Very early module load

Hi people

I'm looking to insert a PE module into system address space before any other OS modules, and execute its entry point. The main requirement is that the entry point of my module is executed before NtMain() from ntoskrnl. Any ideas are appreciated.

Best regards, Dan


You are currently subscribed to ntdev as: $subst(‘Recip.EmailAddr’)
To unsubscribe send a blank email to leave-ntdev-$subst(‘Recip.MemberIDChar’)@lists.osr.com

Patch your code into the PE file. Then update the PE file entry point in the header to point to your code. You will get control first, then return to the original code.

Regards,
Satish K.S
----- Original Message -----
From: danp
To: NT Developers Interest List
Sent: Friday, April 27, 2001 1:56 PM
Subject: [ntdev] Very early module load

Hi people

I'm looking to insert a PE module into system address space before any other OS modules, and execute its entry point. The main requirement is that the entry point of my module is executed before NtMain() from ntoskrnl. Any ideas are appreciated.

Best regards, Dan
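
Seen from the defender's side, the entry-point redirection suggested in this message shows up in the PE header itself. The following is an added example, not code from the thread: it reads AddressOfEntryPoint, finds the section that owns it and compares it with a recorded baseline. The sample headers, section layout and baseline value are constructed.

```python
import struct

IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000

# Constructed section layout: (name, virtual address, virtual size, characteristics).
STOCK_SECTIONS = [
    (".text", 0x1000, 0x2000, 0x60000020),
    (".data", 0x3000, 0x1000, 0xC0000040),
    (".reloc", 0x4000, 0x1000, 0x42000040),
]


def build_sample_headers(entry_rva, sections):
    """Constructed sample: PE32 headers only (no code), enough for the check."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)          # e_lfanew at 0x3C
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                      # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)                 # AddressOfEntryPoint
    table = b"".join(
        struct.pack("<8sIIIIIIHHI", name.encode(), vsize, vaddr, vsize, 0, 0, 0, 0, 0, chars)
        for name, vaddr, vsize, chars in sections)
    return dos + b"PE\0\0" + coff + bytes(opt) + table


def read_entry_point(image):
    """Return (entry_rva, [(name, vaddr, size, characteristics), ...])."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    _, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", image, e_lfanew + 4)
    opt_off = e_lfanew + 24
    # AddressOfEntryPoint is at offset 16 of the optional header (PE32 and PE32+).
    (entry_rva,) = struct.unpack_from("<I", image, opt_off + 16)
    sections = []
    for i in range(nsec):
        name, vsize, vaddr, rsize, _, _, _, _, _, chars = struct.unpack_from(
            "<8sIIIIIIHHI", image, opt_off + opt_size + 40 * i)
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"),
                         vaddr, max(vsize, rsize), chars))
    return entry_rva, sections


def entry_point_findings(image, baseline_entry_rva=None):
    """List reasons to distrust the entry point; an empty list means none found.

    The baseline comparison is the reliable check. The section tests are
    heuristics and can fire on legitimate images.
    """
    entry_rva, sections = read_entry_point(image)
    findings = []
    if baseline_entry_rva is not None and entry_rva != baseline_entry_rva:
        findings.append(
            f"entry RVA {entry_rva:#x} differs from baseline {baseline_entry_rva:#x}")
    owner = next((s for s in sections if s[1] <= entry_rva < s[1] + s[2]), None)
    if owner is None:
        findings.append("entry point lies outside every section")
        return findings
    name, _, _, chars = owner
    if not chars & IMAGE_SCN_MEM_EXECUTE:
        findings.append(f"entry section {name} is not executable")
    if chars & IMAGE_SCN_MEM_WRITE:
        findings.append(f"entry section {name} is writable")
    if len(sections) > 1 and owner is sections[-1]:
        findings.append(f"entry point is in the last section ({name})")
    return findings


if __name__ == "__main__":
    clean = build_sample_headers(0x1500, STOCK_SECTIONS)
    altered = build_sample_headers(
        0x5010, STOCK_SECTIONS + [(".new", 0x5000, 0x200, 0xE0000020)])
    print(entry_point_findings(clean, 0x1500))
    print(entry_point_findings(altered, 0x1500))
```
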


It is not an option. First, permanently patching an OS system file is unprofessional. Second, I need my code fully relocatable and to export an API through the standard PE export mechanism.
Third, I don't really want to adapt my code to every new build of ntoskrnl.
----- Original Message -----
From: Satish
To: NT Developers Interest List
Sent: Friday, April 27, 2001 11:51 AM
Subject: [ntdev] Re: Very early module load

Patch your code into the PE file. Then update the PE file entry point in the header to point to your code. You will get control first, then return to the original code.

Regards,
Satish K.S

I don’t think that you can achieve this. Boot drivers are loaded before
NtMain is called, but they are not started. You can make your module a boot
driver, but its entry point will not be called before NtMain. The bootstrap
process (osloader) explicitly calls NtMain. Unless you intend to modify
either the kernel image or the bootstrap process, you have a problem with no
solution. I’m guessing however that whatever hideous thing you are trying to
do before the kernel actually starts can be done after the kernel starts.
Perhaps if you shared your actual objective we might be able to help.
Mark Roddy
Windows 2000/NT Consultant
Hollis Technology Solutions
xxxxx@hollistech.com
603 321 1032
www.hollistech.com

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com]On Behalf Of danp
Sent: Friday, April 27, 2001 5:20 AM
To: NT Developers Interest List
Subject: [ntdev] Re: Very early module load

It is not an option. First, permanently patching an OS system file is
unprofessional. Second, I need my code fully relocatable and to export an
API through the standard PE export mechanism.
Third, I don't really want to adapt my code to every new build of ntoskrnl.

Without patching the OS file or PE file, how will you get control?

Regards,
Satish K.S
----- Original Message -----
From: danp
To: NT Developers Interest List
Sent: Friday, April 27, 2001 2:49 PM
Subject: [ntdev] Re: Very early module load

It is not an option. First, permanently patching an OS system file is unprofessional. Second, I need my code fully relocatable and to export an API through the standard PE export mechanism.
Third, I don't really want to adapt my code to every new build of ntoskrnl.


Your code does not need to change for every build. Just get the entry point by reading the header of the PE and patch your code. The only condition is that you have to patch the system file.

Regards,
Satish K.S

-----Original Message-----
From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com]On Behalf Of danp
Sent: Friday, April 27, 2001 5:20 AM
To: NT Developers Interest List
Subject: [ntdev] Re: Very early module load

It is not an option. First, permanently patching an OS system file is unprofessional. Second, I need my code fully relocatable and to export an API through the standard PE export mechanism.
Third, I don't really want to adapt my code to every new build of ntoskrnl.

Thank you very much for your idea, I appreciate it, but as I said — patching is not an option.
----- Original Message -----
From: Satish
To: NT Developers Interest List
Sent: Friday, April 27, 2001 3:04 PM
Subject: [ntdev] Re: Very early module load

Your code does not need to change for every build. Just get the entry point by reading the header of the PE and patch your code. The only condition is that you have to patch the system file.

Regards,
Satish K.S


Dan,

Mark gave you the best answer so far. Sorry, but that is “nope, can’t do
that”. At least not that way. What is it you want to do, or rather, what do
the boys and girls in mahogany row want you to do?

Gary

-----Original Message-----
From: Dan Partelly [mailto:danp@jb.rdsor.ro]
Sent: Friday, April 27, 2001 10:41 AM
To: NT Developers Interest List
Subject: [ntdev] Re: Very early module load

Thank you very much for your idea, I appreciate it, but as I said —
patching is not an option.


You can always frig the boot! Look at the LILO source code, that might give
you some ideas.

Alberto

-----Original Message-----
From: Gary Little [mailto:xxxxx@Broadstor.com]
Sent: Friday, April 27, 2001 3:02 PM
To: NT Developers Interest List
Subject: [ntdev] Re: Very early module load

Dan,

Mark gave you the best answer so far. Sorry, but that is “nope, can’t do
that”. At least not that way. What is it you want to do, or rather, what do
the boys and girls in mahogany row want you to do?

Gary


Move either NTLDR, NTDETECT or even NTOSKRNL.EXE from their normal location. Put your surrogate with the same name there, and have your code then call the real thing, making sure you pass the same parameters. But first you have to know what you’re doing regarding the boot process. By the way, NTLDR and NTDetect are arranged like com files, while NTOSKRNL is of course a normal .exe.

George Blat

At 08:41 PM 4/27/01 +0300, you wrote:

Thank you very much for your idea, I appreciate it, but as I said —
patching is not an option.

Similar idea without patching: rename ntoskrnl.exe and create a thin wrapper
named ntoskrnl.exe with the same export table. All exports would call the
original functions in the renamed ntoskrnl. Such a wrapper can be generated
during your software install (we used this approach when we needed to hook
some OS code). The wrapper would call your code when necessary. You can even
avoid renaming and use the /kernel= boot.ini option to load the wrapper.

Best regards,

Michal Vodicka
Veridicom
(RKK - Skytale)
[WWW: http://www.veridicom.com , http://www.skytale.com]


From: Dan Partelly[SMTP:danp@jb.rdsor.ro]
Reply To: NT Developers Interest List
Sent: Friday, April 27, 2001 7:41 PM
To: NT Developers Interest List
Subject: [ntdev] Re: Very early module load

Thank you very much for your idea, I appreciate it, but as I said —
patching is not an option.
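
The /kernel= option mentioned in this message leaves a trace in boot.ini that an administrator can audit. The following is an added example, not code from the thread: it lists boot entries whose switches replace the kernel image. The sample boot.ini and the file name krnlwrap.exe are constructed, and the /hal= check is an addition beyond what the thread discusses.

```python
import re

# Constructed sample boot.ini; "krnlwrap.exe" is a hypothetical file name.
SAMPLE_BOOT_INI = r"""[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\WINNT
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINNT="Windows 2000 Professional" /fastdetect
multi(0)disk(0)rdisk(0)partition(1)\WINNT="Windows 2000 (debug)" /fastdetect /KERNEL=krnlwrap.exe
"""

# path="title" switches...
ENTRY_RE = re.compile(r'^(?P<path>[^=]+)=\s*"(?P<title>[^"]*)"\s*(?P<switches>.*)$')
# /name or /name=value
SWITCH_RE = re.compile(r'/([A-Za-z0-9]+)(?:=(\S+))?')
# Switches that substitute a core boot image for the stock one.
IMAGE_OVERRIDES = {"kernel", "hal"}


def audit_boot_ini(text):
    """Return one finding per boot entry switch that overrides a boot image."""
    findings = []
    section = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "operating systems":
            continue
        entry = ENTRY_RE.match(line)
        if entry is None:
            continue
        for name, value in SWITCH_RE.findall(entry.group("switches")):
            if name.lower() in IMAGE_OVERRIDES:
                findings.append({
                    "line": lineno,
                    "title": entry.group("title"),
                    "path": entry.group("path").strip(),
                    "switch": name.lower(),
                    "file": value,       # empty string if the switch has no value
                })
    return findings


if __name__ == "__main__":
    for f in audit_boot_ini(SAMPLE_BOOT_INI):
        print(f"line {f['line']}: \"{f['title']}\" loads /{f['switch']}={f['file']}")
```
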


What do they want me to do? Insert custom debug code into the kernel. However, making it execute before NtMain() was a bet I took with a friend; it is not really necessary.
An idea which crossed my mind now is to force ntldr to load another small loader via the /kernel switch, instead of ntoskrnl, and use this small snippet of code to . With a bit of luck, I might then be able to map the real kernel myself and call the entry point of my module. This will require some osloader hacking, but I'll try to do it completely at runtime. I hope to erase the “nope, can't do that” assumption. Let's hope I'll manage to.

The boot idea is good too, but it would require me to write a huge amount of virtualization code, so the protected mode osloader would run under my own “virtual machine” monitor.

Thanks to all who threw their ideas in.

----- Original Message -----
From: Moreira, Alberto
To: NT Developers Interest List
Sent: Friday, April 27, 2001 10:49 PM
Subject: [ntdev] Re: Very early module load

You can always frig the boot! Look at the LILO source code, that might give you some ideas.

Alberto

Yes, thanks a lot. Good idea.

----- Original Message -----
From: “Vodicka, Michal”
To: “NT Developers Interest List”
Sent: Saturday, April 28, 2001 12:16 AM
Subject: [ntdev] Re: Very early module load

> Similar idea without patching: rename ntoskrnl.exe and create a thin wrapper
> named ntoskrnl.exe with the same export table. All exports would call the
> original functions in the renamed ntoskrnl. Such a wrapper can be generated
> during your software install (we used this approach when we needed to hook
> some OS code). The wrapper would call your code when necessary. You can even
> avoid renaming and use the /kernel= boot.ini option to load the wrapper.
>
> Best regards,
>
> Michal Vodicka
> Veridicom
> (RKK - Skytale)
> [WWW: http://www.veridicom.com , http://www.skytale.com]
>
>
>
> > ----------
> > From: Dan Partelly[SMTP:danp@jb.rdsor.ro]
> > Reply To: NT Developers Interest List
> > Sent: Friday, April 27, 2001 7:41 PM
> > To: NT Developers Interest List
> > Subject: [ntdev] Re: Very early module load
> >
> > Thank you very much for you ideea , I apreciate it , but as I said —
> > patching is not an option.
> >
> > ----- Original Message -----
> > From: Satish
> > To: NT Developers Interest List
> > Sent: Friday, April 27, 2001 3:04 PM
> > Subject: [ntdev] Re: Very early module load
> >
> > Ur code no need to change for every build. Just Get the entry point
> > by reading the header of PE and patch ur code. The only condition is u
> > have to patch System File.
> >
> > Regards,
> > Satish K.S
> >

Hi All,
Can someone post a sample of patching the ntoskrnl.exe with the custom code?
I recall seeing it somewhere, it had to do with reading the exe header or
something, but I’m not sure.
Thanks,
Stas,
Powernet.

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com]On Behalf Of Dan Partelly
Sent: Saturday, April 28, 2001 12:27 AM
To: NT Developers Interest List
Subject: [ntdev] Re: Very early module load

Yes, thanks a lot. Good idea.

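Seen from the defending side, both approaches in this thread leave traces that can be checked offline: an entry-point patch changes AddressOfEntryPoint in the PE header, and a wrapper loaded through /kernel= shows up in boot.ini. The Python below is an added example, not code from any poster; the function names, the section names, `wrapper.exe` and the header-only sample images are constructed for illustration.

```python
import re
import struct

def boot_kernel_overrides(boot_ini):
    """List (line_no, switch, file) for every /kernel= or /hal= switch in boot.ini text."""
    return [(n, sw.lower(), val)
            for n, line in enumerate(boot_ini.splitlines(), 1)
            for sw, val in re.findall(r"/(kernel|hal)=(\S+)", line, re.I)]

def entry_point(pe):
    """Return (AddressOfEntryPoint RVA, name of the section containing it or None)."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ image")
    nt = struct.unpack_from("<I", pe, 0x3C)[0]             # e_lfanew
    if pe[nt:nt + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsec, = struct.unpack_from("<H", pe, nt + 6)            # NumberOfSections
    opt_size, = struct.unpack_from("<H", pe, nt + 20)       # SizeOfOptionalHeader
    rva, = struct.unpack_from("<I", pe, nt + 24 + 16)       # AddressOfEntryPoint
    table = nt + 24 + opt_size                              # first section header
    for i in range(nsec):
        name, vsize, vaddr, rsize = struct.unpack_from("<8sIII", pe, table + 40 * i)
        if vaddr <= rva < vaddr + max(vsize, rsize):
            return rva, name.rstrip(b"\0").decode("ascii", "replace")
    return rva, None

def entry_changed(baseline, candidate):
    """True when the entry RVA or its section differs from the known-good image."""
    return entry_point(baseline) != entry_point(candidate)

def sample_pe(entry_rva, sections):
    """Build a constructed, header-only PE32 image (no code) for the demo."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 224, 0x102)
    opt = struct.pack("<HBBIIII", 0x10B, 0, 0, 0, 0, 0, entry_rva).ljust(224, b"\0")
    secs = b"".join(struct.pack("<8sIIIIIIHHI", n, size, va, size, 0, 0, 0, 0, 0, 0x60000020)
                    for n, va, size in sections)
    return dos + b"PE\0\0" + coff + opt + secs

# Constructed inputs: a known-good header, a copy whose entry point was moved
# into an appended section, and a boot.ini entry that loads an alternate kernel.
GOOD = sample_pe(0x5000, [(b".text", 0x1000, 0x4000), (b"INIT", 0x5000, 0x1000)])
PATCHED = sample_pe(0x6000, [(b".text", 0x1000, 0x4000), (b"INIT", 0x5000, 0x1000),
                             (b".new", 0x6000, 0x200)])
BOOT_INI = ('[boot loader]\ntimeout=30\n[operating systems]\n'
            'multi(0)disk(0)rdisk(0)partition(1)\\WINNT="Windows 2000" /fastdetect /KERNEL=wrapper.exe\n')
```

In practice the baseline would be the header of the kernel image taken from trusted install media for the same build, compared against the file on disk.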