VirtualQueryEx() in kernel mode

My question is whether anybody knows how to implement the equivalent of the function VirtualQueryEx() in kernel mode.

I know that some functions are not exported by name from the kernel (NTOSKRNL.EXE) for the use of a kernel-mode driver. When a user-mode application calls the VirtualQueryEx() API in KERNEL32.DLL, the call is redirected to the NtQueryVirtualMemory() API in NTDLL.DLL.

“A driver can solve this problem in two different ways. It can be linked against NTDLL.DLL (A driver can be linked to a dll?), which is the easiest way. The other possibility is to develop a function similar to the user-mode GetProcAddress() with some important differences that can get the function ID of a particular NT service by traversing the export table of the NTDLL.DLL in the system context. Such a function can pick up the NT service function ID, which is placed into the EAX register with a MOV instruction at the entry point on IA32 systems. This way the driver can specify the correct address of the function inside the Windows NT executive (NTOSKRNL.EXE) as KeServiceDescriptorTable+NtServiceID.”

A Sample Service Call on NT on IA32:

mov eax,14h ; NtCreateFile ID
lea edx,[esp+arg_0]
int 2Eh
ret 2Ch

And what happens with the sysenter instruction in XP?

Which of these two options is better? And please, how do I do it in my driver?

Some sample code would be appreciated. Thanks in advance.



Before answering the question, why do you even need this in the first place? Why can’t you relegate this functionality to a UM process?

d


From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com] On Behalf Of yohamnes hernandez
Sent: Saturday, September 24, 2005 10:43 AM
To: Windows System Software Devs Interest List
Subject: [ntdev] VirtualQueryEx() in kernel mode

Questions? First check the Kernel Driver FAQ at http://www.osronline.com/article.cfm?id=256

You are currently subscribed to ntdev as: xxxxx@microsoft.com
To unsubscribe send a blank email to xxxxx@lists.osr.com

Whoever you are quoting, ignore anything they ever say from now on.
Mucking with the system service table in any way is an EXTREMELY STUPID IDEA.
Remember that these calls get renumbered pretty often, so your example is
going to crash.

Now, what are you trying to get out of this call? There is a lot of this data
available in the kernel through other means.


Don Burn (MVP, Windows DDK)
Windows 2k/XP/2k3 Filesystem and Driver Consulting
Remove StopSpam from the email to reply


I am studying the book “The Art of Computer Virus Research and Defense” by Peter Szor
with the purpose of implementing a memory scanning engine in kernel mode, and I need to know which pages of the virtual memory space are really in use by the target process and, by the way, reduce the page faults.




Yeah, he is the Symantec guy; most of us view their anti-virus software as a
virus.
I have Symantec on one of my systems; it is the least stable system I
have, and most of the core dumps indicate it was Symantec’s fault.

As Doron suggested, doing some of this in user space makes the most sense.
Also, you can use PsSetLoadImageNotify to map a lot of this, and
ProbeForRead/ProbeForWrite to handle the rest. Bottom line: do not try
to muck through the system call table; it will just destabilize things.


Don Burn (MVP, Windows DDK)
Windows 2k/XP/2k3 Filesystem and Driver Consulting
Remove StopSpam from the email to reply


Just now I looked in the DDK help and found those functions. So the suggestion is to detect when an executable image is loaded with my PsLoadImageNotify routine and then do ProbeForRead for all the process memory, and if the address is valid then search for malware. (Sorry if this is not the idea, and for my English too.)

And what about if I want to scan all the virtual memory like various antivirus products do?

I keep thinking about a way that gives me the same result as VirtualQueryEx() in user mode.

Thanks for replying so fast. I really need help.


I guess I’m trying to understand why you want a kernel component to do this.
You actually can do it all from a user-space service, which has the advantage
that if something does go wrong you don’t crash the system.

Mucking with memory mappings you are not sure of is one of the most likely
ways to bugcheck a driver. If you did use this call, there is nothing to
guarantee the memory regions are valid by the time you get around to the
check, so walking them is a great way to cause an access fault and crash the
system. Note there is also no way to guarantee that after the call built
the table, but before you look at it, another piece of memory containing the
virus is not added to the process.


Don Burn (MVP, Windows DDK)
Windows 2k/XP/2k3 Filesystem and Driver Consulting
Remove StopSpam from the email to reply

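Both Doron and Don point the original poster at a user-mode service, and Don's last reply names the failure mode that makes the kernel version dangerous: a region reported by the query need not still exist when it is read. The Python below is an added example of that user-mode loop; it is not code from the thread or from any product. The portable core (`walk_regions`, `scannable`, `scan_regions`, all names mine) is driven by two callbacks so it runs offline against the constructed address space in `demo_space()`, including a region that is committed when queried and gone when read; `scan_process()` binds the same core to `OpenProcess`, `VirtualQueryEx` and `ReadProcessMemory` through ctypes with their documented Win32 signatures and only works on Windows. The `MARKER` signature and the region layout are constructed for the demo.

```python
"""Scan a process's committed, readable regions from user mode (added example).

A read that fails after a successful query is recorded as a skipped region,
not raised as an error: the region may have been freed or decommitted between
the two calls, which is exactly the race the thread warns about.
"""
import ctypes
from dataclasses import dataclass
from typing import Callable, Iterator, List, Optional, Tuple

MEM_COMMIT, MEM_RESERVE, MEM_FREE = 0x1000, 0x2000, 0x10000
PAGE_NOACCESS, PAGE_READWRITE, PAGE_EXECUTE_READ, PAGE_GUARD = 0x01, 0x04, 0x20, 0x100
PROCESS_QUERY_INFORMATION, PROCESS_VM_READ = 0x0400, 0x0010


@dataclass
class Region:          # the fields of MEMORY_BASIC_INFORMATION the scanner needs
    base: int
    size: int
    state: int
    protect: int


def scannable(r: Region) -> bool:
    """Committed and readable; reserved/free regions and guard pages fault on touch."""
    return r.state == MEM_COMMIT and not r.protect & (PAGE_NOACCESS | PAGE_GUARD)


def walk_regions(query: Callable[[int], Optional[Region]], max_addr: int) -> Iterator[Region]:
    """base += RegionSize until the query fails: the usual VirtualQueryEx loop."""
    addr = 0
    while addr < max_addr:
        r = query(addr)
        if r is None:
            break
        yield r
        addr = r.base + r.size


def scan_regions(query, read: Callable[[int, int], Optional[bytes]],
                 signature: bytes, max_addr: int) -> Tuple[List[int], List[int]]:
    """Return (hit_addresses, skipped_bases); regions unreadable after the query are skipped."""
    hits, skipped = [], []
    for r in walk_regions(query, max_addr):
        if not scannable(r):
            continue
        data = read(r.base, r.size)
        if data is None:
            skipped.append(r.base)       # changed under us: report, do not crash
            continue
        off = data.find(signature)
        while off != -1:
            hits.append(r.base + off)
            off = data.find(signature, off + 1)
    return hits, skipped


def demo_space():
    """Constructed address space: a free gap, RW data holding the marker, a reserved
    range, a guard page, and an RX region that is decommitted before it is read."""
    regions = [Region(0x00000, 0x10000, MEM_FREE, PAGE_NOACCESS),
               Region(0x10000, 0x1000, MEM_COMMIT, PAGE_READWRITE),
               Region(0x11000, 0x2000, MEM_RESERVE, PAGE_NOACCESS),
               Region(0x13000, 0x1000, MEM_COMMIT, PAGE_READWRITE | PAGE_GUARD),
               Region(0x14000, 0x1000, MEM_COMMIT, PAGE_EXECUTE_READ)]
    memory = {0x10000: b"\x00" * 16 + b"MARKER" + b"\x00" * (0x1000 - 22)}  # no 0x14000 entry

    def query(addr):
        return next((r for r in regions if r.base <= addr < r.base + r.size), None)

    def read(base, size):
        return memory.get(base)

    return query, read


class MEMORY_BASIC_INFORMATION(ctypes.Structure):
    _fields_ = [("BaseAddress", ctypes.c_void_p), ("AllocationBase", ctypes.c_void_p),
                ("AllocationProtect", ctypes.c_uint32), ("RegionSize", ctypes.c_size_t),
                ("State", ctypes.c_uint32), ("Protect", ctypes.c_uint32), ("Type", ctypes.c_uint32)]


def scan_process(pid: int, signature: bytes):
    """Windows only: bind the core to the real Win32 calls."""
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    k32.OpenProcess.restype = ctypes.c_void_p
    k32.OpenProcess.argtypes = [ctypes.c_uint32, ctypes.c_int, ctypes.c_uint32]
    k32.VirtualQueryEx.restype = ctypes.c_size_t
    k32.VirtualQueryEx.argtypes = [ctypes.c_void_p, ctypes.c_void_p, ctypes.c_void_p, ctypes.c_size_t]
    k32.ReadProcessMemory.restype = ctypes.c_int
    k32.ReadProcessMemory.argtypes = [ctypes.c_void_p, ctypes.c_void_p, ctypes.c_void_p,
                                      ctypes.c_size_t, ctypes.c_void_p]
    k32.CloseHandle.argtypes = [ctypes.c_void_p]
    h = k32.OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, 0, pid)
    if not h:
        raise OSError(ctypes.get_last_error())

    def query(addr):
        mbi = MEMORY_BASIC_INFORMATION()
        if not k32.VirtualQueryEx(h, addr, ctypes.byref(mbi), ctypes.sizeof(mbi)):
            return None                  # past the last user-mode region
        return Region(mbi.BaseAddress or 0, mbi.RegionSize, mbi.State, mbi.Protect)

    def read(base, size):
        buf, got = ctypes.create_string_buffer(size), ctypes.c_size_t()
        ok = k32.ReadProcessMemory(h, base, buf, size, ctypes.byref(got))
        return buf.raw[:got.value] if ok else None

    try:
        return scan_regions(query, read, signature, 1 << (8 * ctypes.sizeof(ctypes.c_void_p)))
    finally:
        k32.CloseHandle(h)
```

The skipped list is the practical answer to Don's objection: in a user-mode service a vanished region costs one failed `ReadProcessMemory` and a log line, where the same race in a driver walking those pages is a bugcheck. A production scanner would read large regions in chunks rather than in one buffer, and the other half of Don's point, memory added to the process after the walk, is only addressed by scanning again (or, in the kernel, by an image-load notification), not by anything the query itself can promise.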