[pso] Parametrii apelurilor de sistem
Razvan Deaconescu
razvand at cs.pub.ro
Mon Mar 17 19:03:40 EET 2008
On Mon, 2008-03-17 at 03:47 -0700, Andy wrote:
> Am copiat exemplul din curs si am incercat interceptarea NtOpenFile.
> (am vazut ca pentru win 2k3 este 0x007a syscall-u - adica 122).
> Interceptarea e ok, intra in interceptor pe acest syscall. Problema
> apare atunci cand incerc sa deschid orice fisier, imi returneaza "The
> parameter is incorect". De aici trag concluzia ca in stiva noua nu
> sunt salvati si parametrii. Gresesc cu ceva?
In primul rand incearca sa fii mai grijuliu cand dai exemple de cod
relativ complete pe lista.
> NTSTATUS interceptor(){
> int syscall, params, syscall_table, syscall_index, r;
> void *old_stack, *new_stack;
>
> _asm mov syscall, eax
> syscall_table=syscall>>12;
> syscall_index=syscall&0x0000FFF;
> params=KeServiceDescriptorTable[syscall_table].spt[syscall_index];
> _asm mov old_stack, ebp
> _asm add old_stack, 8
> _asm sub esp, params
> _asm mov new_stack, esp
> memcpy(new_stack, old_stack, params);
> r=f();
> DbgPrint("%d: %d\n", syscall, r);
> }
What happened to 'return r'? Ce valoare are syscall si r in acel
DbgPrint?
Razvan
--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.
More information about the pso
mailing list