Forum Replies Created
I suppose so.
Because ntldr is the one which loads ntoskrnl.exe, that means ntldr has PE parsing functionality and it does dynamic linking of ntoskrnl and hal.dll. After that phase it is the responsibility of code present in ntoskrnl.exe to dynamically link the other drivers which are getting loaded.
For this ntoskrnl.exe itself should know its base address.

Cheers
Deepak

November 5, 2008 at 12:07 pm in reply to: "MiniportInitialize" is called in context of which thread #6706

I found out that it is called in the context of upper protocol binding code.
Cheers
Deepak

June 28, 2007 at 6:11 am in reply to: Differences b/w Server2003 Enter. and Server2003 Enter. R2 #6347

Hi guys
I just got Win 2003 Server SP1 and got to know that there are changes in the EPROCESS and ETHREAD structures due to SP1 changes…
So I think there are no changes in the EPROCESS and ETHREAD structs in Win 2003 Server and its R2 release…
Also I want all of you to add to it.
Kind Regards
Deepak

Thanks a ton buddy.
I think it will work for my case.
Is there any exported variable like “NtBuildNumber” which keeps the Version Number and CSD String?
Asking just out of curiosity.
Kind Regards
Deepak

You are absolutely correct, serpent, that this would work…
But the problems in my case are the following:
1.) I have to support 2000, XP and 2003.
2.) I have to get the full image path name of each process running in the system (not just the current process). On XP and 2003 I don't have to open the handle as I am directly getting the address of the SECTION_OBJECT. But on 2000 I have only the SectionHandle, and that handle is valid in the HANDLE_TABLE of the corresponding process, not in the process in whose context my driver is getting called.
I have integrated the mechanism you mentioned in my code and it is working fine on XP and 2k3. I'm able to read the FullImagePathname of all the processes.
But on 2000 I have only the SectionHandle and not the pointer to the SectionObject.
To get it working I will have to search another process's handle table and I think that would be a very tedious task. So my only worry is with Win2000.
Also I don't want to use ZwQuerySystemInformation and ZwOpenProcess because these APIs have a chance of being hooked.
I think you got all my doubts.

Kind Regards
Deepak Gupta

But how to enumerate symbolic links?
I guess you are talking about these mappings:
C: \Device\HardDiskVolume1
D: \Device\HardDiskVolume2
But in Win2000 I don't get anything like \Device\HardDiskVolume1 from the EPROCESS block.
Please correct me if I'm wrong.
Kind Regards
Deepak Gupta

Hi Serpent,
What if I have to get the full ImagePathName of other processes in the system?
On XP and 2003 I'm able to get the full ImagePathName from the SeAuditInformationInfo structure of the EPROCESS block.
But on 2000 there is no structure like that…
Yes, there is a last field in the EPROCESS block which points to a UNICODE_STRING which gives me the FullPathName, but still I am not able to get the drive letters from there.
I had one more query: what does the DEVICEMAP field in the EPROCESS structure signify…?
Does this structure contain any information about drive mapping and all?
Please reply asap, as I'm reaching the deadline for my college project.

Kind Regards
Deepak Gupta
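The drive-letter problem raised in the last two posts, turning a native `\Device\HarddiskVolumeN\...` image path back into `C:\...`, is the same one an endpoint agent or forensic tool hits when it normalises process image paths taken from kernel telemetry. The following is an added example, not code from these posts or from any project mentioned in them. It is portable C so it runs anywhere; on Windows the mapping table would be filled by reading the `\??\X:` symbolic links (`QueryDosDeviceW` per drive letter from user mode, or `ZwOpenSymbolicLinkObject`/`ZwQuerySymbolicLinkObject` from a driver), whereas here it is a constructed table. The names `DriveMap`, `nt_to_dos_path` and `SAMPLE_MAP` are the example's own.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* One drive-letter -> NT device-name mapping, i.e. the target of the
 * \??\X: symbolic link (what QueryDosDeviceW("X:") returns in user mode). */
typedef struct {
    const char *drive;   /* e.g. "C:" */
    const char *device;  /* e.g. "\\Device\\HarddiskVolume1" */
} DriveMap;

/* Constructed sample table (assumption: not read from a real machine).
 * HarddiskVolume1 and HarddiskVolume10 are both present on purpose so the
 * prefix-boundary check below is exercised. */
static const DriveMap SAMPLE_MAP[] = {
    { "C:", "\\Device\\HarddiskVolume1" },
    { "D:", "\\Device\\HarddiskVolume2" },
    { "E:", "\\Device\\HarddiskVolume10" },
    { "F:", "\\Device\\CdRom0" },
};
static const size_t SAMPLE_MAP_LEN = sizeof SAMPLE_MAP / sizeof SAMPLE_MAP[0];

/* Case-insensitive prefix test: object manager names are case-insensitive.
 * Returns the prefix length on match, 0 otherwise. */
static size_t ci_prefix_len(const char *s, const char *prefix)
{
    size_t i;
    for (i = 0; prefix[i] != '\0'; i++) {
        if (s[i] == '\0' ||
            tolower((unsigned char)s[i]) != tolower((unsigned char)prefix[i]))
            return 0;
    }
    return i;
}

/* Translate an NT-native path such as "\Device\HarddiskVolume1\Windows\x.exe"
 * into "C:\Windows\x.exe" using the mapping table.
 * Returns 1 and fills out on success, 0 if no mapping applies or out is too small. */
int nt_to_dos_path(const char *nt_path, const DriveMap *map, size_t map_len,
                   char *out, size_t out_len)
{
    size_t best_len = 0;
    const DriveMap *best = NULL;

    for (size_t i = 0; i < map_len; i++) {
        size_t n = ci_prefix_len(nt_path, map[i].device);
        /* The device name must end exactly at a path separator or at the end of
         * the string; otherwise "\Device\HarddiskVolume1" would wrongly claim
         * "\Device\HarddiskVolume10\...". Prefer the longest matching device. */
        if (n > best_len && (nt_path[n] == '\\' || nt_path[n] == '\0')) {
            best_len = n;
            best = &map[i];
        }
    }
    if (best == NULL)
        return 0;

    const char *rest = nt_path + best_len;        /* "\Windows\x.exe" or "" */
    if (*rest == '\0')
        rest = "\\";                              /* bare volume -> "C:\" */
    int written = snprintf(out, out_len, "%s%s", best->drive, rest);
    return written >= 0 && (size_t)written < out_len;
}

int main(void)
{
    /* Constructed sample paths of the shape seen in process image-path fields. */
    const char *samples[] = {
        "\\Device\\HarddiskVolume1\\Windows\\System32\\svchost.exe",
        "\\Device\\HarddiskVolume10\\Tools\\procmon.exe",
        "\\Device\\HardDiskVolume2",
        "\\Device\\Mup\\server\\share\\file.txt",
    };
    char dos[260];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        if (nt_to_dos_path(samples[i], SAMPLE_MAP, SAMPLE_MAP_LEN, dos, sizeof dos))
            printf("%-55s -> %s\n", samples[i], dos);
        else
            printf("%-55s -> (no drive letter; keep NT path)\n", samples[i]);
    }
    return 0;
}
```

Two details matter in practice: the boundary check after the device name, without which volume 1 silently swallows volumes 10 through 19, and the explicit failure for paths such as `\Device\Mup\...` (network) that have no drive letter, where a tool should keep the native path rather than guess.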