21 Oct
2008
21 Oct
'08
10:39 a.m.
Hi there,
I've been snooping into the internals of Win XP and have setup a win32sys SDT
hook on the NtUserCreateWindowEx function.
I'd written sometime back to the list stating that the x,y,nWidth and nHeight
parameters were showing values I couldn't understand - negative values et al.
Since then I realized that this had to do with the fact that the parameter
positions in the prototype I was using seemed to be in a different order
(discovered a window.c file from this project on koders.com and was using
this prototype). I think this could possibly be because maybe the ros team
has been looking at a version of windows that isn't XP (possible??)..dunno
Anyways the parameter ordering I've deduced seems to be :
NtUserCreateWindowEx(DWORD dwExStyle,PUNICODE_STRING
UnsafeClassName,PUNICODE_STRING UnsafeWindowName,DWORD dwUnknown1,DWORD
dwStyle,LONG x, LONG y,LONG nWidth, LONG nHeight,HWND
hWndParent,HMENU,hMenu,HINSTANCE hInstance,LPVOID lpParam,DWORD
dwShowMode,DWORD dwUnknown2)
This seems to be correct with regards the
dwExStyle,dwStyle,x,y,nWidth,nHeight,hWndParent.hMenu,hInstance,lpParam
arguments.
I'm still not able to verify the rest. My immediate concern though are the
UnsafeClassName and UnsafeWindowName arguments.
I'm trying to print out these values...or test out what these values
hold...but can't seem to get anywhere....don't even know for sure if these
are UNICODE_STRING structure vals or LPCTSTR.
I'd like to be able to retrieve/interpret the ClassName and
WindowName......any help would be appreciated.
Bye for now
12:28 p.m.
Hello
no, we won't help you with your rootkit. Go ask somewhere else
_______________________________________________
Well quite presumptous and surprising - please do not forget that reactos
itself can be possibly looked down upon by some ppl (microsoft?)
Just to clarify I am trying to hook into the SDT therefore it could possibly
qualify as a rootkit - but there are two sides to every coin or should I say
rootkit :)....this is chiefly to understand Windows internals and see how far
i can push things.
Anyways I'm sorry if I've offended the sentimentalities of the ppl on this
list in any manner.
Bye for now
On Tuesday 21 Oct 2008, KJK::Hyperion wrote:
> Jeetu Golani wrote:
> > I've been snooping into the internals of Win XP and have setup a win32sys
> > SDT hook on the NtUserCreateWindowEx function.
no, we won't help you with your rootkit. Go ask somewhere else
_______________________________________________
> Ros-dev mailing list
> Ros-dev(a)reactos.org
> http://www.reactos.org/mailman/listinfo/ros-dev
2:47 p.m.
try LARGE_UNICODE_STRING
http://www.reactos.org/wiki/index.php/Techwiki/win32k/LARGE_UNICODE_STRING
That's what a WND stores internally.
Jeetu Golani schrieb:
Anyways the parameter ordering I've deduced seems
to be :
NtUserCreateWindowEx(DWORD dwExStyle,PUNICODE_STRING
UnsafeClassName,PUNICODE_STRING UnsafeWindowName,DWORD dwUnknown1,DWORD
dwStyle,LONG x, LONG y,LONG nWidth, LONG nHeight,HWND
hWndParent,HMENU,hMenu,HINSTANCE hInstance,LPVOID lpParam,DWORD
dwShowMode,DWORD dwUnknown2)
This seems to be correct with regards the
dwExStyle,dwStyle,x,y,nWidth,nHeight,hWndParent.hMenu,hInstance,lpParam
arguments.
I'm still not able to verify the rest. My immediate concern though are the
UnsafeClassName and UnsafeWindowName arguments.
I'm trying to print out these values...or test out what these values
hold...but can't seem to get anywhere....don't even know for sure if these
are UNICODE_STRING structure vals or LPCTSTR.
22 Oct
22 Oct
7:54 p.m.
Thank you sooooooo much Timo :)....
try LARGE_UNICODE_STRING
...dude you are the man :)....it worked - mostly. I was using UNICODE_STRING
which has USHORT vals but the LARGE_UNICODE_STRUCT did the trick :)
I can now retrieve the values for the ClassName and the WindowName parameters
however sometimes trying to dereference these pointers - even doing a
DbgPrint("%u",ClassName->Length) will crash the entire system....the only bug
check report is a STOP: 0x0000008E (0x000000C5... which means that the driver
has touched a region it shouldn't have.
Certain apps throw this error for sure - for e.g. IE...or even going to
Start-Run
Bye for now
On Tuesday 21 Oct 2008, Timo Kreuzer wrote:
try LARGE_UNICODE_STRING
>
http://www.reactos.org/wiki/index.php/Techwiki/win32k/LARGE_UNICODE_STRING
> That's what a WND stores internally.
>
> Jeetu Golani schrieb:
> > Anyways the parameter ordering I've deduced seems to be :
> >
> > NtUserCreateWindowEx(DWORD dwExStyle,PUNICODE_STRING
> > UnsafeClassName,PUNICODE_STRING UnsafeWindowName,DWORD dwUnknown1,DWORD
> > dwStyle,LONG x, LONG y,LONG nWidth, LONG nHeight,HWND
> > hWndParent,HMENU,hMenu,HINSTANCE hInstance,LPVOID lpParam,DWORD
> > dwShowMode,DWORD dwUnknown2)
> >
> > This seems to be correct with regards the
> > dwExStyle,dwStyle,x,y,nWidth,nHeight,hWndParent.hMenu,hInstance,lpParam
> > arguments.
> >
> > I'm still not able to verify the rest. My immediate concern though are
> > the UnsafeClassName and UnsafeWindowName arguments.
> >
> > I'm trying to print out these values...or test out what these values
> > hold...but can't seem to get anywhere....don't even know for sure if
> > these are UNICODE_STRING structure vals or LPCTSTR.
8:01 p.m.
Jeetu Golani wrote:
I can now retrieve the values for the ClassName and
the WindowName parameters
however sometimes trying to dereference these pointers - even doing a
DbgPrint("%u",ClassName->Length) will crash the entire system....
How I hate being right.
Please continue the discussion off list
23 Oct
23 Oct
12:37 a.m.
How I hate being right.
Please continue the discussion off list
Sure....nope you are not right :)....bye for now
On Thursday 23 Oct 2008, KJK::Hyperion wrote:
> Jeetu Golani wrote:
> > I can now retrieve the values for the ClassName and the WindowName
> > parameters however sometimes trying to dereference these pointers - even
> > doing a DbgPrint("%u",ClassName->Length) will crash the entire
system....
>
How I hate being right.
Please continue the discussion off list
>
_______________________________________________
> Ros-dev mailing list
> Ros-dev(a)reactos.org
> http://www.reactos.org/mailman/listinfo/ros-dev
5819
days inactive
5821
days old
6 comments
3 participants
participants (3)
-
Jeetu Golani -
KJK::Hyperion -
Timo Kreuzer