RE: Kernel mode device driver problem - KeServiceDescriptorTable

Michal,
Someone else did originally write the code, and I am now the poor
engineer that has to fix it. Unfortunately the person/people that wrote
the code originally are now with a different company. I appreciate the
time you have taken already to help - very much.

The software hooks the CreateProcess call by replacing the address in
the service table with our own function (in a kernel mode driver),
which monitors process creation and passes the data along to the
original function.

Thanks again for your help - I guess it’s time to buy SoftICE.

-Jeremy

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Michal Vodicka
Sent: Wednesday, November 14, 2001 5:50 PM
To: NT Developers Interest List
Subject: [ntdev] RE: Kernel mode device driver problem - KeServiceDescriptorTable

Jeremy,

I’m sorry to say it but if you want to change the service table, you should
have a lot of experience with the kernel and know exactly what you’re
doing. Otherwise it is really easy to crash the system.

I presume somebody else wrote GetThunkCode(). If I understand it
correctly, it tries to verify that the ntdll code to enter the kernel is
exactly what it expects and, if so, extracts the necessary info. The XP
code was changed and the verification detects it. What you need is to
change _NTFUNC_BLOCK and the verification in the appropriate way. Below
you can see the XP code; the first column is addresses (ignore it), the
second is the real code as it is in memory and next are the corresponding
assembly instructions. From the code it should be possible to see how to
change the verification routine. You can compare it with the code from
NT4/w2k; you need a debugger or disassembler to see it. I’m sorry,
currently I don’t have time to give you something better now, maybe
tomorrow or maybe somebody else will in the meantime.

Just curious: what is the purpose of your code and who wrote original
code which works on NT/w2k? S/he should be able to improve it for XP.

Best regards,

Michal Vodicka
STMicroelectronics Design and Application s.r.o. [michal.vodicka@st.com,
http://www.st.com]


From: xxxxx@expressmetrix.com[SMTP:xxxxx@expressmetrix.com]
Reply To: xxxxx@lists.osr.com
Sent: Thursday, November 15, 2001 2:07 AM
To: xxxxx@lists.osr.com
Subject: [ntdev] RE: Kernel mode device driver problem - KeServiceDescriptorTable

Michal,
Thanks for the response, unfortunately I don’t entirely understand
what you have given me here. I’m not trying to be stupid, but I don’t
have a lot of experience with the kernel. Is the first section how NT
used to enter the kernel, and the second part the new way? I’m not
sure how I would change my GetThunkCode based on the below
information.

Jeremy

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Michal Vodicka
Sent: Wednesday, November 14, 2001 3:58 PM
To: NT Developers Interest List
Subject: [ntdev] RE: Kernel mode device driver problem - KeServiceDescriptorTable

Yes, XP changed the way to enter kernel:

:u ZwCreateProcess
_NtCreateProcess
001B:77F7E6A3 B82F000000 MOV EAX,0000002F
001B:77F7E6A8 BA0003FE7F MOV EDX,7FFE0300
001B:77F7E6AD FFD2 CALL EDX
001B:77F7E6AF C22000 RET 0020

:u 7FFE0300
001B:7FFE0300 8BD4 MOV EDX,ESP
001B:7FFE0302 0F34 SYSENTER
001B:7FFE0304 C3 RET

Just change your GetThunkCode a bit and check OS to see what version
to use.

As for the driver crash; if you’re doing such a change, you should see why
it crashes. If memory protection causes it, examine and try to change the
WP bit in CR0.

Best regards,

Michal Vodicka
STMicroelectronics Design and Application s.r.o.
[michal.vodicka@st.com, http://www.st.com]

> ----------
> From: xxxxx@expressmetrix.com[SMTP:xxxxx@expressmetrix.com]
> Reply To: xxxxx@lists.osr.com
> Sent: Wednesday, November 14, 2001 10:14 PM
> To: xxxxx@lists.osr.com
> Subject: [ntdev] Kernel mode device driver problem -
> KeServiceDescriptorTable
>
> I have an app and driver that works on NT4 through Windows 2000 SP2
> that fails on Windows XP. In user mode we would call GetProcAddress as
> follows:
>
> #include <windows.h>
>
> static BOOL GetThunkCode(FARPROC funcPtr, PULONG ntCode, PULONG ntParams);
> HMODULE hNtDll; FARPROC pFunc;
>
> ----
> /* Look up the ntdll stub for ZwCreateProcess and pull the service
>    number and argument count out of it for the driver. */
> if ((hNtDll = LoadLibrary("NTDLL.DLL")) != NULL)
> {
>     if ((pFunc = GetProcAddress(hNtDll, "ZwCreateProcess")) == NULL ||
>         !GetThunkCode(pFunc, &pInitBlock->CreateProcessHookBlock.NTCode,
>                       &pInitBlock->CreateProcessHookBlock.ParamCount))
>     {
>         FreeLibrary(hNtDll);
>         return 0;
>     }
> }
> ----
> This would get the address of the function in ntdll, we would then
> extract the service id and number of bytes required for the parameters
> using the below function:
> —
> /* Parse the NT4/Windows 2000 ntdll stub, which is laid out as
>      B8 imm32      mov  eax, <service number>
>      8D 54 24 04   lea  edx, [esp+4]
>      CD 2E         int  2Eh
>      C2 imm16      ret  <bytes of arguments>
>    and return the service number and the argument count. */
> static BOOL GetThunkCode(FARPROC funcPtr, PULONG ntCode, PULONG ntParams)
> {
> #pragma pack(1)
>     typedef struct _NTFUNC_BLOCK
>     {
>         UCHAR  moveeax;    /* 0xB8: mov eax, imm32 */
>         ULONG  thunkCode;  /* the service number */
>         UCHAR  stuff[4];   /* lea edx, [esp+4] */
>         UCHAR  insint;     /* 0xCD: int */
>         UCHAR  vector;     /* 0x2E */
>         UCHAR  insret;     /* 0xC2: ret imm16 */
>         USHORT params;     /* bytes of arguments popped by ret */
>     } NTFUNC_BLOCK, *PNTFUNC_BLOCK;
> #pragma pack()
>     PNTFUNC_BLOCK pNtFunc;
>
>     pNtFunc = (PNTFUNC_BLOCK) funcPtr;
>     /* Verify the stub is laid out the NT4/W2K way before trusting it;
>        the XP stub (mov edx, 7FFE0300 / call edx) fails these checks. */
>     if (pNtFunc->moveeax != 0xb8)
>         return FALSE;
>     if (pNtFunc->insint != 0xcd)
>         return FALSE;
>     if (pNtFunc->vector != 0x2e)
>         return FALSE;
>     if (pNtFunc->insret != 0xc2)
>         return FALSE;
>     *ntCode = pNtFunc->thunkCode;
>     *ntParams = pNtFunc->params / sizeof(ULONG);
>     return TRUE;
> }
> —
>
> The problem is that the function no longer returns the information the
> same way that it used to. We would then pass this information
> (thunkCode and number of params) to the driver which would hook into
> the KeServiceDescriptorTable replacing the real CreateProcess function
> with our own.
>
> Also, when I try to write to the KeServiceDescriptorTable at any
> serviceID, the driver immediately crashes. Did XP change the memory
> protection of the KeServiceDescriptorTable?
>
> In short, the address that we get back from GetProcAddress no longer
> has the same format - does anyone know the new format? If I can find
> the correct ServiceID for the KeServiceDescriptorTable, can I still
> replace the old address with a new one, or is it protected memory now?
>
> Thanks,
> Jeremy
>
>
> —
> You are currently subscribed to ntdev as: michal.vodicka@st.com To
> unsubscribe send a blank email to leave-ntdev-$subst(‘Recip.MemberIDChar’)@lists.osr.com
>
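A version of the stub check that accepts both layouts discussed above, the NT4/W2K int 2Eh stub that GetThunkCode expects and the XP mov edx,7FFE0300 / call edx stub from Michal's listing, as an added example that is not code from the thread; it works on constructed byte arrays instead of reading ntdll, and the NT4 service number 0x1F and the BAD_STUB bytes are made up.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Which user-mode system-call stub layout was recognised. */
typedef enum { STUB_UNKNOWN = 0, STUB_INT2E, STUB_SYSENTER } stub_kind;
static uint32_t le16(const uint8_t *p) { return (uint32_t)p[0] | (uint32_t)p[1] << 8; }
static uint32_t le32(const uint8_t *p) { return le16(p) | le16(p + 2) << 16; }

/* Parse the first bytes of an ntdll Zw/Nt export: the service number is the imm32 of
 * "mov eax" in both layouts, the argument count is the imm16 of the final "ret" / 4.
 * Returns the layout matched; the outputs are untouched when neither layout matches. */
stub_kind parse_syscall_stub(const uint8_t *p, size_t len, uint32_t *service, uint32_t *nparams)
{
    if (len < 14 || p[0] != 0xB8)            /* both layouts start with mov eax, imm32 */
        return STUB_UNKNOWN;
    /* NT4/W2K: B8 imm32 ; 8D 54 24 04 lea edx,[esp+4] ; CD 2E int 2Eh ; C2 imm16 ret */
    static const uint8_t int2e_tail[] = { 0x8D, 0x54, 0x24, 0x04, 0xCD, 0x2E, 0xC2 };
    if (memcmp(p + 5, int2e_tail, sizeof int2e_tail) == 0) {
        *service = le32(p + 1);
        *nparams = le16(p + 12) / 4;
        return STUB_INT2E;
    }
    /* XP: B8 imm32 ; BA imm32 mov edx,7FFE0300 ; FF D2 call edx ; C2 imm16 ret */
    if (len >= 15 && p[5] == 0xBA && p[10] == 0xFF && p[11] == 0xD2 && p[12] == 0xC2) {
        *service = le32(p + 1);
        *nparams = le16(p + 13) / 4;
        return STUB_SYSENTER;
    }
    return STUB_UNKNOWN;
}

/* One-value wrappers; 0xFFFFFFFF means "stub not recognised". */
stub_kind stub_layout(const uint8_t *p, size_t n) { uint32_t s = 0, a = 0; return parse_syscall_stub(p, n, &s, &a); }
uint32_t stub_service_id(const uint8_t *p, size_t n) { uint32_t s = 0, a = 0; return parse_syscall_stub(p, n, &s, &a) ? s : 0xFFFFFFFFu; }
uint32_t stub_param_count(const uint8_t *p, size_t n) { uint32_t s = 0, a = 0; return parse_syscall_stub(p, n, &s, &a) ? a : 0xFFFFFFFFu; }

/* XP_STUB is the NtCreateProcess code from the SoftICE listing above. NT4_STUB is a
 * constructed int 2Eh stub (service 0x1F is made up); BAD_STUB is it with a wrong vector. */
const uint8_t XP_STUB[]  = { 0xB8,0x2F,0,0,0, 0xBA,0x00,0x03,0xFE,0x7F, 0xFF,0xD2, 0xC2,0x20,0x00 };
const uint8_t NT4_STUB[] = { 0xB8,0x1F,0,0,0, 0x8D,0x54,0x24,0x04, 0xCD,0x2E, 0xC2,0x20,0x00 };
const uint8_t BAD_STUB[] = { 0xB8,0x1F,0,0,0, 0x8D,0x54,0x24,0x04, 0xCD,0x2F, 0xC2,0x20,0x00 };

int main(void)
{
    printf("XP stub: layout %d, service 0x%X, %u args\n", stub_layout(XP_STUB, sizeof XP_STUB),
           stub_service_id(XP_STUB, sizeof XP_STUB), stub_param_count(XP_STUB, sizeof XP_STUB));
    printf("bad stub: layout %d\n", stub_layout(BAD_STUB, sizeof BAD_STUB));
    return 0;
}
```

Dispatching on the stub bytes themselves rather than on the OS version means the check fails closed (STUB_UNKNOWN) on any layout it has not seen, which is the safer outcome for code whose output ends up in a kernel driver.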


If you are just monitoring why don’t you take a look at:

PsSetLoadImageNotifyRoutine
PsSetCreateProcessNotifyRoutine

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com]On Behalf Of Jeremy Kercheval
Sent: Wednesday, November 14, 2001 10:09 PM
To: NT Developers Interest List
Subject: [ntdev] RE: Kernel mode device driver problem - KeServiceDescriptorTable
