Hello,
Many Zw* functions that work with files (such as ZwCreateFile) need to be called at PASSIVE_LEVEL with APCs enabled: http://msdn.microsoft.com/en-us/library/ff566424%28VS.85%29.aspx. This is because, internally, I/O operations are asynchronous and the completion of an operation is delivered through an APC (correct me if I'm wro...
Hi
The book "Rootkit Arsenal", page 84 (Chapter 3), mentions:
..., we can view the contents of the
target machine's descriptor registers
using the command with the 0x100 mask:
kd> rM 0x100
and a paragraph below:
Note that the same task can be
accomplished by specifying the GDTR
components explicitly: kd> r gdtr ....
...
Is there any way to do "insmod" and "rmmod" from C/C++ code? Other than running system(...), is there a kernel API that will allow me to do this?
...
Now I know that developing an app that goes into kernel space should be avoided - it's hard to debug, complex, etc....
With that off the table, what are some advantages to moving an app from user space to the kernel? After all, if there were no plus sides it would never be done... what are some?
...
I will use the Linux NTFS driver as an example.
The Linux kernel NTFS driver only has very limited write support in the kernel, and after 5 years it is still considered experimental.
The same development team creates the ntfsmount userspace driver, which has almost perfect write support.
Likewise, the NTFS-3G project which is written ...
In ARM Linux, the user-kernel virtual address range is divided in the ratio 3:1.
But in MIPS Linux, this is usually 2:2.
Does someone know what motivates this design difference?
I have a faint idea that this has something to do with the fact that in MIPS, the TLB refill is managed in s/w and the kernel TLB entries are kind of hard...
Hi, how does most antivirus software block file system I/O in case of an infected file? I suppose all the magic resides in some custom kext to do that. Can anyone point me to some topics on this? Some working example would also be great. I've read Apple's docs about kext development, but mostly it's all about hardware drivers and I could n...
Hi, I successfully called the exit syscall from assembly but I'm struggling to call the _getpid syscall and use its return value. Here is the code I'm using
.text
.globl _getpiddirect
_getpiddirect:
pushl %ebp              # set up a standard stack frame
movl %esp, %ebp
subl $8, %esp           # reserve 8 bytes of local stack space
movl $39, %eax          # system call number goes in %eax
int $0x80               # enter the kernel; result is returned in %eax
addl $8, %esp           # release the reserved stack space
popl %ebp               # tear down the frame and return %eax to the C caller
ret
and
#inc...
I have a Linux kernel module that needs to find the speed of a given network interface (i.e. "eth0"). For Linux 2.6.31, how would I find the speed (configured/negotiated)?
...
Is there a way to trace through function calls at the lowest levels of the Android system? Right now when I debug in Eclipse, it goes through the source files that are located inside the frameworks folder, but is it possible to go even lower? For example show what functions are being called from the libcore folder. I am also interested t...
I want to know what the standard way is for writing a simple kernel to be compiled with NASM.
To make it clearer:
I was able to define the code block with all the following ways:
[segment code]
[segment .code]
segment code
segment .code
[section code]
[section .code]
section code
section .code
I need to know what is the standard way ...
Hello,
in many cases callbacks registered by a mini-filter (pre/post operations) are called at PASSIVE_LEVEL. In case the pre-callback decides that it needs to do some work after the completion of some operation, it will ask the filter manager to call the post-callback for that operation.
The documentation states that if the pre-callba...
It used to be the case that if you needed to make a system call directly in Linux without the use of an existing library, you could just include <linux/unistd.h> and it would define a macro similar to this:
#define _syscall3(type,name,type1,arg1,type2,arg2,type3,arg3) \
type name(type1 arg1,type2 arg2,type3 arg3) \
{ \
long __res; \
__a...
The Linux kernel is non-preemptive, but I just read that there could be context switches in different control paths. Doesn't that contradict the non-preemptive nature of the Linux kernel?
...
Hi All,
I wrote a kernel module and a user program that opens it in O_RDWR mode.
In the module_permission function I get an int op parameter,
and I would like to know if its value is the same as O_RDWR, or whether the open system call changes it to another known value, and if so where I can find it..
Thanks a lot..
...
I'm working on a kernel module and I'm trying to uniquely identify each one of the users trying to open() the module (can be either processes or threads).
What is the best way to identify them? Is there an ID I can get from a system call?
I wish to get all users in a list that specifies whether they're trying to open the module for rea...
Hi,
I want to install kernel-package with this command
sudo apt-get install kernel-package
but it gives me the error:
Package kernel-package has no installation candidate
How can I solve this?
P.S.: I am using Ubuntu 2.6
...
I am gathering some information regarding kernel DLL functions, and I found this function called CopyLZFileName/CreateLZFileName and some other functions related to this LZ. I googled for it, but I can't find a proper source for it. From the name I guess it copies/creates a file, but I am not sure what kind of file. Does LZ mean something to ...
I am doing a small analysis of file functions in the kernel DLL. I noticed this function called
DosPathToSessionPath. I googled for it, but there is not much documentation about it. Can anybody tell me what the use of this function is?
...
Hi, in spite of having so many efficient data structures, why is only the linked list used
so heavily in systems programming? Is it because it allows the least heap usage / less buggy code?
Regards,
Pwn
...