Hi schmidthouse,
See some comments on the code used starting from C : \ E n u m I n j e c t R e q u e s t c r a s h , C : \ S e s s i o n G o n e c r a s h, C : \ P r o c e s s G o n e c r a s h, C : \ D e s k t o p \ I o c t l c r a s h - accessibility identifiers to all the elements: pViewOfSection ZwCreateSection routine creates a section object. driver - ZwCreateFile ZwWriteFile - there is ExAllocatePoolXXX function set to allocate memory from the system pools and ExFreePool to release. ..... are zero terminated ->V ExFreePool _stricmp -declaration of _SYSTEM_PROCESSES structure ( System Information Class 5 ) with ZwQuerySystemInformation works fine for this purpose to construct process tree -> ZwQuerySystemInformation - write user mem from driver -PEPROCESS)process,&ApcStAte) write user memory from driver -KeStackAttachProcess -
this has a strange kernel-mode bug ->PsLookupProcessByProcessId -
POSIX functions are deprecated. Use the ISO C++ conformant _stricmp instead for wcsicmp - depending on an undocumented function as ZwQueryInformationProcess API available in NTDLL.dll -- ObfDereferenceObject decrements the given object's reference count and performs retention checks - KeUnstackDetachProcess detaches the current thread from the address space of a process and restores the previous attach state -- ObOpenObjectByPointer function opens an object referenced by a pointer and returns a handle to the object, this is minifiltering -- memmove moves block of memory- ZwQueryInformationToken - ZwAllocateVirtualMemory - ZwQueryInformationFile -
wcscat, function is deprecated because more secure versions are available - - KeInitializeMutex mutex on a struct for a kernel device driver -
should be tested with
https://www.reactos.org/archives/public/ros-diffs/2012-September/047083.html (source tfaber)- KeWaitForSingleObject, the thread calls KeWaitForSingleObject with a pointer to the timer object, which puts the thread into a wait state - KeReleaseMutex KeReleaseMutex routine releases a mutex object, and specifies whether the caller is to call one of the KeWaitXxx routines for certain wait reasons - _wcslwr depreceated used to cleanup the /lib directory- RtlCompareMemory routine compares two blocks of memory and returns thenumber of bytes that match-RtlUnwind will initiate an unwind of procedure call frames -ntoskrnl.exe is the OS kernel image, provides and segments kernel space, and manages services such as hardware virtualization, memory management, and process scheduling
. This is a short oversight, and possible weak points are set out in bold,
enjoy,
Damian
