[pso] Parametrii apelurilor de sistem

Razvan Deaconescu razvand at cs.pub.ro
Mon Mar 17 19:03:40 EET 2008

On Mon, 2008-03-17 at 03:47 -0700, Andy wrote:
> Am copiat exemplul din curs si am incercat interceptarea NtOpenFile.
> (am vazut ca pentru win 2k3 este  0x007a syscall-u - adica 122). 
> Interceptarea e ok, intra in interceptor pe acest syscall. Problema
> apare atunci cand incerc sa deschid orice fisier, imi returneaza "The
> parameter is incorect". De aici trag concluzia ca in stiva noua nu
> sunt salvati si parametrii. Gresesc cu ceva?

In primul rand incearca sa fii mai grijuliu cand dai exemple de cod
relativ complete pe lista.

> NTSTATUS interceptor(){
>     int syscall, params, syscall_table, syscall_index, r;
>     void *old_stack, *new_stack;
>     _asm mov syscall, eax
>     syscall_table=syscall>>12;
>     syscall_index=syscall&0x0000FFF;
>     params=KeServiceDescriptorTable[syscall_table].spt[syscall_index];
>     _asm mov old_stack, ebp
>     _asm add old_stack, 8
>     _asm sub esp, params
>     _asm mov new_stack, esp
>     memcpy(new_stack, old_stack, params);
>     r=f();
>     DbgPrint("%d: %d\n", syscall, r);
> }

What happened to 'return r'? Ce valoare are syscall si r in acel


This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

More information about the pso mailing list