(from what I can see, CreateRemoteThread
MM> and WriteProcessMemory seem to be the most common, could be wrong though).
well, the start of this all is (Nt)OpenProcess. anyway, from what i
see, you should probably RTM, get decent books on windows internals,
do some reverse engineering on the functions you’re dealing with, get
some tutorials from the other side (like VX tutorials, vx.netlux.org)
- if you want to know more about the injecting that is used in current
malware - and after you do all of this, you’ll probably after all get
what Dan said.

MM> Would VDDInstallMemoryHook in a Virtual driver work in any way?
eh, no way, this is not what you’re looking for … that is NTVDM, not
native subsystem.


Best regards,
Ivona Prenosilova

Thanks Ivona,

I’m sure as everyone can tell, I know very little about this subject. Being
self-taught, there are gaping holes in my knowledge. I appreciate your
feedback, once I get a handle on this I’m sure I’ll be able to run with it
in multiple directions…

Thanks,

Matt

The very demand for such products reminds me of a good old “Core Wars”
computer game. The stability decrease from such things is amazing.

Ideally, the app must be agnostic from any injections by firewalls and such
and work fine with them included.

BTW - Windows Firewall from XP SP2 and later is enhanced ipnat.sys, which
communicates to ipnathlp.dll in user mode in some of the svchost processes. The
communication is IIRC done by Ex callback objects (or is it the communication
between tcpip and ipnat?).

Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
xxxxx@storagecraft.com
http://www.storagecraft.com

----- Original Message -----
From: “Matt Martin”
To: “Windows System Software Devs Interest List”
Sent: Thursday, August 25, 2005 1:00 PM
Subject: [ntdev] How To Protect Against “Process Inject”

> Hello all,
>
> I need help in finding a way to protect my application from process
> injection like how many firewall applications do.
>
> Several ideas I’ve had were: API hooking or running a loop comparing the
> image size in memory to the disk image size. Would the kernel function
> NtProtectVirtualMemory or the usermode VirtualProtectEX offer any
> protection?
>
> What would be the best approach to this problem?
>
> Thanks in advance,
>
> Matt

> Would VDDInstallMemoryHook in a Virtual driver work in any way?

This hook only works for DOS and Win16 apps running inside NTVDM.

Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
xxxxx@storagecraft.com
http://www.storagecraft.com

Probably the easiest to do and hardest to detect way of
injecting code is to frig the PE image itself. All you need is
LordPE and an enterprising mind. And, ah, code is code, however
generated - injected or not - and a good injection is not
necessarily any less stable than its host. In fact, I’ve seen on
occasion injected code do wonders.

It all depends on what code is injected, where, and who’s doing
it. Competent programmers don’t write code that impairs OS
stability; injected or not, it makes no difference.

Alberto.


CreateRemoteThread and WriteProcessMemory are the most used APIs for this
indeed.
But keep in mind that during a process creation phase both those APIs (at
native level) are used to create a new process.

Dan


> generated - injected or not - and a good injection is not
> necessarily any less stable than its host.

Injections obey no rules, so, several injections will nearly inevitably
conflict and produce and interop.

Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
xxxxx@storagecraft.com
http://www.storagecraft.com

Somebody can hook NtCreateThread and forbid CreateRemoteThread :) This can
be a good security product idea :)

Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
xxxxx@storagecraft.com
http://www.storagecraft.com


How about this,

I know file system filters are very possible, what about memory filters?
Could a filter driver be created to filter memory alloc’s? Perhaps filter
memory alloc’s for known processes or libraries? I’ve been searching through
the DDK, and I don’t see anything that could ‘shim’ into the memory manager.
Am I missing something, is there an undocumented method, or is it simply not
possible?

Basically, is there any way to filter memory writes, any way to hook a
particular address range via kernel mode?

Thanks,
Matt


No, there are no APIs to do this. This would require extensive changes to
the memory manager according to the developers.


Don Burn (MVP, Windows DDK)
Windows 2k/XP/2k3 Filesystem and Driver Consulting
Remove StopSpam from the email to reply


Fernando,

In one of my initial messages I mentioned NtProtectVirtualMemory, have you
used this technique before? Do you see any significant performance hit? Or
for that matter, does anyone else foresee problems using this technique?

I really want to say thanks to everyone so far for the help, ideas, and
input that have been supplied already. I appreciated all the feedback.

Matt
----- Original Message -----
From: “Fernando Roberto”
To: “Windows System Software Devs Interest List”
Sent: Thursday, August 25, 2005 8:09 AM
Subject: RES: Re[2]: [ntdev] How To Protect Against “Process Inject”

Matt,

You can hook NtProtectVirtualMemory, NtWriteProcessMemory and
NtQueryVirtualMemory to track addresses and filter writes in specific
addresses or filter writes that come from a different process yet. It
isn’t a complete filter, but filters the most of code injections made in
user mode.

Regards,
Fernando Roberto da Silva.
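
The filtering decision this thread converges on, as an added example that is not code from any poster: a hook on (Nt)OpenProcess can strip the rights that CreateRemoteThread and WriteProcessMemory depend on when a foreign process opens a protected one, while leaving the creator alone during process creation. The PROCESS_* and generic values are the winnt.h ones; the function names, the PID list and the sample requests are hypothetical, and the code only models the decision, it hooks nothing.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Process access rights and generic bits, values as in winnt.h. */
#define PROCESS_CREATE_THREAD     0x0002u      /* needed by CreateRemoteThread */
#define PROCESS_VM_OPERATION      0x0008u      /* VirtualAllocEx, VirtualProtectEx */
#define PROCESS_VM_READ           0x0010u
#define PROCESS_VM_WRITE          0x0020u      /* needed by WriteProcessMemory */
#define PROCESS_QUERY_INFORMATION 0x0400u
#define PROCESS_ALL_ACCESS        0x001F0FFFu  /* value used on Windows XP */
#define MAXIMUM_ALLOWED           0x02000000u
#define GENERIC_ALL               0x10000000u
#define GENERIC_WRITE             0x40000000u

#define INJECTION_RIGHTS \
    (PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_WRITE)
/* Bits the object manager expands into specific rights after the hook has
   run; masking only INJECTION_RIGHTS would let them through, so this
   sketch drops them as well (a conservative choice made for the example). */
#define UNMAPPED_BITS (MAXIMUM_ALLOWED | GENERIC_ALL | GENERIC_WRITE)

/* Hypothetical list of PIDs the product protects (constructed values). */
static const uint32_t protected_pids[] = { 1200u, 1340u };

static bool is_protected(uint32_t pid)
{
    for (size_t i = 0; i < sizeof protected_pids / sizeof protected_pids[0]; i++)
        if (protected_pids[i] == pid)
            return true;
    return false;
}

/* Returns the access mask the open may proceed with; 0 means deny. */
uint32_t filter_process_access(uint32_t caller, uint32_t target,
                               uint32_t creator, bool target_initializing,
                               uint32_t desired)
{
    if (!is_protected(target) || caller == target)
        return desired;
    /* Process creation writes into and starts a thread in the new process,
       so the creator keeps full access until initialization is finished. */
    if (target_initializing && caller == creator)
        return desired;
    return desired & ~(INJECTION_RIGHTS | UNMAPPED_BITS);
}

int main(void)
{
    /* Constructed sample requests against protected PID 1200, created by 800. */
    static const struct {
        const char *what; uint32_t caller; bool init; uint32_t desired;
    } cases[] = {
        { "creator, during creation", 800u, true,  PROCESS_ALL_ACCESS },
        { "creator, after creation",  800u, false, PROCESS_ALL_ACCESS },
        { "foreign, all access",      999u, false, PROCESS_ALL_ACCESS },
        { "foreign, GENERIC_ALL",     999u, false, GENERIC_ALL },
        { "foreign, query and read",  999u, false,
          PROCESS_QUERY_INFORMATION | PROCESS_VM_READ },
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        uint32_t granted = filter_process_access(cases[i].caller, 1200u, 800u,
                                                 cases[i].init, cases[i].desired);
        printf("%-26s desired=0x%08X granted=0x%08X\n", cases[i].what,
               (unsigned)cases[i].desired, (unsigned)granted);
    }
    return 0;
}
```

As the thread itself says, this is not a complete filter: it covers only opens that go through the hooked call, and handles obtained earlier or by other routes are outside it.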
