From: Jeremy Kercheval [jkercheval@expressmetrix.com]
Sent: Thursday, November 15, 2001 8:10 PM
To: NT Developers Interest List
Subject: [ntdev] RE: Kernel mode device driver problem - KeServiceDescriptorTable

We are doing a bit more than just monitoring the process starting; the app can be configured to stop launches of selected processes. There is very little kernel programming overall, so we have been trying other resources (this list for one) to figure out the differences and fix the driver. We will eventually move to other methods of control I think...

My real concern is that we will have to "fix" this driver every time MS makes a change, though this is the first problem with the driver (and client app) in several versions, so it may not be a large concern. We just may have someone else look at it, but once I get started on something I like to figure it out for myself, so I keep banging away at it... How else can I learn these things :)

Jeremy

-----Original Message-----
From: bounce-ntdev-6996@lists.osr.com [mailto:bounce-ntdev-6996@lists.osr.com] On Behalf Of Michal Vodicka
Sent: Thursday, November 15, 2001 4:35 PM
To: NT Developers Interest List
Subject: [ntdev] RE: Kernel mode device driver problem - KeServiceDescriptorTable

Jeremy,

if you only want to monitor process creation, the already recommended PsSetCreateProcessNotifyRoutine is a good choice. It is documented (see http://www.osr.com/ddk/k108_5lwy.htm), relatively easy to use, works on both w2k and XP (probably also on NT4), and no undocumented hacks are necessary. Also, you are informed about process exits. However, you can't influence process creation; for example, you can't stop an evil process from running.

As for buying SoftICE, it is a good idea if you want to do more kernel programming in the future.
If this problem is the only kernel problem you need to solve, it would probably be cheaper and much faster to pay somebody to solve it for you (no, it isn't blatant advertisement, my working agreement explicitly disallows it :). Maybe you already received some offers.

Best regards,

Michal Vodicka
STMicroelectronics Design and Application s.r.o.
[michal.vodicka@st.com, http:://www.st.com]

> ----------
> From: jkercheval@expressmetrix.com[SMTP:jkercheval@expressmetrix.com]
> Reply To: ntdev@lists.osr.com
> Sent: Thursday, November 15, 2001 4:09 AM
> To: ntdev@lists.osr.com
> Subject: [ntdev] RE: Kernel mode device driver problem - KeServiceDescriptorTable
>
> Michal,
> Someone else did originally write the code, and I am now the poor engineer that has to fix it. Unfortunately the person/people that wrote the code originally are now with a different company. I appreciate the time you have taken already to help - very much.
>
> The software hooks the CreateProcess call by replacing the address in the service table with our own function (in a kernel mode driver), which monitors process creation and passes the data along to the original function.
>
> Thanks again for your help - I guess it's time to buy SoftICE.
>
> -Jeremy
>
> -----Original Message-----
> From: bounce-ntdev-6996@lists.osr.com [mailto:bounce-ntdev-6996@lists.osr.com] On Behalf Of Michal Vodicka
> Sent: Wednesday, November 14, 2001 5:50 PM
> To: NT Developers Interest List
> Subject: [ntdev] RE: Kernel mode device driver problem - KeServiceDescriptorTable
>
> Jeremy,
>
> I'm sorry to say it, but if you want to change the service table, you should have a lot of experience with the kernel and know exactly what you're doing. Otherwise it is really easy to crash the system.
>
> I presume GetThunkCode() was written by somebody else. If I understand it correctly, it tries to verify that the ntdll code to enter the kernel is exactly what it expects and, if so, extracts the necessary info.
> The XP code was changed and the verification detects it. What you need is to change _NTFUNC_BLOCK and the verification in the appropriate way. Below you can see the XP code; the first column is addresses (ignore it), the second is the real code as it is in memory, and next are the corresponding assembly instructions. From the code it should be possible to see how to change the verification routine. You can compare it with the code from NT4/w2k; you need a debugger or disassembler to see it. I'm sorry, currently I don't have time to give you something better, maybe tomorrow or maybe somebody else will in the meantime.
>
> Just curious: what is the purpose of your code and who wrote the original code which works on NT/w2k? S/he should be able to improve it for XP.
>
> Best regards,
>
> Michal Vodicka
> STMicroelectronics Design and Application s.r.o.
> [michal.vodicka@st.com, http:://www.st.com]
>
> > ----------
> > From: jkercheval@expressmetrix.com[SMTP:jkercheval@expressmetrix.com]
> > Reply To: ntdev@lists.osr.com
> > Sent: Thursday, November 15, 2001 2:07 AM
> > To: ntdev@lists.osr.com
> > Subject: [ntdev] RE: Kernel mode device driver problem - KeServiceDescriptorTable
> >
> > Michal,
> > Thanks for the response, unfortunately I don't entirely understand what you have given me here. I'm not trying to be stupid, but I don't have a lot of experience with the kernel. Is the first section how NT used to enter the kernel, and the second part the new way? I'm not sure how I would change my GetThunkCode based on the below information.
> >
> > Jeremy
> >
> > -----Original Message-----
> > From: bounce-ntdev-6996@lists.osr.com [mailto:bounce-ntdev-6996@lists.osr.com] On Behalf Of Michal Vodicka
> > Sent: Wednesday, November 14, 2001 3:58 PM
> > To: NT Developers Interest List
> > Subject: [ntdev] RE: Kernel mode device driver problem - KeServiceDescriptorTable
> >
> > Yes, XP changed the way to enter the kernel:
> >
> > :u ZwCreateProcess
> > _NtCreateProcess
> > 001B:77F7E6A3 B82F000000 MOV EAX,0000002F
> > 001B:77F7E6A8 BA0003FE7F MOV EDX,7FFE0300
> > 001B:77F7E6AD FFD2       CALL EDX
> > 001B:77F7E6AF C22000     RET 0020
> >
> > :u 7FFE0300
> > 001B:7FFE0300 8BD4       MOV EDX,ESP
> > 001B:7FFE0302 0F34       SYSENTER
> > 001B:7FFE0304 C3         RET
> >
> > Just change your GetThunkCode a bit and check the OS to see what version to use.
> >
> > As for the driver crash; if you're doing such a change, you should see why it crashes. If memory protection causes it, examine and try to change the WP bit in CR0.
> >
> > Best regards,
> >
> > Michal Vodicka
> > STMicroelectronics Design and Application s.r.o.
> > [michal.vodicka@st.com, http:://www.st.com]
> >
> > > ----------
> > > From: jkercheval@expressmetrix.com[SMTP:jkercheval@expressmetrix.com]
> > > Reply To: ntdev@lists.osr.com
> > > Sent: Wednesday, November 14, 2001 10:14 PM
> > > To: ntdev@lists.osr.com
> > > Subject: [ntdev] Kernel mode device driver problem - KeServiceDescriptorTable
> > >
> > > I have an app and driver that works on NT4 through Windows 2000 SP2 that fails on Windows XP.
> > > In user mode we would call GetProcAddress as follows:
> > >
> > > BOOL GetThunkCode(FARPROC funcPtr, PULONG ntCode, PULONG ntParams);
> > > HMODULE hNtDll;
> > > FARPROC pFunc;
> > >
> > > ----
> > > if (hNtDll = LoadLibrary("NTDLL.DLL"))
> > > {
> > >     if ((pFunc = GetProcAddress(hNtDll, "ZwCreateProcess")) == NULL ||
> > >         !GetThunkCode(pFunc, &pInitBlock->CreateProcessHookBlock.NTCode,
> > >                       &pInitBlock->CreateProcessHookBlock.ParamCount))
> > >     {
> > >         FreeLibrary(hNtDll);
> > >         return 0;
> > >     }
> > > }
> > > ----
> > > This would get the address of the function in ntdll; we would then extract the service id and the number of bytes required for the parameters using the below function:
> > > ---
> > > static BOOL GetThunkCode(FARPROC funcPtr, PULONG ntCode, PULONG ntParams)
> > > {
> > > #pragma pack(1)
> > >     /* Byte layout of an NT4/w2k ntdll stub: MOV EAX,imm32 / LEA EDX,[ESP+4] / INT 2E / RET imm16 */
> > >     typedef struct _NTFUNC_BLOCK
> > >     {
> > >         UCHAR  moveeax;    /* 0xB8: MOV EAX,imm32 */
> > >         ULONG  thunkCode;  /* imm32: the service id */
> > >         UCHAR  stuff[4];   /* LEA EDX,[ESP+4] (not checked) */
> > >         UCHAR  insint;     /* 0xCD: INT */
> > >         UCHAR  vector;     /* 0x2E: the NT system call vector */
> > >         UCHAR  insret;     /* 0xC2: RET imm16 */
> > >         USHORT params;     /* imm16: bytes of parameters popped by RET */
> > >     } *PNTFUNC_BLOCK;
> > >     PNTFUNC_BLOCK pNtFunc;
> > > #pragma pack()
> > >
> > >     pNtFunc = (PNTFUNC_BLOCK) funcPtr;
> > >     if (pNtFunc->moveeax != 0xb8)
> > >         return FALSE;
> > >     if (pNtFunc->insint != 0xcd)
> > >         return FALSE;
> > >     if (pNtFunc->vector != 0x2e)
> > >         return FALSE;
> > >     if (pNtFunc->insret != 0xc2)
> > >         return FALSE;
> > >     *ntCode = pNtFunc->thunkCode;
> > >     *ntParams = pNtFunc->params / sizeof(ULONG);
> > >     return TRUE;
> > > }
> > > ---
> > >
> > > The problem is that the function no longer returns the information the same way that it used to. We would then pass this information (thunkCode and number of params) to the driver, which would hook into the KeServiceDescriptorTable replacing the real CreateProcess function with our own.
> > >
> > > Also, when I try to write to the KeServiceDescriptorTable at any serviceID, the driver immediately crashes.
> > > Did XP change the memory protection of the KeServiceDescriptorTable?
> > >
> > > In short, the address that we get back from GetProcAddress no longer has the same format - does anyone know the new format? If I can find the correct ServiceID for the KeServiceDescriptorTable, can I still replace the old address with a new one, or is it protected memory now?
> > >
> > > Thanks,
> > > Jeremy
> > >
> > > ---
> > > You are currently subscribed to ntdev as: michal.vodicka@st.com
> > > To unsubscribe send a blank email to leave-ntdev-247T@lists.osr.com
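An added example that is not part of the thread: a C parser for the two x86 ntdll stub layouts discussed above, the NT4/w2k int 2e form that GetThunkCode expects and the XP form that calls the SYSENTER trampoline at 7FFE0300, reporting the service id and parameter count and rejecting anything else. The sample bytes are constructed (the NT4/w2k service id 0x1F is a placeholder; the XP bytes follow Michal's listing), and the hard-coded byte patterns show how version-specific such a check is, which is the maintenance worry Jeremy raises.

```c
/* Added example, not code from the thread: parses the two x86 ntdll stub
 * layouts shown above. Sample bytes are constructed; the NT4/w2k service id
 * 0x1F is a placeholder, the XP values follow Michal's SoftICE listing. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
enum stub_kind { STUB_UNKNOWN = 0, STUB_INT2E = 1, STUB_SYSENTER = 2 };
struct stub_info {
    enum stub_kind kind;
    uint32_t service_id;   /* imm32 of the leading MOV EAX */
    uint32_t param_bytes;  /* imm16 of the trailing RET */
    uint32_t param_count;  /* param_bytes / sizeof(ULONG), as in GetThunkCode */
};

/* Returns the recognised layout and fills *out; STUB_UNKNOWN (with *out zeroed)
 * for anything else, which is exactly what GetThunkCode ran into on XP. */
enum stub_kind parse_stub(const uint8_t *code, size_t len, struct stub_info *out) {
    static const uint8_t lea_edx[] = {0x8D, 0x54, 0x24, 0x04};        /* LEA EDX,[ESP+4] */
    static const uint8_t mov_edx[] = {0xBA, 0x00, 0x03, 0xFE, 0x7F};  /* MOV EDX,7FFE0300 */
    enum stub_kind kind; size_t ret_at;                               /* ret_at: offset of RET imm16 */
    memset(out, 0, sizeof *out);
    if (len < 14 || code[0] != 0xB8) return STUB_UNKNOWN;             /* MOV EAX,imm32 */
    if (!memcmp(code + 5, lea_edx, 4) && code[9] == 0xCD && code[10] == 0x2E) {
        kind = STUB_INT2E;      /* NT4/w2k: INT 2E */
        ret_at = 11;
    } else if (len >= 15 && !memcmp(code + 5, mov_edx, 5) && code[10] == 0xFF && code[11] == 0xD2) {
        kind = STUB_SYSENTER;   /* XP: CALL EDX into the SYSENTER trampoline */
        ret_at = 12;
    } else {
        return STUB_UNKNOWN;
    }
    if (code[ret_at] != 0xC2) return STUB_UNKNOWN;                    /* RET imm16 */
    out->kind = kind;
    out->service_id  = (uint32_t)code[1] | (uint32_t)code[2] << 8 | (uint32_t)code[3] << 16 | (uint32_t)code[4] << 24;
    out->param_bytes = (uint32_t)code[ret_at + 1] | (uint32_t)code[ret_at + 2] << 8;
    out->param_count = out->param_bytes / 4;
    return kind;
}

/* Constructed sample stubs (immediates little-endian), one per layout. */
static const uint8_t NT4_STUB[] = {0xB8,0x1F,0,0,0, 0x8D,0x54,0x24,0x04, 0xCD,0x2E, 0xC2,0x20,0x00};
static const uint8_t XP_STUB[]  = {0xB8,0x2F,0,0,0, 0xBA,0x00,0x03,0xFE,0x7F, 0xFF,0xD2, 0xC2,0x20,0x00};
int main(void) {
    struct stub_info info;
    if (parse_stub(XP_STUB, sizeof XP_STUB, &info) != STUB_UNKNOWN)
        printf("XP stub: service 0x%02X, %u parameters\n", (unsigned)info.service_id, (unsigned)info.param_count);
    return 0;
}
```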