From: stas [stas@powernetsys.com] Sent: Sunday, April 29, 2001 5:11 AM To: NT Developers Interest List Subject: [ntdev] Re: Very early module load Hi All, Can someone post a sample of patching the ntoskrnl.exe with the custom code? I recall seeing it somewhere, it had to do with reading the exe header or something, but I'm not sure. Thanx, Stas, Powernet. -----Original Message----- From: bounce-ntdev-4656@lists.osr.com [mailto:bounce-ntdev-4656@lists.osr.com]On Behalf Of Dan Partelly Sent: Saturday, April 28, 2001 12:27 AM To: NT Developers Interest List Subject: [ntdev] Re: Very early module load Yes , thx a lot. Good idea. ----- Original Message ----- From: "Vodicka, Michal" To: "NT Developers Interest List" Sent: Saturday, April 28, 2001 12:16 AM Subject: [ntdev] Re: Very early module load > Similar idea without patching: rename ntoskrnl.exe and create a thin wrapper > named ntoskrnl.exe with the same export table. All exports would call > original functions in renamed ntoskrnl. Such a wrapper can be generated > during your software install (we used this way when needed to hook some OS > code). Wrapper would call your code when necessary. You can even avoid > renaming and use /kernel= boot.ini option to load the wrapper. > > Best regards, > > Michal Vodicka > Veridicom > (RKK - Skytale) > [WWW: http://www.veridicom.com , http://www.skytale.com] > > > > > ---------- > > From: Dan Partelly[SMTP:danp@jb.rdsor.ro] > > Reply To: NT Developers Interest List > > Sent: Friday, April 27, 2001 7:41 PM > > To: NT Developers Interest List > > Subject: [ntdev] Re: Very early module load > > > > Thank you very much for you ideea , I apreciate it , but as I said --- > > patching is not an option. > > > > ----- Original Message ----- > > From: Satish > > To: NT Developers Interest List > > Sent: Friday, April 27, 2001 3:04 PM > > Subject: [ntdev] Re: Very early module load > > > > Ur code no need to change for every build. Just Get the entry point > > by reading the header of PE and patch ur code. The only condition is u > > have to patch System File. > > > > Regards, > > Satish K.S > > > > > > -----Original Message----- > > From: bounce-ntdev-5072@lists.osr.com [ > > mailto:bounce-ntdev-5072@lists.osr.com]On Behalf Of danp > > Sent: Friday, April 27, 2001 5:20 AM > > To: NT Developers Interest List > > Subject: [ntdev] Re: Very early module load > > > > > > It is not an option. First , permanently patching a > > OS system file is unprofesional. Second , I need my code fully relocatable > > and to export an API trough standard PE export mechanism. > > Third , II dont really wana adapt my code to every > > new build of ntoskrnl. > > > > ----- Original Message ----- > > From: Satish > > To: NT Developers Interest List > > Sent: Friday, April 27, 2001 11:51 AM > > Subject: [ntdev] Re: Very early module load > > > > Patch ur code into PE file. Then Update PE-File > > Entry point in Header to point to ur Code. U will get control first then > > return to original code. > > > > Regards, > > Satish K.S > > > > ----- Original Message ----- > > From: danp > > To: NT Developers Interest List > > Sent: Friday, April 27, 2001 1:56 PM > > Subject: [ntdev] Very early module load > > > > > > Hi ppl > > > > Im looking to insert a PE module into system address > > space before any other OS modules , and execute it's entry point. The main > > requirment is that the entry point of my module is executed before > > NtMain() from ntoskrnl. Any ideeas are apreciated. > > > > > > Best regards , Dan > > > > > > --- > > You are currently subscribed to ntdev as: > > kssatish@aalayance.com > > To unsubscribe send a blank email to > > leave-ntdev-247T@lists.osr.com > > > > --- > > You are currently subscribed to ntdev as: > > danp@jb.rdsor.ro > > To unsubscribe send a blank email to > > leave-ntdev-247T@lists.osr.com > > > > --- > > You are currently subscribed to ntdev as: > > mroddy@tellink.net > > To unsubscribe send a blank email to > > leave-ntdev-247T@lists.osr.com > > > > --- > > You are currently subscribed to ntdev as: > > kssatish@aalayance.com > > To unsubscribe send a blank email to > > leave-ntdev-247T@lists.osr.com > > > > --- > > You are currently subscribed to ntdev as: danp@jb.rdsor.ro > > To unsubscribe send a blank email to leave-ntdev-247T@lists.osr.com > > > > --- > > You are currently subscribed to ntdev as: MVodicka@rkk.cz > > To unsubscribe send a blank email to leave-ntdev-247T@lists.osr.com > > > > --- > You are currently subscribed to ntdev as: danp@jb.rdsor.ro > To unsubscribe send a blank email to leave-ntdev-247T@lists.osr.com > --- You are currently subscribed to ntdev as: Stas@powernetsys.com To unsubscribe send a blank email to leave-ntdev-247T@lists.osr.com --- You are currently subscribed to ntdev as: GlennEverhart@FirstUSA.com To unsubscribe send a blank email to leave-ntdev-247T@lists.osr.com