Hi there,
I've been snooping into the internals of Win XP and have set up a win32sys SDT hook on the NtUserCreateWindowEx function.
I'd written some time back to the list stating that the x, y, nWidth and nHeight parameters were showing values I couldn't understand - negative values et al. Since then I realized that this had to do with the fact that the parameter positions in the prototype I was using seemed to be in a different order (discovered a window.c file from this project on koders.com and was using this prototype). I think this could possibly be because maybe the ros team has been looking at a version of Windows that isn't XP (possible??)... dunno
Anyways the parameter ordering I've deduced seems to be :
NtUserCreateWindowEx(DWORD dwExStyle, PUNICODE_STRING UnsafeClassName, PUNICODE_STRING UnsafeWindowName, DWORD dwUnknown1, DWORD dwStyle, LONG x, LONG y, LONG nWidth, LONG nHeight, HWND hWndParent, HMENU hMenu, HINSTANCE hInstance, LPVOID lpParam, DWORD dwShowMode, DWORD dwUnknown2)
This seems to be correct with regards to the dwExStyle, dwStyle, x, y, nWidth, nHeight, hWndParent, hMenu, hInstance, lpParam arguments.
I'm still not able to verify the rest. My immediate concerns though are the UnsafeClassName and UnsafeWindowName arguments.
I'm trying to print out these values...or test out what these values hold...but can't seem to get anywhere....don't even know for sure if these are UNICODE_STRING structure vals or LPCTSTR.
I'd like to be able to retrieve/interpret the ClassName and WindowName......any help would be appreciated.
Bye for now
Hello
no, we won't help you with your rootkit. Go ask somewhere else
Well quite presumptuous and surprising - please do not forget that ReactOS itself can possibly be looked down upon by some ppl (Microsoft?)
Just to clarify, I am trying to hook into the SDT, therefore it could possibly qualify as a rootkit - but there are two sides to every coin, or should I say rootkit :)... this is chiefly to understand Windows internals and see how far I can push things.
Anyways I'm sorry if I've offended the sentimentalities of the ppl on this list in any manner.
Bye for now
On Tuesday 21 Oct 2008, KJK::Hyperion wrote:
Jeetu Golani wrote:
I've been snooping into the internals of Win XP and have setup a win32sys SDT hook on the NtUserCreateWindowEx function.
no, we won't help you with your rootkit. Go ask somewhere else _______________________________________________ Ros-dev mailing list Ros-dev@reactos.org http://www.reactos.org/mailman/listinfo/ros-dev
try LARGE_UNICODE_STRING http://www.reactos.org/wiki/index.php/Techwiki/win32k/LARGE_UNICODE_STRING That's what a WND stores internally.
Jeetu Golani wrote:
Anyways the parameter ordering I've deduced seems to be :
NtUserCreateWindowEx(DWORD dwExStyle, PUNICODE_STRING UnsafeClassName, PUNICODE_STRING UnsafeWindowName, DWORD dwUnknown1, DWORD dwStyle, LONG x, LONG y, LONG nWidth, LONG nHeight, HWND hWndParent, HMENU hMenu, HINSTANCE hInstance, LPVOID lpParam, DWORD dwShowMode, DWORD dwUnknown2)
This seems to be correct with regards to the dwExStyle, dwStyle, x, y, nWidth, nHeight, hWndParent, hMenu, hInstance, lpParam arguments.
I'm still not able to verify the rest. My immediate concerns though are the UnsafeClassName and UnsafeWindowName arguments.
I'm trying to print out these values...or test out what these values hold...but can't seem to get anywhere....don't even know for sure if these are UNICODE_STRING structure vals or LPCTSTR.
Thank you sooooooo much Timo :)....
try LARGE_UNICODE_STRING
...dude you are the man :)... it worked - mostly. I was using UNICODE_STRING, which has USHORT vals, but LARGE_UNICODE_STRING did the trick :)
I can now retrieve the values for the ClassName and the WindowName parameters; however, sometimes trying to dereference these pointers - even doing a DbgPrint("%u", ClassName->Length) - will crash the entire system... the only bug check report is a STOP: 0x0000008E (0x000000C5... which means that the driver has touched a region it shouldn't have.
Certain apps throw this error for sure - e.g. IE... or even going to Start-Run
Bye for now
On Tuesday 21 Oct 2008, Timo Kreuzer wrote:
try LARGE_UNICODE_STRING http://www.reactos.org/wiki/index.php/Techwiki/win32k/LARGE_UNICODE_STRING That's what a WND stores internally.
Jeetu Golani wrote:
Anyways the parameter ordering I've deduced seems to be :
NtUserCreateWindowEx(DWORD dwExStyle, PUNICODE_STRING UnsafeClassName, PUNICODE_STRING UnsafeWindowName, DWORD dwUnknown1, DWORD dwStyle, LONG x, LONG y, LONG nWidth, LONG nHeight, HWND hWndParent, HMENU hMenu, HINSTANCE hInstance, LPVOID lpParam, DWORD dwShowMode, DWORD dwUnknown2)
This seems to be correct with regards to the dwExStyle, dwStyle, x, y, nWidth, nHeight, hWndParent, hMenu, hInstance, lpParam arguments.
I'm still not able to verify the rest. My immediate concerns though are the UnsafeClassName and UnsafeWindowName arguments.
I'm trying to print out these values...or test out what these values hold...but can't seem to get anywhere....don't even know for sure if these are UNICODE_STRING structure vals or LPCTSTR.
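An added illustration (not code from the thread or from ReactOS) of why reading these arguments as UNICODE_STRING only "mostly" worked: the two layouts put Buffer at different offsets, so a LARGE_UNICODE_STRING image viewed through the UNICODE_STRING layout yields a bogus Length/MaximumLength pair and a pointer made of the wrong bytes. The 32-bit XP layouts are modelled with fixed-width fields so the code runs on any host; the sample image, its class name and the user address 0x0012FF40 are constructed, and the plausibility check is the kind of sanity test applied to caller-supplied fields before they are trusted.

```c
#include <stdint.h>
#include <stdio.h>
/* 32-bit Windows XP layouts, modelled with fixed-width fields so this runs the same on
 * any host; Buffer is a 32-bit user-mode address, not a host pointer (constructed example). */
typedef struct {
    uint32_t length;         /* byte length of the string */
    uint32_t maximum_length; /* bytes allocated for the buffer */
    uint32_t ansi;           /* LARGE_UNICODE_STRING only: the bAnsi flag bit */
    uint32_t buffer;         /* 32-bit user address of the characters */
    int      plausible;      /* 1 if the fields pass the sanity check below */
} decoded_t;
static uint32_t rd32(const uint8_t *p) {  /* little-endian 32-bit read */
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Sanity check before trusting caller-supplied fields: even length, length
 * within the allocation, buffer outside the never-mapped first 64 KiB. */
static int plausible(uint32_t len, uint32_t max, uint32_t buf) {
    return (len % 2 == 0) && len <= max && buf >= 0x10000u;
}

/* UNICODE_STRING: USHORT Length, USHORT MaximumLength, PWSTR Buffer (8 bytes). */
decoded_t decode_as_unicode_string(const uint8_t *raw) {
    uint32_t lens = rd32(raw);
    decoded_t d = { lens & 0xFFFFu, lens >> 16, 0, rd32(raw + 4), 0 };
    d.plausible = plausible(d.length, d.maximum_length, d.buffer);
    return d;
}

/* LARGE_UNICODE_STRING: ULONG Length, ULONG MaximumLength:31, ULONG bAnsi:1,
 * PWSTR Buffer (12 bytes): Buffer lies 4 bytes further in than UNICODE_STRING's. */
decoded_t decode_as_large_unicode_string(const uint8_t *raw) {
    uint32_t packed = rd32(raw + 4);
    decoded_t d = { rd32(raw), packed & 0x7FFFFFFFu, packed >> 31, rd32(raw + 8), 0 };
    d.plausible = plausible(d.length, d.maximum_length, d.buffer);
    return d;
}

/* Constructed memory image of a LARGE_UNICODE_STRING for the class name L"Edit":
 * Length 8, MaximumLength 10, bAnsi 0, Buffer 0x0012FF40 (a made-up user address). */
const uint8_t sample_large_unicode_string[12] = {
    0x08, 0x00, 0x00, 0x00,  0x0A, 0x00, 0x00, 0x00,  0x40, 0xFF, 0x12, 0x00 };
int main(void) {
    decoded_t a = decode_as_unicode_string(sample_large_unicode_string);
    decoded_t b = decode_as_large_unicode_string(sample_large_unicode_string);
    printf("UNICODE_STRING view:       Length=%u Buffer=0x%08X plausible=%d\n", a.length, a.buffer, a.plausible);
    printf("LARGE_UNICODE_STRING view: Length=%u Buffer=0x%08X plausible=%d\n", b.length, b.buffer, b.plausible);
    return 0;
}
```

The UNICODE_STRING view reports Length 8 with MaximumLength 0 and a Buffer of 0x0000000A (the MaximumLength field), which the check rejects; the LARGE_UNICODE_STRING view recovers Length 8, MaximumLength 10 and the intended address.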
Jeetu Golani wrote:
I can now retrieve the values for the ClassName and the WindowName parameters however sometimes trying to dereference these pointers - even doing a DbgPrint("%u",ClassName->Length) will crash the entire system....
How I hate being right.
Please continue the discussion off list
Sure....nope you are not right :)....bye for now
On Thursday 23 Oct 2008, KJK::Hyperion wrote:
Jeetu Golani wrote:
I can now retrieve the values for the ClassName and the WindowName parameters however sometimes trying to dereference these pointers - even doing a DbgPrint("%u",ClassName->Length) will crash the entire system....
How I hate being right.
Please continue the discussion off list