Just a quick easy question for the experienced, hopefully.
Which SuspendThread should I be calling in a driver?
I'm thinking it should be the Zw.
And when I link in ntdll.lib the driver becomes corrupt.
Is ntdll.lib not supposed to be linked in for drivers? If not, how am I supposed to call either of these from a driver?
Any help would be greatly appreciated.
packetvb
Is ntdll.lib not supposed to be linked in for drivers??
Exactly! Ntdll runs in ring-3 (user-mode).
Drivers don't need to use ntdll; they have their own kernel (ntoskrnl.exe).
Regards,
Opcode
Unfortunately, ZwSuspendThread is not exported by ntoskrnl.
For each ntdll!ZwXXX function there is an NtXXX inside the ntoskrnl.
But you can find NtSuspendThread by looking inside the
Service Descriptor Table, exported by the ntoskrnl as
KeServiceDescriptorTable.
Take a look at the Mark Russinovich article:
http://www.sysinternals.com/ntw2k/info/ntdll.shtml
Regards,
Opcode
Opcode,
Thanks for the information.
So I would basically get the Native ID of NtSuspendThread and call it from the driver?
Also another question.
I'm trying to suspend all processes on startup to do some checks on the executable. Which is the better way: use PsCreateNotifyRoutine and determine the main thread and then suspend it, or just hook NtCreateProcess instead of relying on the notify routine? I'm worried that I won't be able to suspend the process quickly enough using PsCreateNotifyRoutine. Then on the other hand I'm worried that a service pack would change the "signature" of the Native APIs.
I hope this made sense.
Thanks for your time.
packetvb
so I would basically get the Native ID of NtSuspendThread and call it from the driver?
Yes, but make sure that you have understood the structure of the SDT.
Which is a better way
Avoid hooks, use PsCreateNotifyRoutine.
I'm worried that a service pack would change the "signature" of the Native APIs
Don't worry. You will always be able to find the function. 8)
Regards,
Opcode
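The two points Opcode makes above, that you must understand the layout of the Service Descriptor Table before indexing into it and that you should avoid hooking it, can be illustrated with a small user-mode model. The following is an added example written for this thread, not code from the original posts or from the Russinovich article: it declares the 32-bit layout of one KeServiceDescriptorTable entry, reads the service number out of an x86 ntdll stub of the classic `mov eax, imm32` form, resolves it against the table, and then runs the check a defender would want, namely that every entry still points inside the ntoskrnl image (an entry pointing elsewhere is a hooked service). All addresses, indices, stub bytes and the kernel image range are constructed sample data; a real driver would read the exported KeServiceDescriptorTable and the kernel's load address instead.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* 32-bit layout of one KeServiceDescriptorTable entry (the exported
 * symbol points at the first of four such entries). */
typedef struct _SYSTEM_SERVICE_TABLE {
    uintptr_t *ServiceTableBase;        /* NtXxx entry points, indexed by service number */
    uint32_t  *ServiceCounterTableBase; /* per-service call counters (checked builds only) */
    uint32_t   NumberOfServices;        /* number of valid indices */
    uint8_t   *ParamTableBase;          /* bytes of stack arguments for each service */
} SYSTEM_SERVICE_TABLE;

/* Read the service number from an x86 ntdll ZwXxx/NtXxx stub that starts
 * with "mov eax, imm32" (B8 xx xx xx xx), as on NT4/2000/XP. Returns -1 for
 * any other byte pattern (the x64 stub, for instance, starts with mov r10, rcx). */
long service_index_from_stub(const uint8_t *stub, size_t len)
{
    if (len < 5 || stub[0] != 0xB8)
        return -1;
    return (long)((uint32_t)stub[1] | ((uint32_t)stub[2] << 8) |
                  ((uint32_t)stub[3] << 16) | ((uint32_t)stub[4] << 24));
}

/* Resolve a service number to its dispatch address; 0 if out of range. */
uintptr_t resolve_service(const SYSTEM_SERVICE_TABLE *sdt, long index)
{
    if (index < 0 || (uint32_t)index >= sdt->NumberOfServices)
        return 0;
    return sdt->ServiceTableBase[index];
}

/* Integrity check: an unhooked entry points inside the ntoskrnl image. */
int entry_in_kernel(const SYSTEM_SERVICE_TABLE *sdt, long index,
                    uintptr_t kernel_base, size_t kernel_size)
{
    uintptr_t target = resolve_service(sdt, index);
    return target != 0 && target >= kernel_base &&
           target < kernel_base + kernel_size;
}

/* Count table entries that no longer point into the kernel image. */
int count_hooked_entries(const SYSTEM_SERVICE_TABLE *sdt,
                         uintptr_t kernel_base, size_t kernel_size)
{
    int hooked = 0;
    for (uint32_t i = 0; i < sdt->NumberOfServices; i++)
        if (!entry_in_kernel(sdt, (long)i, kernel_base, kernel_size))
            hooked++;
    return hooked;
}

/* ---- constructed sample data: not real addresses or service numbers ---- */
#define SAMPLE_KERNEL_BASE 0x80400000u
#define SAMPLE_KERNEL_SIZE 0x00200000u

static uintptr_t sample_services[] = {
    0x80501000u,   /* index 0: inside the kernel image */
    0x80502000u,   /* index 1: inside the kernel image */
    0xF9A01234u,   /* index 2: hooked, points into some third-party driver */
};
static uint8_t sample_params[] = { 0x18, 0x20, 0x04 };

static SYSTEM_SERVICE_TABLE sample_sdt = {
    sample_services,
    NULL,
    sizeof sample_services / sizeof sample_services[0],
    sample_params,
};

/* Constructed XP-style stub: mov eax, 2 ; mov edx, 7FFE0300h ; call [edx] ; ret 4 */
static const uint8_t sample_stub[] = {
    0xB8, 0x02, 0x00, 0x00, 0x00,
    0xBA, 0x00, 0x03, 0xFE, 0x7F,
    0xFF, 0x12,
    0xC2, 0x04, 0x00,
};

int main(void)
{
    long idx = service_index_from_stub(sample_stub, sizeof sample_stub);
    printf("stub service number: %ld\n", idx);
    printf("dispatch address: 0x%08lx\n",
           (unsigned long)resolve_service(&sample_sdt, idx));
    printf("entries outside the kernel image: %d\n",
           count_hooked_entries(&sample_sdt, SAMPLE_KERNEL_BASE, SAMPLE_KERNEL_SIZE));
    return 0;
}
```

Reading the index from the stub rather than hard-coding it is what makes the approach survive service packs, which is the reassurance given above; the bounds check in `resolve_service` is the "understand the structure of the SDT" part, since NumberOfServices changes between builds too.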
Opcode
Understood. Thanks for your help.