dkg0414

Forum Replies Created

Viewing 7 posts - 1 through 7 (of 7 total)
  • in reply to: Address of loading ntoskrnl.exe [rus] #6271

    dkg0414
    Participant

    I suppose so.

    Because ntldr is the one which loads ntoskrnl.exe.
    That means ntldr has PE parsing functionality and it does dynamic linking of ntoskrnl and hal.dll.

    After that phase it is the responsibility of code present in ntoskrnl.exe to dynamically link the other drivers which are getting loaded.
    For this ntoskrnl.exe itself should know its base address.

    Cheers
    Deepak

    in reply to: "MiniportInitialize" is called in context of which thread #6706

    dkg0414
    Participant

    I found out that it is called in the context of upper protocol binding code.

    Cheers
    Deepak


    dkg0414
    Participant

    Hi guys

    I just got Win 2003 Server SP1 and got to know that there are changes in the EPROCESS and ETHREAD structures due to SP1 changes...

    So I think there are no changes in the EPROCESS and ETHREAD structs in Win 2003 Server and its R2 release...

    Also, I want all of you to add to it.

    Kind Regards
    Deepak

    in reply to: How to get Service Pack Number of OS from Kernel Mode #6345

    dkg0414
    Participant

    Thanks a ton, buddy.

    I think it will work for my case.

    Is there any exported variable like "NtBuildNumber" which keeps the Version Number and CSD String?

    Asking just out of curiosity.

    Kind Regards
    Deepak

    in reply to: retrieving full process image path name in kernel mode #5885

    dkg0414
    Participant

    You are absolutely correct, serpent, that this would work...
    But the problems in my case are the following:

    1.) I have to support 2000, XP and 2003.
    2.) I have to get the Full Image Path name of each process running in the system (not just the Current Process).

    On XP and 2003 I don't have to open the handle as I am directly getting the Address of the SECTION_OBJECT. But on 2000 I have only the SectionHandle, and that handle is valid in the HANDLE_TABLE of the corresponding process, not in the process in the context of which my driver is getting called.

    I have integrated the mechanism you mentioned in my code and it is working fine on XP and 2k3. I'm able to read the FullImagePathname of all the processes.

    But on 2000 I have only the SectionHandle and not the pointer to the SectionObject.
    To get it working I will have to search another process's handle table, and I think that would be a very tedious task.

    So my only worry is with Win2000.

    Also I don't want to use ZwQuerySystemInformation and ZwOpenProcess because these APIs have got chances of being hooked.
    I think you got all my doubts.

    Kind Regards
    Deepak Gupta

    in reply to: retrieving full process image path name in kernel mode #5883

    dkg0414
    Participant

    But how to enumerate Symbolic links?
    I guess you are talking about these mappings:

    C: -> \Device\HardDiskVolume1
    D: -> \Device\HardDiskVolume2

    But in Win2000 I don't get anything like \Device\HardDiskVolume1 from the EPROCESS block.

    Please correct me if I'm wrong.

    Kind Regards
    Deepak Gupta

    in reply to: retrieving full process image path name in kernel mode #5881

    dkg0414
    Participant

    Hi Serpent,

    What if I have to get the Full ImagePathName of other processes in the system?
    On XP and 2003 I'm able to get the Full ImagePathName from the SeAuditInformationInfo structure of the EPROCESS block.
    But on 2000 there is no structure like that...
    Yes, there is a last field in the EPROCESS block which points to a UNICODE_STRING which gives me the FullPathName, but still I am not able to get the Drive Letters from there.
    I had one more query: what does the DEVICEMAP field in the EPROCESS structure signify?
    Does this structure contain any information about Drive mapping and all?
    Please reply asap, as I'm reaching the deadline for my college project.

    Kind Regards
    Deepak Gupta
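The two posts above ask how the `C: -> \Device\HarddiskVolumeN` mappings are found and whether the EPROCESS DeviceMap field is involved. Those mappings are symbolic links in the object manager's DOS devices directory (`\GLOBAL??`, plus a per-session `\??` that the process's DeviceMap points at), which is why a native image path such as `\Device\HarddiskVolume1\Windows\System32\notepad.exe` carries no drive letter until the link table is consulted. The script below is an added example, not code from the thread or from any poster: it builds that table in user mode with the documented `QueryDosDeviceW` API on Windows (the same links a driver would enumerate from `\GLOBAL??`), falls back to a constructed sample table elsewhere so it runs offline, and rewrites NT device paths to drive-letter paths with longest-prefix matching so `HarddiskVolume1` is never confused with `HarddiskVolume10`. The sample volume numbers are assumptions and differ per machine. This is the normalisation step detection and forensic tooling needs when kernel-sourced process image paths are compared against drive-letter paths from other logs.

```python
"""Map NT device paths to DOS drive-letter paths via the DOS devices links.

Added example for the thread above (not the forum poster's code). On Windows
the link table comes from QueryDosDeviceW; elsewhere a constructed sample
table is used so the example runs offline.
"""
import ctypes
import sys

# Constructed sample table: typical targets of the symbolic links in
# \GLOBAL??. Volume numbers are assumptions and vary per machine.
SAMPLE_LINKS = {
    "C:": "\\Device\\HarddiskVolume1",
    "D:": "\\Device\\HarddiskVolume2",
    "E:": "\\Device\\CdRom0",
}


def query_dos_devices():
    """Return {drive: nt_device} from kernel32!QueryDosDeviceW (Windows only)."""
    kernel32 = ctypes.WinDLL("kernel32", use_last_error=True)
    buf = ctypes.create_unicode_buffer(1024)
    table = {}
    for letter in "ABCDEFGHIJKLMNOPQRSTUVWXYZ":
        drive = letter + ":"
        # Returns the number of characters written, 0 if the drive does not exist.
        if kernel32.QueryDosDeviceW(drive, buf, len(buf)):
            # The buffer holds one or more NUL-terminated targets; the first
            # entry is the current link target.
            table[drive] = buf.value
    return table


def load_links():
    """Live link table on Windows, the constructed sample elsewhere."""
    if sys.platform == "win32":
        return query_dos_devices()
    return dict(SAMPLE_LINKS)


def nt_to_dos(nt_path, links):
    """Rewrite an NT device path to a drive-letter path.

    Matching is case-insensitive (object manager names are) and the longest
    device prefix wins, so \\Device\\HarddiskVolume1 does not claim paths on
    \\Device\\HarddiskVolume10. Paths on unknown volumes are returned unchanged.
    """
    lower = nt_path.lower()
    best = None
    for drive, device in links.items():
        dev = device.lower()
        if lower == dev or lower.startswith(dev + "\\"):
            if best is None or len(dev) > len(best[1]):
                best = (drive, dev)
    if best is None:
        return nt_path
    drive, dev = best
    return drive + nt_path[len(dev):]


if __name__ == "__main__":
    links = load_links()
    for drive, device in sorted(links.items()):
        print(f"{drive} -> {device}")
    print(nt_to_dos("\\Device\\HarddiskVolume1\\Windows\\System32\\ntoskrnl.exe", links))
```

Run it on a Windows host to dump the live `C: -> \Device\HarddiskVolumeN` table; on any other platform it uses the constructed sample, which is enough to exercise the prefix-matching logic. A volume with no drive letter (mounted under a folder, or not mounted at all) will not appear in `QueryDosDeviceW` output, so its paths stay in NT form, which is the correct behaviour rather than a failure.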
