This unix guy (me) needs a little help..

After the company did some project/people shuffling, I inherited a
prototype (proof-of-concept) windows filter driver. I’m a Unix kernel
developer so I am trying to learn the window’s I/O model and the driver
code while fixing some bugs (great way to learn, huh?). I am chasing a
problem that has me stumped so I am hoping someone can point me in the
right direction. This problem is on a XP SP1 system (but I think it may
be applicable to other versions).

In DriverEntry(), ZwQuerySystemInformation() is invoked using
sub-function SystemModuleInformation. The returned buffer is scanned
for an entry for ‘ntdll.dll’ and the module’s base address in memory is
used to find an entry point for later use (note: after doing some
reading and lurking, I understand the horrors of leveraging all of this
undocumented stuff…I didn’t write the code, just trying to
understand/fix it!).

During system initialization (boot), the address lookup is performed, as
described above, and actually yields the correct results. If the driver
is unloaded, which seems to work, and then reloaded, the system will
blue screen intermittently. These blue screens seem to depend on system
load and how ‘busy’ the system is. The system crashes while attempting
to reference ntdll.dll’s module base address that was obtained as
described above. In other words, what appears to have worked before
during system initialization and can be referenced, after the system has
been running for some time, the same memory is no longer accessible.

Looking at the memory dump produced, windbg indicates that a page fault
occurred in a nonpaged area. The address I am trying to reference (the
module’s base address) appears to be in the nonpaged pool. OK, so I
used !pte and !vad on the address and the page tables don’t indicate the
address is valid. I then used !address which displays the base address
of ntdll.dll (the address I am trying to read), the correct size and the
usage of ‘KernelSpaceUsageImage’, so it appears that the address that I
have for the base is ‘correct’ and is associated with ntdll.dll. Then I
used !imgreloc and amongst the printout it had a line that said “Unable
to read image header at xxxxxx” where xxxxx is the address I am trying
to reference, the module base address of ntdll.dll. In addition to the
“unable to read…” that I saw for ntdll.dll, there were six (6) others
for: win32k.sys, ati2dvag.dll, ati2cqag.dll, ati3d1ag.dll, hpblff2.dll
and dxg.sys; all of these addresses are in the b800000 through bff80000
range. I attempted to display some of these memory locations and windbg
always displays ‘???’ so I assume they are not valid addresses.

So, other than the fact that this is a great illustration of why you
should never use undocumented stuff, I have the following questions:

1. Why would an address for a system interface module be perfectly
   usable during boot (and while a system is not busy) but not usable later
   on after the system has been running for some time? I assume the answer
   is that this memory is released later on if/when needed. If released,
   why the memory associated with ntdll.dll?

2. Why would memory in nonpaged pool not be available? I thought if it
   was in nonpaged pool it is still usable.

3. I am still slogging through trying to understand the MmXxxxx()
   routines; is there a way to obtain visibility to this memory *if* the
   data is still valid?

And yes, one of my action items is to get to the point of getting rid of
all of this undocumented cruft…as soon as I understand what is going
on.

Thanks for any and all advice

Why the driver imports something from ntdll, which is a user-mode binary?

Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
xxxxx@storagecraft.com
http://www.storagecraft.com

----- Original Message -----
From: “Vossen, Joseph (ISS Atlanta)”
To: “Windows File Systems Devs Interest List”
Sent: Friday, August 06, 2004 4:41 PM
Subject: [ntfsd] This unix guy (me) needs a little help…

> After the company did some project/people shuffling, I inherited a
> prototype (proof-of-concept) windows filter driver. I’m a Unix kernel
> developer so I am trying to learn the window’s I/O model and the driver
> code while fixing some bugs (great way to learn, huh?). I am chasing a
> problem that has me stumped so I am hoping someone can point me in the
> right direction. This problem is on a XP SP1 system (but I think it may
> be applicable to other versions).
>
> In DriverEntry(), ZwQuerySystemInformation() is invoked using
> sub-function SystemModuleInformation. The returned buffer is scanned
> for an entry for ‘ntdll.dll’ and the module’s base address in memory is
> used to find an entry point for later use (note: after doing some
> reading and lurking, I understand the horrors of leveraging all of this
> undocumented stuff…I didn’t write the code, just trying to
> understand/fix it!).
>
> During system initialization (boot), the address lookup is performed, as
> described above, and actually yields the correct results. If the driver
> is unloaded, which seems to work, and then reloaded, the system will
> blue screen intermittently. These blue screens seem to depend on system
> load and how ‘busy’ the system is. The system crashes while attempting
> to reference ntdll.dll’s module base address that was obtained as
> described above. In other words, what appears to have worked before
> during system initialization and can be referenced, after the system has
> been running for some time, the same memory is no longer accessible.
>
> Looking at the memory dump produced, windbg indicates that a page fault
> occurred in a nonpaged area. The address I am trying to reference (the
> module’s base address) appears to be in the nonpaged pool. OK, so I
> used !pte and !vad on the address and the page tables don’t indicate the
> address is valid. I then used !address which displays the base address
> of ntdll.dll (the address I am trying to read), the correct size and the
> usage of ‘KernelSpaceUsageImage’, so it appears that the address that I
> have for the base is ‘correct’ and is associated with ntdll.dll. Then I
> used !imgreloc and amongst the printout it had a line that said “Unable
> to read image header at xxxxxx” where xxxxx is the address I am trying
> to reference, the module base address of ntdll.dll. In addition to the
> “unable to read…” that I saw for ntdll.dll, there were six (6) others
> for: win32k.sys, ati2dvag.dll, ati2cqag.dll, ati3d1ag.dll, hpblff2.dll
> and dxg.sys; all of these addresses are in the b800000 through bff80000
> range. I attempted to display some of these memory locations and windbg
> always displays ‘???’ so I assume they are not valid addresses.
>
> So, other than the fact that this is a great illustration of why you
> should never use undocumented stuff, I have the following questions:
>
> 1. Why would an address for a system interface module be perfectly
> usable during boot (and while a system is not busy) but not usable later
> on after the system has been running for some time? I assume the answer
> is that this memory is released later on if/when needed. If released,
> why the memory associated with ntdll.dll?
>
> 2. Why would memory in nonpaged pool not be available? I thought if it
> was in nonpaged pool it is still usable.
>
> 3. I am still slogging through trying to understand the MmXxxxx()
> routines; is there a way to obtain visibility to this memory if the
> data is still valid?
>
> And yes, one of my action items is to get to the point of getting rid of
> all of this undocumented cruft…as soon as I understand what is going
> on.
>
> Thanks for any and all advice
>
> —
> Questions? First check the IFS FAQ at
https://www.osronline.com/article.cfm?id=17
>
> You are currently subscribed to ntfsd as: xxxxx@storagecraft.com
> To unsubscribe send a blank email to xxxxx@lists.osr.com
>

I’ll bet that the driver hooks an entry in the system service table and
gets the function code from ntdll.dll. Although I would expect the crash
to happen when some system call returns to hook code that is no longer
there after unload …

Cheers,
Felix.

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Maxim S. Shatskih
Sent: Friday, 6 August 2004 05:55
To: Windows File Systems Devs Interest List
Subject: Re: [ntfsd] This unix guy (me) needs a little help…

Why the driver imports something from ntdll, which is a user-mode
binary?

Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
xxxxx@storagecraft.com
http://www.storagecraft.com

----- Original Message -----
From: “Vossen, Joseph (ISS Atlanta)”
To: “Windows File Systems Devs Interest List”
Sent: Friday, August 06, 2004 4:41 PM
Subject: [ntfsd] This unix guy (me) needs a little help…

> After the company did some project/people shuffling, I inherited a
> prototype (proof-of-concept) windows filter driver. I’m a Unix kernel
> developer so I am trying to learn the window’s I/O model and the
driver
> code while fixing some bugs (great way to learn, huh?). I am chasing
a
> problem that has me stumped so I am hoping someone can point me in the
> right direction. This problem is on a XP SP1 system (but I think it
may
> be applicable to other versions).
>
> In DriverEntry(), ZwQuerySystemInformation() is invoked using
> sub-function SystemModuleInformation. The returned buffer is scanned
> for an entry for ‘ntdll.dll’ and the module’s base address in memory
is
> used to find an entry point for later use (note: after doing some
> reading and lurking, I understand the horrors of leveraging all of
this
> undocumented stuff…I didn’t write the code, just trying to
> understand/fix it!).
>
> During system initialization (boot), the address lookup is performed,
as
> described above, and actually yields the correct results. If the
driver
> is unloaded, which seems to work, and then reloaded, the system will
> blue screen intermittently. These blue screens seem to depend on
system
> load and how ‘busy’ the system is. The system crashes while
attempting
> to reference ntdll.dll’s module base address that was obtained as
> described above. In other words, what appears to have worked before
> during system initialization and can be referenced, after the system
has
> been running for some time, the same memory is no longer accessible.
>
> Looking at the memory dump produced, windbg indicates that a page
fault
> occurred in a nonpaged area. The address I am trying to reference
(the
> module’s base address) appears to be in the nonpaged pool. OK, so I
> used !pte and !vad on the address and the page tables don’t indicate
the
> address is valid. I then used !address which displays the base
address
> of ntdll.dll (the address I am trying to read), the correct size and
the
> usage of ‘KernelSpaceUsageImage’, so it appears that the address that
I
> have for the base is ‘correct’ and is associated with ntdll.dll. Then
I
> used !imgreloc and amongst the printout it had a line that said
“Unable
> to read image header at xxxxxx” where xxxxx is the address I am trying
> to reference, the module base address of ntdll.dll. In addition to
the
> “unable to read…” that I saw for ntdll.dll, there were six (6)
others
> for: win32k.sys, ati2dvag.dll, ati2cqag.dll, ati3d1ag.dll, hpblff2.dll
> and dxg.sys; all of these addresses are in the b800000 through
bff80000
> range. I attempted to display some of these memory locations and
windbg
> always displays ‘???’ so I assume they are not valid addresses.
>
> So, other than the fact that this is a great illustration of why you
> should never use undocumented stuff, I have the following questions:
>
> 1. Why would an address for a system interface module be perfectly
> usable during boot (and while a system is not busy) but not usable
later
> on after the system has been running for some time? I assume the
answer
> is that this memory is released later on if/when needed. If released,
> why the memory associated with ntdll.dll?
>
> 2. Why would memory in nonpaged pool not be available? I thought if
it
> was in nonpaged pool it is still usable.
>
> 3. I am still slogging through trying to understand the MmXxxxx()
> routines; is there a way to obtain visibility to this memory if the
> data is still valid?
>
> And yes, one of my action items is to get to the point of getting rid
of
> all of this undocumented cruft…as soon as I understand what is
going
> on.
>
> Thanks for any and all advice
>
> —
> Questions? First check the IFS FAQ at
https://www.osronline.com/article.cfm?id=17
>
> You are currently subscribed to ntfsd as: xxxxx@storagecraft.com
> To unsubscribe send a blank email to xxxxx@lists.osr.com
>

—
Questions? First check the IFS FAQ at
https://www.osronline.com/article.cfm?id=17

You are currently subscribed to ntfsd as: xxxxx@mvps.org
To unsubscribe send a blank email to xxxxx@lists.osr.com

> Why the driver imports something from ntdll, which is a

user-mode binary?

It is looking for a single Zwxxxxx() entry point.

> I’ll bet that the driver hooks an entry in the system service

table and gets the function code from ntdll.dll. Although I
would expect the crash to happen when some system call
returns to hook code that is no longer there after unload …

That is correct, however the ‘hook’ is properly backed out during
unload. If someone else also hooks the same function, the unload does
not take place.

What is this entry point? Maybe look for it in NTOSKRNL instead?

Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
xxxxx@storagecraft.com
http://www.storagecraft.com

----- Original Message -----
From: “Vossen, Joseph (ISS Atlanta)”
To: “Windows File Systems Devs Interest List”
Sent: Friday, August 06, 2004 5:03 PM
Subject: RE: [ntfsd] This unix guy (me) needs a little help…

> > Why the driver imports something from ntdll, which is a
> > user-mode binary?
>
> It is looking for a single Zwxxxxx() entry point.
>
> —
> Questions? First check the IFS FAQ at
https://www.osronline.com/article.cfm?id=17
>
> You are currently subscribed to ntfsd as: xxxxx@storagecraft.com
> To unsubscribe send a blank email to xxxxx@lists.osr.com
>

There are no chances of undoing the hook properly.
So, the driver which uses hooking must never unload. It is impossible.

Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
xxxxx@storagecraft.com
http://www.storagecraft.com

----- Original Message -----
From: “Vossen, Joseph (ISS Atlanta)”
To: “Windows File Systems Devs Interest List”
Sent: Friday, August 06, 2004 5:09 PM
Subject: RE: [ntfsd] This unix guy (me) needs a little help…

> > I’ll bet that the driver hooks an entry in the system service
> > table and gets the function code from ntdll.dll. Although I
> > would expect the crash to happen when some system call
> > returns to hook code that is no longer there after unload …
>
> That is correct, however the ‘hook’ is properly backed out during
> unload. If someone else also hooks the same function, the unload does
> not take place.
>
> —
> Questions? First check the IFS FAQ at
https://www.osronline.com/article.cfm?id=17
>
> You are currently subscribed to ntfsd as: xxxxx@storagecraft.com
> To unsubscribe send a blank email to xxxxx@lists.osr.com
>

> What is this entry point? Maybe look for it in NTOSKRNL instead?

Good idea, I’ll check. But I am still curious about why the memory is
no longer available after the system has been running for some time. I
am tyring to understand how the memory routines work (I am currently
reading Tony and Peter’s book on this…)

> There are no chances of undoing the hook properly.

So, the driver which uses hooking must never unload. It
is impossible.

OK…if you say so

Joseph,

That is correct, however the ‘hook’ is properly
> backed out during unload.

Four things:

(a) Do you keep a refcount of active calls into the hook, making sure
the driver unloads only after all calls have returned? Mind you, even
this is not safe – I can think of a number of possible race conditions
– but it would be a start. For safe unloading of drivers, don’t hook
system services.

(b) There are two kinds of processes without NTDLL loaded – processes
being created (process object exists, address space exists, NTDLL not
yet mapped), and the system process. Trying to reference NTDLL in either
context is bad.

(c) A third thing: Does the driver blow up right away (i.e., when it
attempts to read the function code out of NTDLL), or does it get
something, and a later system call goes nuts? XPSP1 and beyond use
parameter-checking NTDLL stubs with verifier, at least in checked
builds, I seem to recall; the upshot is that the stubs in NTDLL no
longer necessarily start with a mov eax, function_code. (Besides, that
never held for non-x86 architectures.)

(d) Or does it blow up right after grabbing a function code (syscall
index) from NTDLL – that is, when trying to modify the system service
table? In that case, you might be running afoul of the table being
read-only.

Cheers,
Felix.

P.S.: You should consider Max’ suggestion – look up the API entry point
for the NtXxx() routine in NTOSKRNL, then find that address in the
service table. Just as icky as any other system service hook, but
perhaps more likely to work.

Felix wrote a more detailed description.

It is always better to not use any hooks. If hook usage is inevitable -
then at least load as early as possible and never unload. Consider your code to
be a direct addon to NTOSKRNL.

Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
xxxxx@storagecraft.com
http://www.storagecraft.com

----- Original Message -----
From: “Vossen, Joseph (ISS Atlanta)”
To: “Windows File Systems Devs Interest List”
Sent: Friday, August 06, 2004 5:24 PM
Subject: RE: [ntfsd] This unix guy (me) needs a little help…

> > There are no chances of undoing the hook properly.
> > So, the driver which uses hooking must never unload. It
> > is impossible.
>
> OK…if you say so
>
> —
> Questions? First check the IFS FAQ at
https://www.osronline.com/article.cfm?id=17
>
> You are currently subscribed to ntfsd as: xxxxx@storagecraft.com
> To unsubscribe send a blank email to xxxxx@lists.osr.com
>

> > That is correct, however the ‘hook’ is properly

> backed out during unload.

Four things:

(a) Do you keep a refcount of active calls into the hook,
making sure the driver unloads only after all calls have
returned? Mind you, even this is not safe – I can think of a
number of possible race conditions
– but it would be a start. For safe unloading of drivers,
don’t hook system services.

Yes, a reference count is maintained. I agree with your comment about
hooking system services, and in general, using undocumented routines.
Like I said, I inherited this code and I am trying to understand it as
it is written. Once that happens, it will be changed.

(b) There are two kinds of processes without NTDLL loaded –
processes being created (process object exists, address space
exists, NTDLL not yet mapped), and the system process. Trying
to reference NTDLL in either context is bad.

OK…so is ntdll memory mapped? If so, by whom? Does initialiazation
(boot) code pull it in to build up tables and we were just lucky that it
was still available the first time the driver was loaded?

(c) A third thing: Does the driver blow up right away (i.e.,
when it attempts to read the function code out of NTDLL), or
does it get something, and a later system call goes nuts?

Immediately when trying to reference an offset from the base address of
the module.

XPSP1 and beyond use parameter-checking NTDLL stubs with
verifier, at least in checked builds, I seem to recall; the
upshot is that the stubs in NTDLL no longer necessarily start
with a mov eax, function_code. (Besides, that never held for
non-x86 architectures.)

OK

(d) Or does it blow up right after grabbing a function code (syscall
index) from NTDLL – that is, when trying to modify the
system service table? In that case, you might be running
afoul of the table being read-only.

At the point of the crash, it has not even gotten that far; it is taking
the module base address, adding in an offset (0x3c) and reading the
memory at that location. The base address of ntdll in the dump is
located at 0x0bfc32000 with an offset of 0x03c yields 0xbfc3203c. The
dump (shown with !address) indicates that the module is located at
0x0bfc32000 with a length of 0x0a7000. However, at the point of the
crash this memory is not present. I have single-stepped this code
during boot with SoftIce and at that point in time it works.

> Felix wrote a more detailed description.

It is always better to not use any hooks. If hook usage
is inevitable - then at least load as early as possible and
never unload. Consider your code to be a direct addon to NTOSKRNL.

I completely understand that and I as have mentioned before, this was
inherited code that will be changed once I become grounded. While this
is an issue, it does not answer the original question(s) of why I am
able to read memory during system initialization, but not later on after
the system has been running for some time. I am trying to understand
how the kernel handles modules like ntdll.

It was mentioned in brief but I thought I would restate. On XP and higher
NTDLL is no longer mapped into the system process by default. You must read
the ntdll from a “known” process such as your user mode code. This means
you can not do this in DriverEntry.

Thanks,
Rob

-----Original Message-----
From: xxxxx@lists.osr.com [mailto:bounce-183680-
xxxxx@lists.osr.com] On Behalf Of Vossen, Joseph (ISS Atlanta)
Sent: Friday, August 06, 2004 9:53 AM
To: Windows File Systems Devs Interest List
Subject: RE: [ntfsd] This unix guy (me) needs a little help…

> Felix wrote a more detailed description.
>
> It is always better to not use any hooks. If hook usage
> is inevitable - then at least load as early as possible and
> never unload. Consider your code to be a direct addon to NTOSKRNL.

I completely understand that and I as have mentioned before, this was
inherited code that will be changed once I become grounded. While this
is an issue, it does not answer the original question(s) of why I am
able to read memory during system initialization, but not later on after
the system has been running for some time. I am trying to understand
how the kernel handles modules like ntdll.

---

Questions? First check the IFS FAQ at
https://www.osronline.com/article.cfm?id=17

You are currently subscribed to ntfsd as: xxxxx@cdp.com
To unsubscribe send a blank email to xxxxx@lists.osr.com

I had a same problem almost 2 yrs ago, when I found that win32k.sys on xp
does not necessarily stay resident thruout the system session. Basically,
I would suspect “how would you keep it(ntdll) resident” all along the
session"
is the thing you really need to shoot for. For us, IIRC, it was simple to
create
a dummy window to keep refcnt or something, so that win32k.sys does not
slipout.

-pro

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com]On Behalf Of Vossen, Joseph
(ISS Atlanta)
Sent: Friday, August 06, 2004 6:53 AM
To: Windows File Systems Devs Interest List
Subject: RE: [ntfsd] This unix guy (me) needs a little help…

Felix wrote a more detailed description.

It is always better to not use any hooks. If hook usage
is inevitable - then at least load as early as possible and
never unload. Consider your code to be a direct addon to NTOSKRNL.

I completely understand that and I as have mentioned before, this was
inherited code that will be changed once I become grounded. While this
is an issue, it does not answer the original question(s) of why I am
able to read memory during system initialization, but not later on after
the system has been running for some time. I am trying to understand
how the kernel handles modules like ntdll.

Questions? First check the IFS FAQ at
https://www.osronline.com/article.cfm?id=17

You are currently subscribed to ntfsd as: xxxxx@garlic.com
To unsubscribe send a blank email to xxxxx@lists.osr.com

> It was mentioned in brief but I thought I would restate. On

XP and higher NTDLL is no longer mapped into the system
process by default. You must read the ntdll from a “known”
process such as your user mode code. This means you can not
do this in DriverEntry.

That would explain it…thanks

Hi!

OK…so is ntdll memory mapped? If so, by whom?

By the process initialisation code. All PE files are memory-mapped, by
the way; like vanilla paged memory but backed by a separate file (except
for writable pages, of course, which are backed by the page file).

Does initialiazation (boot) code pull it in […]

Possibly. In my debug systems, there is no trace of ntdll.dll up there.
The address you give is in kernel space, where ntdll is not supposed to
be. Does your driver map it there? If not, who does? NTDLL has no
relocation info, if memory serves; so it shouldn’t ever load at any
address but just below the 2GB line, and I cannot see the OS doing that.

I am starting to suspect that the driver tries to map NTDLL into system
space … and gets it badly wrong. Is it trying to do that while in the
context of the system process (e.g., DriverEntry())?

If you absolutely must read NTDLL to get your hook info, the decent way
would be to have a user-mode app of yours call an IOCTL in your driver,
passing in the address of its “own” mapping of NTDLL (or you go looking
for it, same thing to me). That guarantees you a context in which NTDLL
is loaded and accessible (process initialised, not system process), and
that you are running at PASSIVE_LEVEL so you can touch user-mode memory.
You will, of course, have to do a non-trivial amount of work making sure
that nobody pulls out the rug from under you while you do that; drivers
that read NTDLL usually do not bother with little things like trying to
be exception-safe.

Cheers,
Felix.

Hi!

That is all well and good, but NTDLL isn’t supposed to float around in
kernel space in the first place. So my question wouldn’t be, has it been
kicked out? but rather, how did it get there?

Cheers,
Felix.

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Prokash Sinha
Sent: Friday, 6 August 2004 07:37
To: Windows File Systems Devs Interest List
Subject: RE: [ntfsd] This unix guy (me) needs a little help…

I had a same problem almost 2 yrs ago, when I found that win32k.sys on
xp
does not necessarily stay resident thruout the system session.
Basically,
I would suspect “how would you keep it(ntdll) resident” all along the
session"
is the thing you really need to shoot for. For us, IIRC, it was simple
to
create
a dummy window to keep refcnt or something, so that win32k.sys does not
slipout.

-pro

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com]On Behalf Of Vossen, Joseph
(ISS Atlanta)
Sent: Friday, August 06, 2004 6:53 AM
To: Windows File Systems Devs Interest List
Subject: RE: [ntfsd] This unix guy (me) needs a little help…

Felix wrote a more detailed description.

It is always better to not use any hooks. If hook usage
is inevitable - then at least load as early as possible and
never unload. Consider your code to be a direct addon to NTOSKRNL.

I completely understand that and I as have mentioned before, this was
inherited code that will be changed once I become grounded. While this
is an issue, it does not answer the original question(s) of why I am
able to read memory during system initialization, but not later on after
the system has been running for some time. I am trying to understand
how the kernel handles modules like ntdll.

Questions? First check the IFS FAQ at
https://www.osronline.com/article.cfm?id=17

You are currently subscribed to ntfsd as: xxxxx@garlic.com
To unsubscribe send a blank email to xxxxx@lists.osr.com

Questions? First check the IFS FAQ at
https://www.osronline.com/article.cfm?id=17

You are currently subscribed to ntfsd as: xxxxx@mvps.org
To unsubscribe send a blank email to xxxxx@lists.osr.com

> That is all well and good, but NTDLL isn’t supposed to float

around in kernel space in the first place. So my question
wouldn’t be, has it been kicked out? but rather, how did it get there?

Not by the driver so I’m not sure how or where it is loaded, just that
it is present. My (probably incorrect) assumption was that the kernel
needed to load it to initialize some tables, perhaps using ntdll as a
‘template’.

In a previous email you offered as a suggestion to use an IOCTL to pass
down the information…that sounds like a noble way to accomplish what
needs to be done

thanks

Note: NTDLL is the first file opened in the system, this open causes SystemRoot
to mount.

The reason is that the kernel needs the addresses of 3 NTDLL user-mode
routines - KiUserApc/Exception/CallbackDispatcher - to operate properly. These
addresses are extracted rather early.

be. Does your driver map it there? If not, who does? NTDLL has no
relocation info, if memory serves;

It has, at least on w2k, as also kernel32. The reason is (possibly) the /3GB
boot option.

If you absolutely must read NTDLL to get your hook info

I would suggest touching NTOSKRNL instead of NTDLL for hooks.

Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
xxxxx@storagecraft.com
http://www.storagecraft.com