From: Cunningham, Owen [Owen.Cunningham@fmr.com]
Sent: Wednesday, November 14, 2001 8:54 PM
To: NT Developers Interest List
Subject: [ntdev] RE: Kernel mode device driver problem - KeServiceDescriptorTable

The invocation of interrupt 2F used to be the second instruction of every NTDLL export (with the first instruction loading the system service call number into the EAX register). In XP it would appear that now the NTDLL export mills around for a few instructions before jumping to an entirely different location in the DLL, at which point the interrupt gets invoked. (I can't really see any value in this change other than making it harder for people to do what you're trying to do....)

> -----Original Message-----
> From: Jeremy Kercheval [SMTP:jkercheval@expressmetrix.com]
> Sent: Wednesday, November 14, 2001 8:08 PM
> To: NT Developers Interest List
> Subject: [ntdev] RE: Kernel mode device driver problem - KeServiceDescriptorTable
>
> Michal,
> Thanks for the response, unfortunately I don't entirely understand what you have given me here. I'm not trying to be stupid, but I don't have a lot of experience with the kernel.
> Is the first section how NT used to enter the kernel, and the second part the new way? I'm not sure how I would change my GetThunkCode based on the below information.
>
> Jeremy
>
> -----Original Message-----
> From: bounce-ntdev-6996@lists.osr.com [mailto:bounce-ntdev-6996@lists.osr.com] On Behalf Of Michal Vodicka
> Sent: Wednesday, November 14, 2001 3:58 PM
> To: NT Developers Interest List
> Subject: [ntdev] RE: Kernel mode device driver problem - KeServiceDescriptorTable
>
> Yes, XP changed the way to enter kernel:
>
> :u ZwCreateProcess
> _NtCreateProcess
> 001B:77F7E6A3 B82F000000 MOV EAX,0000002F
> 001B:77F7E6A8 BA0003FE7F MOV EDX,7FFE0300
> 001B:77F7E6AD FFD2       CALL EDX
> 001B:77F7E6AF C22000     RET 0020
>
> :u 7FFE0300
> 001B:7FFE0300 8BD4       MOV EDX,ESP
> 001B:7FFE0302 0F34       SYSENTER
> 001B:7FFE0304 C3         RET
>
> Just change your GetThunkCode a bit and check OS to see what version to use.
>
> As for driver crash; if you're doing such a change, you should see why it crashes. If memory protection causes it, examine and try to change WP bit in CR0.
>
> Best regards,
>
> Michal Vodicka
> STMicroelectronics Design and Application s.r.o. [michal.vodicka@st.com, http:://www.st.com]
>
> > ----------
> > From: jkercheval@expressmetrix.com [SMTP:jkercheval@expressmetrix.com]
> > Reply To: ntdev@lists.osr.com
> > Sent: Wednesday, November 14, 2001 10:14 PM
> > To: ntdev@lists.osr.com
> > Subject: [ntdev] Kernel mode device driver problem - KeServiceDescriptorTable
> >
> > I have an app and driver that works on NT4 through Windows 2000 SP2 that fails on Windows XP. In user mode we would call GetProcAddress as follows:
> >
> > #include <windows.h>
> >
> > BOOL GetThunkCode(FARPROC funcPtr, PULONG ntCode, PULONG ntParams);
> > HMODULE hNtDll; FARPROC pFunc;
> >
> > ----
> > /* pInitBlock is the hook initialisation block handed to the driver (declared elsewhere) */
> > if (hNtDll = LoadLibrary("NTDLL.DLL"))
> > {
> >     if ((pFunc = GetProcAddress(hNtDll, "ZwCreateProcess")) == NULL ||
> >         !GetThunkCode(pFunc, &pInitBlock->CreateProcessHookBlock.NTCode,
> >                       &pInitBlock->CreateProcessHookBlock.ParamCount))
> >     {
> >         FreeLibrary(hNtDll);
> >         return 0;
> >     }
> > }
> > ----
> >
> > This would get the address of the function in ntdll, we would then extract the service id and number of bytes required for the parameters using the below function:
> >
> > ---
> > static BOOL GetThunkCode(FARPROC funcPtr, PULONG ntCode, PULONG ntParams)
> > {
> >     /* Byte layout of a pre-XP NTDLL system service stub (packed, no padding) */
> > #pragma pack(1)
> >     typedef struct _NTFUNC_BLOCK
> >     {
> >         UCHAR  moveeax;    /* 0xB8: MOV EAX, imm32                 */
> >         ULONG  thunkCode;  /* imm32: the system service number      */
> >         UCHAR  stuff[4];   /* LEA EDX,[ESP+4]: argument pointer     */
> >         UCHAR  insint;     /* 0xCD: INT                             */
> >         UCHAR  vector;     /* 0x2E: the NT system service interrupt */
> >         UCHAR  insret;     /* 0xC2: RET imm16                       */
> >         USHORT params;     /* imm16: bytes of arguments to pop      */
> >     }
> >     * PNTFUNC_BLOCK;
> >     PNTFUNC_BLOCK pNtFunc;
> > #pragma pack()
> >
> >     pNtFunc = (PNTFUNC_BLOCK) funcPtr;
> >     if (pNtFunc->moveeax != 0xb8)
> >         return FALSE;
> >     if (pNtFunc->insint != 0xcd)
> >         return FALSE;
> >     if (pNtFunc->vector != 0x2e)
> >         return FALSE;
> >     if (pNtFunc->insret != 0xc2)
> >         return FALSE;
> >     *ntCode = pNtFunc->thunkCode;
> >     *ntParams = pNtFunc->params / sizeof(ULONG);
> >     return TRUE;
> > }
> > ---
> >
> > The problem is that the function no longer returns the information the same way that it used to. We would then pass this information (thunkCode and number of params) to the driver which would hook into the KeServiceDescriptorTable replacing the real CreateProcess function with our own.
> >
> > Also, when I try to write to the KeServiceDescriptorTable at any serviceID, the driver immediately crashes. Did XP change the memory protection of the KeServiceDescriptorTable?
> >
> > In short, the address that we get back from GetProcAddress no longer has the same format - does anyone know the new format? If I can find the correct ServiceID for the KeServiceDescriptorTable, can I still replace the old address with a new one, or is it protected memory now?
> >
> > Thanks,
> > Jeremy
> >
> > ---
> > You are currently subscribed to ntdev as: michal.vodicka@st.com
> > To unsubscribe send a blank email to leave-ntdev-247T@lists.osr.com
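An added example, not code from the thread or from any of the posters: a decoder in portable C for the two NTDLL stub layouts the thread compares, the NT4/2000 sequence that Jeremy's GetThunkCode assumes (MOV EAX,imm32 / LEA EDX,[ESP+4] / INT 2Eh / RET imm16) and the XP sequence in Michal's dump (MOV EAX,imm32 / MOV EDX,7FFE0300h / CALL EDX / RET imm16). It works on constructed byte arrays rather than a live NTDLL, so the LoadLibrary/GetProcAddress part of the original is omitted; `XP_STUB` is transcribed from the posted dump, while `W2K_STUB`, `ODD_STUB` and all function and type names are assumptions. Unlike the original, it refuses anything it does not recognise instead of reading fields at fixed offsets, and for the XP form it also reports the CALL EDX target so a caller can confirm the stub really dispatches through the expected address.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Which NTDLL system-service stub layout was recognised. */
typedef enum {
    STUB_UNKNOWN = 0,
    STUB_INT2E,     /* NT4 / Windows 2000: mov eax,N ; lea edx,[esp+4] ; int 2Eh ; ret N */
    STUB_SYSENTER   /* Windows XP: mov eax,N ; mov edx,7FFE0300h ; call edx ; ret N      */
} stub_kind;

typedef struct {
    stub_kind kind;
    uint32_t  service;      /* immediate of MOV EAX: index into the service table      */
    uint32_t  param_bytes;  /* immediate of RET: argument bytes popped on return       */
    uint32_t  nparams;      /* param_bytes / 4, what the thread's GetThunkCode reports */
    uint32_t  call_target;  /* XP only: immediate of MOV EDX (0x7FFE0300 in the dump)  */
} stub_info;

/* Little-endian immediates, read byte-wise so the decoder is portable. */
static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/* Decode the leading bytes of an NTDLL Nt/Zw export. Returns 1 and fills *out
 * when the bytes match one of the two known layouts, 0 otherwise; truncated,
 * patched or unfamiliar sequences are rejected rather than guessed at. */
int get_thunk_code(const uint8_t *stub, size_t len, stub_info *out)
{
    stub_info info = {STUB_UNKNOWN, 0, 0, 0, 0};

    if (len < 5 || stub[0] != 0xB8)                   /* B8 imm32: mov eax, service */
        return 0;
    info.service = rd32(stub + 1);

    if (len >= 14 &&
        stub[5] == 0x8D && stub[6] == 0x54 &&
        stub[7] == 0x24 && stub[8] == 0x04 &&          /* lea edx, [esp+4] */
        stub[9] == 0xCD && stub[10] == 0x2E &&         /* int 2Eh          */
        stub[11] == 0xC2) {                            /* ret imm16        */
        info.kind = STUB_INT2E;
        info.param_bytes = rd16(stub + 12);
    } else if (len >= 15 &&
               stub[5] == 0xBA &&                      /* BA imm32: mov edx, target */
               stub[10] == 0xFF && stub[11] == 0xD2 && /* call edx                  */
               stub[12] == 0xC2) {                     /* ret imm16                 */
        info.kind = STUB_SYSENTER;
        info.call_target = rd32(stub + 6);
        info.param_bytes = rd16(stub + 13);
    } else {
        return 0;
    }

    if (info.param_bytes % 4 != 0)   /* arguments are whole 32-bit stack slots */
        return 0;
    info.nparams = info.param_bytes / 4;
    *out = info;
    return 1;
}

/* Constructed samples. XP_STUB is transcribed from the SoftICE dump in the thread;
 * W2K_STUB is the pre-XP layout with the same service number and argument size so
 * the two decodes compare directly; ODD_STUB has a jmp where neither layout fits. */
static const uint8_t XP_STUB[] = {
    0xB8, 0x2F, 0x00, 0x00, 0x00,   /* mov eax, 2Fh       */
    0xBA, 0x00, 0x03, 0xFE, 0x7F,   /* mov edx, 7FFE0300h */
    0xFF, 0xD2,                     /* call edx           */
    0xC2, 0x20, 0x00                /* ret 20h            */
};
static const uint8_t W2K_STUB[] = {
    0xB8, 0x2F, 0x00, 0x00, 0x00,   /* mov eax, 2Fh       */
    0x8D, 0x54, 0x24, 0x04,         /* lea edx, [esp+4]   */
    0xCD, 0x2E,                     /* int 2Eh            */
    0xC2, 0x20, 0x00                /* ret 20h            */
};
static const uint8_t ODD_STUB[] = {
    0xB8, 0x2F, 0x00, 0x00, 0x00, 0xE9, 0x10, 0x00, 0x00, 0x00,
    0x90, 0x90, 0x90, 0x90, 0x90
};

/* Scalar wrappers: one call answers one question about a stub. */
static stub_kind stub_kind_of(const uint8_t *s, size_t n)
{ stub_info i; return get_thunk_code(s, n, &i) ? i.kind : STUB_UNKNOWN; }
static uint32_t stub_service(const uint8_t *s, size_t n)
{ stub_info i; return get_thunk_code(s, n, &i) ? i.service : 0xFFFFFFFFu; }
static uint32_t stub_nparams(const uint8_t *s, size_t n)
{ stub_info i; return get_thunk_code(s, n, &i) ? i.nparams : 0xFFFFFFFFu; }
static uint32_t stub_call_target(const uint8_t *s, size_t n)
{ stub_info i; return get_thunk_code(s, n, &i) ? i.call_target : 0; }

int main(void)
{
    const uint8_t *samples[] = {XP_STUB, W2K_STUB, ODD_STUB};
    size_t lens[] = {sizeof XP_STUB, sizeof W2K_STUB, sizeof ODD_STUB};
    const char *names[] = {"XP_STUB", "W2K_STUB", "ODD_STUB"};
    for (int k = 0; k < 3; k++) {
        stub_info si;
        if (get_thunk_code(samples[k], lens[k], &si))
            printf("%s: kind=%d service=0x%X nparams=%u target=0x%X\n", names[k],
                   (int)si.kind, (unsigned)si.service, (unsigned)si.nparams,
                   (unsigned)si.call_target);
        else
            printf("%s: not a recognised stub\n", names[k]);
    }
    return 0;
}
```

Both samples decode to service 0x2F with eight ULONG parameters; the XP sample additionally yields the 0x7FFE0300 target. The original GetThunkCode read `insint` at a fixed offset and so simply returned FALSE on XP, which is the symptom Jeremy reports; a layout-aware decoder makes the OS-version dependence Michal mentions explicit and lets a caller treat an unexpected stub as a finding rather than silently misreading it.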