Is there any way from which we can know which driver (i.e. driver name or driver object pointer) invoked the specific system call?
I was thinking about hooking the system call function like PsCreateSystemThread etc. and invoking PsGetCurrentProcessId from inside.
Your question doesn’t make a lot of sense. Typically ‘system call’
refers to an application request for OS services through a defined
API. Some drivers use the kernel version of the system service API,
but that is not the normal interface for drivers. Drivers also
typically do not own threads and are all generally part of the same
process address space, the system process, but may execute their code
in any thread and process context. Finally, there is a defined interface for
registering callback functions for thread creation, see
PsSetCreateThreadNotifyRoutine. No ‘hooking’ is required, however
having hooked thread creation, how is that going to aid your effort to
identify “which driver invoked the specific system call”?
Mark Roddy
On Wed, Nov 10, 2010 at 7:56 AM, wrote:
> Is there any way from which we can know which driver (i.e. driver name or driver object pointer) invoked the specific system call?
> I was thinking about hooking the system call function like PsCreateSystemThread etc. and invoking PsGetCurrentProcessId from inside.
>
> —
> NTDEV is sponsored by OSR
>
> For our schedule of WDF, WDM, debugging and other seminars visit:
> http://www.osr.com/seminars
>
> To unsubscribe, visit the List Server section of OSR Online at http://www.osronline.com/page.cfm?name=ListServer
>
Thanks for the immediate answer!
It will help me a lot. I will definitely try it.
I saw that there is PsSetCreateProcessNotifyRoutine, just like PsSetCreateThreadNotifyRoutine, but the documentation of the DDK does not have ZwCreateProcess like its NT counterpart NtCreateProcess.
Is it really not there, is it undocumented, or is some other mechanism used?
I was thinking about knowing who invoked a ZwXxx routine from inside, like its process ID or something. Is it possible?
“Who”, you mean which user? Well, if you hook anything, you can get the user token of the thread, or of the application (I prefer the thread, though; it is more precise). This is regarding applications and calls originating from user mode.
If you want to know the particular driver that calls a function, you will need to walk the stack, I guess.
Yes, PsGetCurrentProcess does work. It returns the PEPROCESS for the process created. I was thinking of extracting a PDRIVER_OBJECT or PDEVICE_OBJECT from this.
I’ll say it again: your thinking is confused on this subject. There is
no PDRIVER_OBJECT or PDEVICE_OBJECT associated with a process object.
Drivers may or may not have their own threads, and if they do they are
generally threads belonging to the system process. More typically
driver code executes using an arbitrary thread belonging to an
arbitrary process, or less frequently to a specific user mode process
initiating a system service request.
Mark Roddy
On Fri, Nov 12, 2010 at 8:00 AM, wrote:
> Yes, PsGetCurrentProcess does work. It returns the PEPROCESS for the process created. I was thinking of extracting a PDRIVER_OBJECT or PDEVICE_OBJECT from this.
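The two points made in the thread (that the caller of a kernel routine has to be found by walking the stack rather than from the process object, and that a routine may have been reached from a user-mode system service request running in an arbitrary thread context) can be put together in one piece of attribution logic. The following is an added example, not code posted by anyone in the thread: it takes a list of return addresses as RtlCaptureStackBackTrace would return them from inside a hooked routine or a PsSetCreateThreadNotifyRoutine callback, and a loaded-module table of the kind AuxKlibQueryModuleInformation provides, and reports the first frame that belongs to a driver other than the kernel core and the hooking driver itself. The module names, base addresses, sizes, KERNEL_BASE, and all three stack traces are constructed for the example; the code is deliberately plain user-mode C so it runs anywhere, and in a real driver only the two data sources would change.

```c
/*
 * Added example, not from the NTDEV thread: attribute a captured stack
 * trace to the kernel module that originated the call.
 *
 * Assumptions (all constructed for this example):
 *  - frames[] holds return addresses, innermost first, as
 *    RtlCaptureStackBackTrace returns them from inside the hooked routine.
 *  - mods[] is a loaded-module table (name, base, size) such as the one
 *    AuxKlibQueryModuleInformation returns; is_core marks modules whose
 *    frames are never the answer (ntoskrnl, hal, and the hooking driver).
 *  - KERNEL_BASE is an assumed x64 user/kernel split; anything below it is
 *    treated as a user-mode return address.
 */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define KERNEL_BASE 0xFFFF800000000000ULL  /* assumed x64 kernel boundary */

typedef struct {
    const char *name;
    uint64_t    base;
    uint64_t    size;
    int         is_core;   /* 1: skip frames in this module */
} module_t;

typedef struct {
    const char *module;    /* module name, "<user>", or "<unknown>" */
    uint64_t    offset;    /* RVA inside the module (raw PC otherwise) */
    int         frame;     /* index in the trace, -1 if nothing attributable */
} caller_t;

static const module_t *find_module(const module_t *mods, size_t nmods, uint64_t pc)
{
    for (size_t i = 0; i < nmods; i++)
        if (pc >= mods[i].base && pc < mods[i].base + mods[i].size)
            return &mods[i];
    return NULL;
}

/* Walk outward from the hooked routine and return the first frame that is
 * not inside a core module. A user-mode address means the request arrived
 * through the system service dispatcher from an application, so there is
 * no driver to name. A kernel address in no listed module is reported as
 * unknown and the walk stops there: an unlisted region (unloaded driver,
 * injected code) is itself the thing a practitioner wants to look at. */
static caller_t attribute_caller(const uint64_t *frames, size_t nframes,
                                 const module_t *mods, size_t nmods)
{
    caller_t r = { "<unknown>", 0, -1 };
    for (size_t i = 0; i < nframes; i++) {
        uint64_t pc = frames[i];
        r.frame = (int)i;
        r.offset = pc;
        if (pc < KERNEL_BASE) { r.module = "<user>"; return r; }
        const module_t *m = find_module(mods, nmods, pc);
        if (m == NULL)        { r.module = "<unknown>"; return r; }
        if (m->is_core) continue;
        r.module = m->name;
        r.offset = pc - m->base;
        return r;
    }
    r.frame = -1;              /* every frame was core: nothing to attribute */
    r.offset = 0;
    return r;
}

/* Constructed module table: kernel core, HAL, our own driver, and one
 * third-party driver. None of these addresses come from a real system. */
static const module_t sample_mods[] = {
    { "ntoskrnl.exe", 0xFFFFF80000400000ULL, 0x00600000, 1 },
    { "hal.dll",      0xFFFFF80000A00000ULL, 0x00040000, 1 },
    { "mydrv.sys",    0xFFFFF88003200000ULL, 0x00020000, 1 }, /* the hooking driver */
    { "third.sys",    0xFFFFF88004100000ULL, 0x00010000, 0 },
};
#define NMODS (sizeof sample_mods / sizeof sample_mods[0])

/* A driver calling PsCreateSystemThread from one of its own routines. */
caller_t demo_driver_case(void)
{
    const uint64_t frames[] = {
        0xFFFFF88003201230ULL,  /* mydrv.sys: the hook itself */
        0xFFFFF80000412F00ULL,  /* ntoskrnl.exe: the hooked routine */
        0xFFFFF88004102A40ULL,  /* third.sys: the caller we want */
        0xFFFFF80000450010ULL,  /* ntoskrnl.exe: thread start */
    };
    return attribute_caller(frames, 4, sample_mods, NMODS);
}

/* The same hook reached via a system service from a user-mode process. */
caller_t demo_user_case(void)
{
    const uint64_t frames[] = {
        0xFFFFF88003201230ULL,  /* mydrv.sys */
        0xFFFFF80000412F00ULL,  /* ntoskrnl.exe: the hooked routine */
        0xFFFFF80000400300ULL,  /* ntoskrnl.exe: system service dispatcher */
        0x00007FF6A1B0C123ULL,  /* user-mode return address */
    };
    return attribute_caller(frames, 4, sample_mods, NMODS);
}

/* A return address in no listed module (e.g. an unloaded driver). */
caller_t demo_unknown_case(void)
{
    const uint64_t frames[] = {
        0xFFFFF88003201230ULL,  /* mydrv.sys */
        0xFFFFF80000412F00ULL,  /* ntoskrnl.exe */
        0xFFFFF88005FF0000ULL,  /* not in the module table */
    };
    return attribute_caller(frames, 3, sample_mods, NMODS);
}

int main(void)
{
    caller_t c = demo_driver_case();
    printf("driver case : frame %d %s+0x%llx\n", c.frame, c.module, (unsigned long long)c.offset);
    c = demo_user_case();
    printf("user case   : frame %d %s (0x%llx)\n", c.frame, c.module, (unsigned long long)c.offset);
    c = demo_unknown_case();
    printf("unknown case: frame %d %s (0x%llx)\n", c.frame, c.module, (unsigned long long)c.offset);
    return 0;
}
```

Two caveats apply when this is moved into a real driver. On x86 the walk only sees frames that were built with a frame pointer, and on any architecture a return address is data on the stack that the caller controls, so this attribution is a diagnostic aid, not a security boundary. It also matches the thread's point about PsGetCurrentProcess: the process is whatever thread the request happened to run in, which is why the user-mode case above yields no driver at all.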