Forum Replies Created
I suppose so.
Because ntldr is the one which loads ntoskrnl.exe.
That means ntldr has PE parsing functionality and it does dynamic linking of ntoskrnl and hal.dll.
After that phase it is the responsibility of the code present in ntoskrnl.exe to dynamically link the other drivers which are getting loaded.
For this ntoskrnl.exe itself should know its base address.
Deepak, November 5, 2008 at 12:07 pm, in reply to: "MiniportInitialize" is called in context of which thread #6706
I found out that it is called in the context of upper protocol binding code.
Deepak, June 28, 2007 at 6:11 am, in reply to: Differences b/w Server2003 Enter. and Server2003 Enter. R2 #6347
I just got Win 2003 Server SP1 and got to know that there are changes in the EPROCESS and ETHREAD structures due to SP1 changes…
So I think there are no changes in the EPROCESS and ETHREAD structs in Win 2003 Server and its R2 release…
Also, I would like all of you to add to it.
Deepak, June 26, 2007 at 8:52 am, in reply to: How to get Service Pack Number of OS from Kernel Mode #6345
Thanks a ton, buddy.
I think it will work for my case.
Is there any exported variable like “NtBuildNumber” which keeps the Version Number and CSD String?
Asking just out of curiosity.
Deepak, June 14, 2007 at 10:44 am, in reply to: retrieving full process image path name in kernel mode #5885
You are absolutely correct, serpent, that this would work…
But the problems in my case are the following:
1.) I have to support 2000, XP and 2003.
2.) I have to get the Full Image Path name of each process running in the system (not just the Current Process).
On XP and 2003 I don’t have to open the handle as I am directly getting the Address of the SECTION_OBJECT. But on 2000 I have only the SectionHandle, and that handle is valid in the HANDLE_TABLE of the corresponding process, not in the process in whose context my driver is getting called.
I have integrated the mechanism you mentioned in my code and it is working fine on XP and 2k3. I am able to read the FullImagePathname of all the processes.
But on 2000 I have only the SectionHandle and not the pointer to the SectionObject.
To get it working I will have to search another process’s handle table, and I think that would be a very tedious task.
So my only worry is with Win2000.
Also I don’t want to use ZwQuerySystemInformation and ZwOpenProcess because these APIs have got chances of being Hooked.
I think you got all my doubts.
Deepak Gupta, June 14, 2007 at 5:08 am, in reply to: retrieving full process image path name in kernel mode #5883
But how to enumerate Symbolic links?
I guess you are talking about these mappings.
But in Win2000 I don’t get anything like DeviceHardDiskVolume1 from the EPROCESS block.
Please correct me if I am wrong.
Deepak Gupta, June 12, 2007 at 12:12 pm, in reply to: retrieving full process image path name in kernel mode #5881
What if I have to get the Full ImagePathName of other processes in the system?
On XP and 2003 I am able to get the Full ImagePathName from the SeAuditInformationInfo structure of the EPROCESS block.
But on 2000 there is no structure like that…
Yes, there is a last field in the EPROCESS block which points to a UNICODE_STRING that gives me the FullPathName, but still I am not able to get the Drive Letters from there.
I had one more query: what does the DEVICEMAP field in the EPROCESS structure signify?
Does this structure contain any information about Drive mapping and all?
Please reply ASAP, as I am reaching the deadline for my college project.
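The drive-letter question in the last two replies comes down to the DOS-device symbolic links: `C:` under the `\??` (DosDevices) object directory is a link to an NT device name such as `\Device\HarddiskVolume1`, so the image path read from the kernel object must be translated by prefix. The following is an added example, not code from the thread; it performs that translation in user-mode Python over a constructed link table (in a driver the same table would be read with ZwOpenSymbolicLinkObject/ZwQuerySymbolicLinkObject on `\??\C:`, and in user mode with QueryDosDevice), and handles the case where one device name is a prefix of another (HarddiskVolume1 vs. HarddiskVolume10).

```python
# Constructed sample of DOS-device symbolic links (drive letter -> NT device
# name), as they would be read from the \?? object directory. Network paths
# (\Device\Mup, \Device\LanmanRedirector) are deliberately absent: they have
# no single drive letter and are left untranslated.
DOS_DEVICE_LINKS = {
    "C:": r"\Device\HarddiskVolume1",
    "D:": r"\Device\HarddiskVolume2",
    "E:": r"\Device\CdRom0",
}


def device_prefixes(links):
    """Invert the link table and order it longest-device-name-first.

    Longest-first matching is what prevents \\Device\\HarddiskVolume1 from
    claiming paths that really live on \\Device\\HarddiskVolume10.
    """
    pairs = [(device.lower(), letter) for letter, device in links.items()]
    return sorted(pairs, key=lambda p: len(p[0]), reverse=True)


def nt_path_to_dos(nt_path, links=DOS_DEVICE_LINKS):
    """Translate an NT image path to a DOS path, or return None if no link matches.

    NT object names are compared case-insensitively; the original casing of the
    remainder of the path is preserved in the result.
    """
    lowered = nt_path.lower()
    for device, letter in device_prefixes(links):
        if lowered == device:
            return letter + "\\"              # bare volume root
        if lowered.startswith(device + "\\"):
            return letter + nt_path[len(device):]
    return None


if __name__ == "__main__":
    # Constructed image path of the kind stored on the section/file object.
    print(nt_path_to_dos(r"\Device\HarddiskVolume1\WINDOWS\system32\notepad.exe"))
```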