From: sarshah20 on
Hi All,

I am trying to call Ntxxx (e.g. NtCreateFile) routines from a driver I
have written. I tried two ways.


1- Simply call the routine as you would call any other system routine
while in kernel.


2- Recalculate addresses from ntoskrnl.exe. These addresses are of the
various calls the SSDT is pointing to. Then use these addresses to call
the required routine. (I got the code to calculate the addresses from a website.)

In both cases, the call to Ntxxx is not successful. So the question
is:


- How to call Ntxxx using both ways (above)? Is it possible?


I only get a failure error in return. I am able to call Zwxxx APIs
successfully from this driver. Let me know if I need to add any more
details in case there is ambiguity.


Thanks for your help.
sarshah.
From: rogero on
On Apr 9, 9:23 am, sarsha...(a)yahoo.com wrote:
> Hi All,
>
> I am trying to call Ntxxx (e.g. NtCreateFile) routines from a driver i
> have written. I tried two ways.

Why are you trying to do this?
Just use the Zw functions.

Roger.
From: sarshah20 on
Thanks Roger.

Consider the scenario where the SSDT is modified by malware and
important calls are hooked. I calculate the original system routine
addresses from ntoskrnl.exe. At this stage, I can't/don't want to
restore the SSDT. Instead I want to use these calculated (original)
addresses to make a direct call. The addresses calculated from
ntoskrnl.exe are those of the Ntxxx APIs. I don't have the option to restore the SSDT;
otherwise I would have restored it and simply made a call to the
equivalent Zwxxx routine.

sarshah.

From: Don Burn on
There is no way around the general problem. But for your specific
example don't use the Nt or Zw calls but instead use IoCreateFile which
bypasses the SSDT.

This really is pretty useless to do; if you detect MALWARE in the system
you are pretty hosed.


Don Burn (MVP, Windows DKD)
Windows Filesystem and Driver Consulting
Website: http://www.windrvr.com
Blog: http://msmvps.com/blogs/WinDrvr

From: Jonathan de Boyne Pollard on
> Consider the scenario where the SSDT is modified by malware and
> important calls are hooked. I calculate the original system routine
> addresses from ntoskrnl.exe.
In other words, you're doing the very same thing as the malware did, and
in addition you are adding yet another Heath Robinson mechanism to the
kernel that will complicate everyone's lives just that little bit
further when they have to work out why your driver's behaviour differs
from the behaviour of the rest of the system. You are not in the
business of creating customer support nightmares for the world. Stop
trying to. Call the documented APIs that are provided to you, in the
ordinary way.