RE: Kernel mode device driver problem - KeServiceDescriptorTable

We are doing a bit more than just monitoring the process starting, the
app can be configured to stop launches of selected processes.

There is very little kernel programming overall, so we have been trying
other resources (this list for one) to figure out the differences and
fix the driver. We will eventually move to other methods of control I
think… My real concern is that we will have to “fix” this driver every
time MS makes a change, though this is the first problem with the driver
(and client app) in several versions, so it may not be a large concern.

We just may have someone else look at it, but once I get started on
something I like to figure it out for myself, so I keep banging away at
it… How else can I learn these things :slight_smile:

Jeremy

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Michal Vodicka
Sent: Thursday, November 15, 2001 4:35 PM
To: NT Developers Interest List
Subject: [ntdev] RE: Kernel mode device driver problem - KeServiceDescriptorTable

Jeremy,

if you only want to monitor process creation, the already recommended
PsSetCreateProcessNotifyRoutine is a good choice. It is documented (see
http://www.osr.com/ddk/k108_5lwy.htm), relatively easy to use and works
on both w2k and XP (probably also on NT4), and no undocumented hacks are
necessary. Also, you are informed about process exits. However, you
can’t influence process creation; for example, you can’t stop an evil
process from running.

As for buying SoftICE, it is a good idea if you want to do more kernel
programming in the future. If this problem is the only kernel problem
you need to solve, it would probably be cheaper and much faster to pay
somebody to solve it for you (no, it isn’t a blatant advertisement,
my working agreement explicitly disallows it :). Maybe you already
received some offers.

Best regards,

Michal Vodicka
STMicroelectronics Design and Application s.r.o. [michal.vodicka@st.com,
http://www.st.com]


From: xxxxx@expressmetrix.com[SMTP:xxxxx@expressmetrix.com]
Reply To: xxxxx@lists.osr.com
Sent: Thursday, November 15, 2001 4:09 AM
To: xxxxx@lists.osr.com
Subject: [ntdev] RE: Kernel mode device driver problem - KeServiceDescriptorTable

Michal,
Someone else did originally write the code, and I am now the poor
engineer that has to fix it. Unfortunately the person/people that
wrote the code originally are now with a different company. I
appreciate the time you have taken already to help - very much.

The software hooks the CreateProcess call by replacing the address in
the service table with our own function (in a kernel mode driver),
which monitors process creation and passes the data along to the
original function.

Thanks again for your help - I guess it’s time to buy SoftICE.

-Jeremy

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Michal Vodicka
Sent: Wednesday, November 14, 2001 5:50 PM
To: NT Developers Interest List
Subject: [ntdev] RE: Kernel mode device driver problem - KeServiceDescriptorTable

Jeremy,

I’m sorry to say it but if you want to change the service table, you
should have a lot of experience with the kernel and know exactly what
you’re doing. Otherwise it is really easy to crash the system.

I presume somebody else wrote GetThunkCode(). If I understand it
correctly, it tries to verify that the ntdll code that enters the kernel
is exactly what it expects and, if so, extracts the necessary info. The
XP code was changed and the verification detects it. What you need is
to change _NTFUNC_BLOCK and the verification in an appropriate way.
Below you can see the XP code; the first column is the address (ignore
it), the second the actual code as it is in memory, and the next the
corresponding assembly instructions. From the code it should be
possible to see how to change the verification routine. You can compare
it with the code from NT4/w2k; you need a debugger or disassembler to
see it. I’m sorry, currently I don’t have time to give you something
better, maybe tomorrow or maybe somebody else will in the meantime.

Just curious: what is the purpose of your code and who wrote the
original code which works on NT/w2k? S/he should be able to improve it
for XP.

Best regards,

Michal Vodicka
STMicroelectronics Design and Application s.r.o.
[michal.vodicka@st.com, http://www.st.com]

> ----------
> From: xxxxx@expressmetrix.com[SMTP:xxxxx@expressmetrix.com]
> Reply To: xxxxx@lists.osr.com
> Sent: Thursday, November 15, 2001 2:07 AM
> To: xxxxx@lists.osr.com
> Subject: [ntdev] RE: Kernel mode device driver problem -
> KeServiceDescriptorTable
>
> Michal,
> Thanks for the response, unfortunately I don’t entirely understand
> what you have given me here. I’m not trying to be stupid, but I don’t
> have a lot of experience with the kernel. Is the first section how NT
> used to enter the kernel, and the second part the new way? I’m not
> sure how I would change my GetThunkCode based on the below
> information.
>
> Jeremy
>
> -----Original Message-----
> From: xxxxx@lists.osr.com
> [mailto:xxxxx@lists.osr.com] On Behalf Of Michal Vodicka
> Sent: Wednesday, November 14, 2001 3:58 PM
> To: NT Developers Interest List
> Subject: [ntdev] RE: Kernel mode device driver problem -
> KeServiceDescriptorTable
>
>
> Yes, XP changed the way to enter the kernel:
>
> :u ZwCreateProcess
> _NtCreateProcess
> 001B:77F7E6A3 B82F000000 MOV EAX,0000002F
> 001B:77F7E6A8 BA0003FE7F MOV EDX,7FFE0300
> 001B:77F7E6AD FFD2 CALL EDX
> 001B:77F7E6AF C22000 RET 0020
>
> :u 7FFE0300
> 001B:7FFE0300 8BD4 MOV EDX,ESP
> 001B:7FFE0302 0F34 SYSENTER
> 001B:7FFE0304 C3 RET
>
> Just change your GetThunkCode a bit and check OS to see what version
> to use.
>
> As for the driver crash; if you’re doing such a change, you should see
> why it crashes. If memory protection causes it, examine and try to
> change the WP bit in CR0.
>
> Best regards,
>
> Michal Vodicka
> STMicroelectronics Design and Application s.r.o.
> [michal.vodicka@st.com, http://www.st.com]
>
> > ----------
> > From: xxxxx@expressmetrix.com[SMTP:xxxxx@expressmetrix.com]
> > Reply To: xxxxx@lists.osr.com
> > Sent: Wednesday, November 14, 2001 10:14 PM
> > To: xxxxx@lists.osr.com
> > Subject: [ntdev] Kernel mode device driver problem -
> > KeServiceDescriptorTable
> >
> > I have an app and driver that works on NT4 through Windows 2000
> > SP2 that fails on Windows XP. In user mode we would call
> > GetProcAddress as follows:
> >
> > BOOL GetThunkCode(FARPROC funcPtr, PULONG ntCode, PULONG ntParams);
> > HMODULE hNtDll;
> > FARPROC pFunc;
> >
> > ----
> > /* pInitBlock is the hook initialisation block declared elsewhere;
> >    the values stored into it are later handed to the driver. */
> > if ((hNtDll = LoadLibrary("NTDLL.DLL")) != NULL)
> > {
> >     if ((pFunc = GetProcAddress(hNtDll, "ZwCreateProcess")) == NULL ||
> >         !GetThunkCode(pFunc, &pInitBlock->CreateProcessHookBlock.NTCode,
> >                       &pInitBlock->CreateProcessHookBlock.ParamCount))
> >     {
> >         FreeLibrary(hNtDll);
> >         return 0;
> >     }
> > }
> > ----
> > This would get the address of the function in ntdll, we would then
> > extract the service id and number of bytes required for the
> > parameters using the below function:
> > ----
> > static BOOL GetThunkCode(FARPROC funcPtr, PULONG ntCode, PULONG ntParams)
> > {
> >     /* Expected layout of an NT4 / Windows 2000 ntdll system-call stub:
> >      *   B8 imm32    MOV EAX, serviceId     (moveeax, thunkCode)
> >      *   4 bytes     LEA EDX,[ESP+4]        (stuff, not verified)
> >      *   CD 2E       INT 2E                 (insint, vector)
> >      *   C2 imm16    RET paramBytes         (insret, params)
> >      */
> > #pragma pack(1)
> >     typedef struct _NTFUNC_BLOCK
> >     {
> >         UCHAR  moveeax;
> >         ULONG  thunkCode;
> >         UCHAR  stuff[4];
> >         UCHAR  insint;
> >         UCHAR  vector;
> >         UCHAR  insret;
> >         USHORT params;
> >     } *PNTFUNC_BLOCK;
> > #pragma pack()
> >     PNTFUNC_BLOCK pNtFunc;
> >
> >     pNtFunc = (PNTFUNC_BLOCK) funcPtr;
> >     if (pNtFunc->moveeax != 0xb8)      /* MOV EAX, imm32 */
> >         return FALSE;
> >     if (pNtFunc->insint != 0xcd)       /* INT ... */
> >         return FALSE;
> >     if (pNtFunc->vector != 0x2e)       /* ... 2Eh */
> >         return FALSE;
> >     if (pNtFunc->insret != 0xc2)       /* RET imm16 */
> >         return FALSE;
> >     *ntCode = pNtFunc->thunkCode;                  /* service id (SSDT index) */
> >     *ntParams = pNtFunc->params / sizeof(ULONG);   /* argument bytes -> count */
> >     return TRUE;
> > }
> > ----
> >
> > The problem is that the function no longer returns the information the
> > same way that it used to. We would then pass this information
> > (thunkCode and number of params) to the driver which would hook into
> > the KeServiceDescriptorTable replacing the real CreateProcess function
> > with our own.
> >
> > Also, when I try to write to the KeServiceDescriptorTable at any
> > serviceID, the driver immediately crashes. Did XP change the memory
> > protection of the KeServiceDescriptorTable?
> >
> > In short, the address that we get back from GetProcAddress no
> > longer has the same format - does anyone know the new format? If
> > I can find the correct ServiceID for the KeServiceDescriptorTable,
> > can I still replace the old address with a new one, or is it
> > protected memory now?
> >
> > Thanks,
> > Jeremy
> >
> >
> > —
> > You are currently subscribed to ntdev as: michal.vodicka@st.com
> > To unsubscribe send a blank email to leave-ntdev-$subst(‘Recip.MemberIDChar’)@lists.osr.com
> >
>
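As an added example (not code from this thread or its authors), the following C decoder does what Michal suggests GetThunkCode should do: recognise both stub layouts quoted above, the NT4/Windows 2000 INT 2E form and the XP form that calls the SYSENTER shim at 7FFE0300, extract the service id and parameter count, and refuse anything it does not understand instead of misreading it, which is what keeps a driver from being handed a wrong service index. The XP sample bytes are taken from the disassembly in the thread; the NT4 sample, its LEA EDX,[ESP+4] bytes and the non-stub sample are constructed for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
typedef enum { STUB_INT2E = 1, STUB_SYSENTER = 2 } stub_kind;      /* which stub form matched */
typedef struct { stub_kind kind; uint32_t service_id; uint32_t param_count; } stub_info;
static uint32_t rd32(const uint8_t *p) { return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24); }
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
/* Decode an ntdll system-call stub of either generation. Returns 1 on success, 0 when the bytes
 * match neither layout (the case the thread's GetThunkCode hit on XP). len bounds every read. */
int decode_stub(const uint8_t *p, size_t len, stub_info *out)
{
    memset(out, 0, sizeof *out);
    if (len < 5 || p[0] != 0xB8)                       /* B8 imm32: MOV EAX, service id */
        return 0;
    out->service_id = rd32(p + 1);
    /* NT4 / Windows 2000 (_NTFUNC_BLOCK): 4 skipped bytes (LEA EDX,[ESP+4]), CD 2E INT 2E, C2 imm16 RET n */
    if (len >= 14 && p[9] == 0xCD && p[10] == 0x2E && p[11] == 0xC2) {
        out->kind = STUB_INT2E;
        out->param_count = (uint32_t)(rd16(p + 12) / sizeof(uint32_t));
        return 1;
    }
    /* Windows XP (thread's disassembly): BA 00 03 FE 7F MOV EDX,7FFE0300; FF D2 CALL EDX; C2 imm16 RET n */
    if (len >= 15 && p[5] == 0xBA && rd32(p + 6) == 0x7FFE0300u &&
        p[10] == 0xFF && p[11] == 0xD2 && p[12] == 0xC2) {
        out->kind = STUB_SYSENTER;
        out->param_count = (uint32_t)(rd16(p + 13) / sizeof(uint32_t));
        return 1;
    }
    return 0;
}
/* Single-field accessors; on a non-stub they return -1 / 0xFFFFFFFF instead of garbage. */
int      stub_kind_of(const uint8_t *p, size_t n) { stub_info i; return decode_stub(p, n, &i) ? (int)i.kind : -1; }
uint32_t stub_service(const uint8_t *p, size_t n) { stub_info i; return decode_stub(p, n, &i) ? i.service_id : 0xFFFFFFFFu; }
uint32_t stub_params (const uint8_t *p, size_t n) { stub_info i; return decode_stub(p, n, &i) ? i.param_count : 0xFFFFFFFFu; }
/* Samples. kXp is the ZwCreateProcess stub as disassembled in the thread. kNt4 is CONSTRUCTED from
 * the _NTFUNC_BLOCK layout with the same id and RET 20 for comparison; kJunk is a constructed non-stub. */
static const uint8_t kXp[]   = { 0xB8,0x2F,0,0,0, 0xBA,0x00,0x03,0xFE,0x7F, 0xFF,0xD2, 0xC2,0x20,0x00 };
static const uint8_t kNt4[]  = { 0xB8,0x2F,0,0,0, 0x8D,0x54,0x24,0x04, 0xCD,0x2E, 0xC2,0x20,0x00 };
static const uint8_t kJunk[] = { 0x55,0x8B,0xEC,0x83,0xEC,0x10,0xC3 };
int main(void)
{
    const uint8_t *s[] = { kXp, kNt4, kJunk };
    size_t n[] = { sizeof kXp, sizeof kNt4, sizeof kJunk };
    for (int k = 0; k < 3; k++)
        printf("sample %d: kind=%d service=0x%X params=%u\n", k,
               stub_kind_of(s[k], n[k]), stub_service(s[k], n[k]), stub_params(s[k], n[k]));
    return 0;
}
```

The XP sample decodes to service id 0x2F with 0x20 bytes of arguments, i.e. eight parameters, while the truncated or foreign buffers are rejected rather than partially parsed.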