Hello Dan,
Anders Fogh
Hohe Strasse 19
44139 Dortmund
Germany
Friday, May 11, 2001, 10:01:00 AM, you wrote:
DP> HKLM\System\CurrentControlSet\Control\SessionManager\MemoryManagement\EnforceWriteProtection
DP> ----- Original Message -----
DP> From: “Rob Fuller”
DP> To: “File Systems Developers”
DP> Sent: Friday, May 11, 2001 6:38 PM
DP> Subject: [ntfsd] Re: Compiling inline Assembly
>> Where in the registry is the “EnforceWriteProtection” registry key?
>>
>> > -----Original Message-----
>> > From: danp [mailto:danp@jb.rdsor.ro]
>> > Sent: Friday, May 11, 2001 8:20 AM
>> > To: File Systems Developers
>> > Subject: [ntfsd] Re: Compiling inline Assembly
>> >
>> >
>> > It is not a question of “system file” or whatever, it is a question of
>> > page-level protection. Starting with 486 CPUs, a new bit was introduced
>> > in CR0, the WP (Write Protect) bit, which, when set, prohibits even ring0
>> > code from writing to read-only pages. This, combined with the fact that
>> > Win2k by default enforces write protection on the code section of
>> > binaries (default, can be modified through the EnforceWriteProtection
>> > registry key), will prevent writes to RO pages. Of course, this can be
>> > bypassed, but again, take our advice and forget this stuff, focus on a
>> > clean and reliable implementation of your toy. You don't need
>> > self-modifying code in a filter driver, you don't need ASM in it, you
>> > need a clean and, in the event this is an encryption filter, a good
>> > cryptographic approach.
>> >
>> > ----- Original Message -----
>> > From: “Satish”
>> > To: “File Systems Developers”
>> > Sent: Friday, May 11, 2001 2:14 PM
>> > Subject: [ntfsd] Re: Compiling inline Assembly
>> >
>> >
>> > >
>> > > > On the May 10 Nuno the First wrote
>> > > >
>> > > > > I saw the answer about the _emit, good to know about it, but here
>> > > > > is mostly the same way.
>> > > > >
>> > > > > __asm {
>> > > > > jmp domodify
>> > > > > modifyhere:
>> > > > > nop ;will become INT 20 (CDh,20h)
>> > > > > nop
>> > > > > ret
>> > > > > domodify:
>> > > > > mov BYTE PTR [modifyhere],0xcd
>> > > > > mov BYTE PTR [modifyhere+1],0x20
>> > > > > jmp modifyhere
>> > > > > }
>> > > > >
>> > > >
>> > > > In the code above the storage to modify would be in the code
>> > > > section. If I am not mistaken, modification of such storage is not
>> > > > possible under W2k (there's a note in new DDK releases or an article
>> > > > in the knowledge base that the driver code sections are read only).
>> > > > _emit itself is used in the Win9x DDK to represent the VMM call.
>> > > >
>> > >
>> > > In win2k, if we overwrite a system file then it doesn't allow it. The
>> > > above code is modifying itself at run time. I think that is possible.
>> > >
>> > > Regards,
>> > > Satish K.S
>> > >
>> > >
>> > > —
>> > > You are currently subscribed to ntfsd as: danp@jb.rdsor.ro
>> > > To unsubscribe send a blank email to leave-ntfsd-$subst(‘Recip.MemberIDChar’)@lists.osr.com
>> > >
–
Best regards,
Anders mailto:xxxxx@flaffer.com
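The thread's point is that code pages are mapped read-only and that a write to them faults rather than succeeding. The following is an added example, not code from the ntfsd thread or from any of its authors: a user-mode POSIX C program that probes its own text segment, the user-mode counterpart of the kernel code-section protection Dan describes. The probe writes a byte's existing value back to a function's first byte under a SIGSEGV/SIGBUS handler, so the only observable effect is whether the write faults. The function names (probe_target, code_write_faults, on_segv) are assumptions chosen for this example; nothing here alters page permissions.

```c
/* Added example (not from the ntfsd thread): confirm from user mode that the
 * process's own code pages are write-protected. The attempted write is
 * guarded by a signal handler so the program reports the fault instead of
 * crashing. No page permissions are changed. */
#define _POSIX_C_SOURCE 200809L
#include <setjmp.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>

static sigjmp_buf fault_env;
static volatile sig_atomic_t fault_seen;

/* Hypothetical probe target: any ordinary function living in the text segment. */
static int probe_target(int x) { return x + 1; }

/* Fault handler: record the fault and unwind back to the sigsetjmp point. */
static void on_segv(int sig) {
    (void)sig;
    fault_seen = 1;
    siglongjmp(fault_env, 1);
}

/* Returns 1 if writing to a code byte faulted (the page is read-only, the
 * expected result), 0 if the write went through (code is writable). */
int code_write_faults(void) {
    struct sigaction sa, old_segv, old_bus;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_segv;
    sigemptyset(&sa.sa_mask);
    sa.sa_flags = SA_NODEFER;
    sigaction(SIGSEGV, &sa, &old_segv);
    sigaction(SIGBUS, &sa, &old_bus); /* some platforms report this as SIGBUS */

    /* Reading code bytes is permitted; only the write is expected to fault. */
    volatile unsigned char *code = (volatile unsigned char *)(void *)probe_target;
    unsigned char original = *code;
    fault_seen = 0;
    if (sigsetjmp(fault_env, 1) == 0) {
        *code = original; /* write the same value back: only the permission matters */
    }

    sigaction(SIGSEGV, &old_segv, NULL);
    sigaction(SIGBUS, &old_bus, NULL);
    return fault_seen ? 1 : 0;
}

int main(void) {
    if (code_write_faults())
        printf("write to code page faulted: text segment is read-only\n");
    else
        printf("write to code page succeeded: text segment is writable\n");
    return 0;
}
```

On a normally linked binary the write faults, which is the same outcome the thread predicts for a Win2k driver trying to patch its own code section with CR0.WP set and EnforceWriteProtection left at its default. A result of 0 would indicate the process's text mapping is writable and is worth investigating.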