RE: Kernel mode device driver problem - KeServiceDescriptorTable

The invocation of interrupt 2F used to be the second instruction of every
NTDLL export (with the first instruction loading the system service call
number into the EAX register). In XP it would appear that now the NTDLL
export mills around for a few instructions before jumping to an entirely
different location in the DLL, at which point the interrupt gets invoked. (I
can’t really see any value in this change other than making it harder for
people to do what you’re trying to do…)

-----Original Message-----
From: Jeremy Kercheval [SMTP:xxxxx@expressmetrix.com]
Sent: Wednesday, November 14, 2001 8:08 PM
To: NT Developers Interest List
Subject: [ntdev] RE: Kernel mode device driver problem - KeServiceDescriptorTable

Michal,
Thanks for the response, unfortunately I don’t entirely understand what
you have given me here. I’m not trying to be stupid, but I don’t have a
lot of experience with the kernel.
Is the first section how NT used to enter the kernel, and the second
part the new way? I’m not sure how I would change my GetThunkCode based
on the below information.

Jeremy

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Michal Vodicka
Sent: Wednesday, November 14, 2001 3:58 PM
To: NT Developers Interest List
Subject: [ntdev] RE: Kernel mode device driver problem - KeServiceDescriptorTable

Yes, XP changed the way to enter kernel:

:u ZwCreateProcess
_NtCreateProcess
001B:77F7E6A3 B82F000000 MOV EAX,0000002F
001B:77F7E6A8 BA0003FE7F MOV EDX,7FFE0300
001B:77F7E6AD FFD2 CALL EDX
001B:77F7E6AF C22000 RET 0020

:u 7FFE0300
001B:7FFE0300 8BD4 MOV EDX,ESP
001B:7FFE0302 0F34 SYSENTER
001B:7FFE0304 C3 RET

Just change your GetThunkCode a bit and check OS to see what version to
use.

As for the driver crash: if you’re doing such a change, you should see why
it crashes. If memory protection causes it, examine and try to change the WP
bit in CR0.

Best regards,

Michal Vodicka
STMicroelectronics Design and Application s.r.o. [michal.vodicka@st.com,
http://www.st.com]

> ----------
> From: xxxxx@expressmetrix.com[SMTP:xxxxx@expressmetrix.com]
> Reply To: xxxxx@lists.osr.com
> Sent: Wednesday, November 14, 2001 10:14 PM
> To: xxxxx@lists.osr.com
> Subject: [ntdev] Kernel mode device driver problem -
> KeServiceDescriptorTable
>
> I have an app and driver that works on NT4 through Windows 2000 SP2
> that fails on Windows XP. In user mode we would call GetProcAddress
> as
> follows:
>
> BOOL GetThunkCode(FARPROC funcPtr, PULONG ntCode, PULONG ntParams);
> HMODULE hNtDll; FARPROC pFunc;
>
> ----
> if (hNtDll = LoadLibrary("NTDLL.DLL"))
> {
>     if ((pFunc = GetProcAddress(hNtDll, "ZwCreateProcess")) == NULL ||
>         !GetThunkCode(pFunc, &pInitBlock->CreateProcessHookBlock.NTCode,
>                       &pInitBlock->CreateProcessHookBlock.ParamCount))
>     {
>         FreeLibrary(hNtDll);
>         return 0;
>     }
> }
> ----
> This would get the address of the function in ntdll, we would then
> extract the service id and number of bytes required for the parameters
> using the below function:
> ---
> static BOOL GetThunkCode(FARPROC funcPtr, PULONG ntCode, PULONG ntParams)
> {
> #pragma pack(1)
>     /* NT4/2000 stub: MOV EAX,imm32 ; LEA EDX,[ESP+4] ; INT 2E ; RET imm16 */
>     typedef struct _NTFUNC_BLOCK
>     {
>         UCHAR  moveeax;    /* 0xB8 */
>         ULONG  thunkCode;  /* system service number */
>         UCHAR  stuff[4];   /* LEA EDX,[ESP+4] */
>         UCHAR  insint;     /* 0xCD */
>         UCHAR  vector;     /* 0x2E */
>         UCHAR  insret;     /* 0xC2 */
>         USHORT params;     /* bytes of arguments popped by RET */
>     } *PNTFUNC_BLOCK;
>     PNTFUNC_BLOCK pNtFunc;
> #pragma pack()
>
>     pNtFunc = (PNTFUNC_BLOCK) funcPtr;
>     if (pNtFunc->moveeax != 0xb8)
>         return FALSE;
>     if (pNtFunc->insint != 0xcd)
>         return FALSE;
>     if (pNtFunc->vector != 0x2e)
>         return FALSE;
>     if (pNtFunc->insret != 0xc2)
>         return FALSE;
>     *ntCode = pNtFunc->thunkCode;
>     *ntParams = pNtFunc->params / sizeof(ULONG);
>     return TRUE;
> }
> ---
>
> The problem is that the function no longer returns the information the
> same way that it used to. We would then pass this information
> (thunkCode and number of params) to the driver which would hook into
> the KeServiceDescriptorTable replacing the real CreateProcess function
> with our own.
>
> Also, when I try to write to the KeServiceDescriptorTable at any
> serviceID, the driver immediately crashes. Did XP change the memory
> protection of the KeServiceDescriptorTable?
>
> In short, the address that we get back from GetProcAddress no longer
> has the same format - does anyone know the new format? If I can find
> the correct ServiceID for the KeServiceDescriptorTable, can I still
> replace the old address with a new one, or is it protected memory now?
>
> Thanks,
> Jeremy
>
>
> ---
> You are currently subscribed to ntdev as: michal.vodicka@st.com To
> unsubscribe send a blank email to leave-ntdev-$subst(‘Recip.MemberIDChar’)@lists.osr.com
>
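As an added example (not code from the thread, nor from any of its posters), the C below decodes both stub layouts the thread describes: the NT4/2000 INT 2E form that Jeremy's packed struct matches, and the XP form from Michal's disassembly, where the stub loads a thunk address into EDX and CALLs it. A driver that fingerprints these stubs should refuse anything that matches neither layout instead of reading a service number out of unrelated bytes, so the decoder returns STUB_UNKNOWN in that case. The XP sample bytes are the ZwCreateProcess listing above; the NT4/2000 bytes, their service number 0x1E, and the unrecognised stub are constructed for the example, and the thunk is assumed to be the MOV EDX,ESP / SYSENTER / RET sequence Michal listed at 7FFE0300.

```c
/*
 * Added example (not code from the thread): decode an x86 NTDLL system-call
 * stub in either of the two layouts discussed above and return the service
 * number and parameter count, plus the thunk address on XP-style stubs.
 * Byte layouts come from the thread's struct (NT4/2000) and from Michal's XP
 * disassembly; the sample bytes below are constructed for this example.
 */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

typedef enum {
    STUB_UNKNOWN = 0,         /* bytes match neither layout */
    STUB_INT2E = 1,           /* NT4/2000: MOV EAX,n ; LEA EDX,[ESP+4] ; INT 2E ; RET n */
    STUB_SYSENTER_THUNK = 2   /* XP: MOV EAX,n ; MOV EDX,thunk ; CALL EDX ; RET n */
} StubKind;

typedef struct {
    StubKind kind;
    uint32_t serviceNumber;   /* immediate loaded into EAX (index into the service table) */
    uint32_t paramCount;      /* RET imm16 divided by sizeof(ULONG) */
    uint32_t thunkAddress;    /* MOV EDX immediate; 0 for the INT 2E layout */
} StubInfo;

/* Read little-endian immediates byte by byte instead of casting to a packed struct. */
static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static uint16_t rd16(const uint8_t *p)
{
    return (uint16_t)(p[0] | (p[1] << 8));
}

/* Decode a stub; kind == STUB_UNKNOWN means the bytes were not recognised. */
StubInfo ParseNtStub(const uint8_t *code, size_t len)
{
    StubInfo info = { STUB_UNKNOWN, 0, 0, 0 };

    /* Both layouts begin with B8 imm32 (MOV EAX, serviceNumber). */
    if (len < 5 || code[0] != 0xB8)
        return info;
    uint32_t svc = rd32(code + 1);

    /* NT4/2000, 14 bytes: offsets 5..8 are the LEA (not checked, matching the
       thread's GetThunkCode), 9 = CD, 10 = 2E, 11 = C2, 12..13 = RET imm16. */
    if (len >= 14 && code[9] == 0xCD && code[10] == 0x2E && code[11] == 0xC2) {
        info.kind = STUB_INT2E;
        info.serviceNumber = svc;
        info.paramCount = rd16(code + 12) / 4;
        return info;
    }

    /* XP, 15 bytes: 5 = BA imm32 (MOV EDX, thunk), 10..11 = FF D2 (CALL EDX),
       12 = C2, 13..14 = RET imm16. */
    if (len >= 15 && code[5] == 0xBA && code[10] == 0xFF && code[11] == 0xD2 && code[12] == 0xC2) {
        info.kind = STUB_SYSENTER_THUNK;
        info.serviceNumber = svc;
        info.thunkAddress = rd32(code + 6);
        info.paramCount = rd16(code + 13) / 4;
        return info;
    }
    return info;
}

/* Checks that a thunk body is the sequence Michal listed at 7FFE0300:
   8B D4 (MOV EDX,ESP) ; 0F 34 (SYSENTER) ; C3 (RET). */
int IsSysenterThunk(const uint8_t *p, size_t len)
{
    return len >= 5 && p[0] == 0x8B && p[1] == 0xD4 && p[2] == 0x0F && p[3] == 0x34 && p[4] == 0xC3;
}

/* Sample bytes. The XP stub is the ZwCreateProcess listing from the thread;
   the NT4/2000 stub (service number 0x1E) and the unrecognised stub are constructed. */
const uint8_t kXpCreateProcessStub[15] = {
    0xB8, 0x2F, 0x00, 0x00, 0x00,   /* MOV EAX, 0000002F */
    0xBA, 0x00, 0x03, 0xFE, 0x7F,   /* MOV EDX, 7FFE0300 */
    0xFF, 0xD2,                     /* CALL EDX */
    0xC2, 0x20, 0x00                /* RET 0020 -> 8 parameters */
};
const uint8_t kNt4Stub[14] = {
    0xB8, 0x1E, 0x00, 0x00, 0x00,   /* MOV EAX, 0000001E (constructed value) */
    0x8D, 0x54, 0x24, 0x04,         /* LEA EDX, [ESP+4] */
    0xCD, 0x2E,                     /* INT 2E */
    0xC2, 0x0C, 0x00                /* RET 000C -> 3 parameters */
};
const uint8_t kSysenterThunk[5] = { 0x8B, 0xD4, 0x0F, 0x34, 0xC3 };
/* Constructed: a stub that starts with a JMP (E9) instead of MOV EAX; must be rejected. */
const uint8_t kUnrecognisedStub[15] = { 0xE9, 0x00, 0x00, 0x00, 0x00 };

int main(void)
{
    StubInfo xp = ParseNtStub(kXpCreateProcessStub, sizeof kXpCreateProcessStub);
    StubInfo nt = ParseNtStub(kNt4Stub, sizeof kNt4Stub);
    printf("XP : kind=%d service=0x%02X params=%u thunk=0x%08X thunk-ok=%d\n",
           (int)xp.kind, (unsigned)xp.serviceNumber, (unsigned)xp.paramCount,
           (unsigned)xp.thunkAddress, IsSysenterThunk(kSysenterThunk, sizeof kSysenterThunk));
    printf("NT4: kind=%d service=0x%02X params=%u\n",
           (int)nt.kind, (unsigned)nt.serviceNumber, (unsigned)nt.paramCount);
    printf("bad: kind=%d\n", (int)ParseNtStub(kUnrecognisedStub, sizeof kUnrecognisedStub).kind);
    return 0;
}
```

The decoder records the thunk address and checks the thunk bytes separately rather than assuming SYSENTER, because 7FFE0300 lies in the shared user data page and its contents are whatever that build of the kernel placed there. The stub format is not a documented interface and has changed between releases, so the OS version check Michal suggests should gate which decoder is trusted, and an unexpected layout should be treated as a reason to stop rather than to guess.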

