  Message 1 of 3  
20 Apr 17 08:27
Matthew Nunes
xxxxxx@hotmail.com
Join Date: 20 Apr 2017
Posts To This List: 6
Windows Driver/Rootkit Development - function pointer - STATUS_INVALID_PARAMETER

This is quite a difficult problem to explain online, but I can't figure out what's going on and I really need help, so here goes!

Basically, I have written a piece of security software (as a kernel driver) that will eventually hook every method in the SSDT (System Service Descriptor Table) for Windows XP - 32 bit. Every time a system call is made, I log it in a file.

My issue arose when I hooked ZwOpenFile because that is a system call that MY code also makes to open the log file to write to it. So I got a kernel stack overflow error because something would call ZwOpenFile, then I would try to log it, and my logger (which is part of my driver) would then call ZwOpenFile, which would then call ZwOpenFile (to log my logger), and so on and so forth until I had filled up the stack enough to cause a blue screen of death.

In order to get around this, I decided that every time the logger function is called, it will also be supplied with a pointer to the old, unhooked ZwOpenFile function so it could call that directly rather than go through my hooked function and create a recursive mess. However, when the logger calls the ZwOpenFile function pointer that it is supplied with as a parameter, it gets a STATUS_INVALID_PARAMETER error. If ZwOpenFile is called directly (as opposed to through the pointer) it works perfectly! But when the pointer to what should be the same function with the SAME parameters is called, it throws the STATUS_INVALID_PARAMETER error code! However, the pointer must be pointing to the correct function, as otherwise it wouldn't throw this Windows error message.

Here's small and (hopefully) digestible snippets of my code to make more sense:

*mydriver.h*
    #define UNICODE
    #define _UNICODE
    #include <ntddk.h>
    #include <ntstrsafe.h>

    #define OPEN_FILE_INDEX 0x74

    NTSTATUS newZwOpenFile(
        PHANDLE FileHandle, ACCESS_MASK DesiredAccess, POBJECT_ATTRIBUTES ObjectAttributes,
        PIO_STATUS_BLOCK IoStatusBlock, ULONG ShareAccess, ULONG OpenOptions);

    typedef NTSTATUS (*ZwOpenFilePtr)(
        PHANDLE FileHandle, ACCESS_MASK DesiredAccess, POBJECT_ATTRIBUTES ObjectAttributes,
        PIO_STATUS_BLOCK IoStatusBlock, ULONG ShareAccess, ULONG OpenOptions);

*mydriver.c*
    #include "mydriver.h"
    #include "filehandling.c"

    //global definition of pointer at top of mydriver.c file
    ZwOpenFilePtr oldZwOpenFile;

    NTSTATUS DriverEntry(PDRIVER_OBJECT pDriverObject, PUNICODE_STRING pRegistryPath){
        ...
        ...
        //hooks the SSDT using the index of ZwOpenFile in the SSDT
        oldZwOpenFile = (ZwOpenFilePtr)hookSSDTWithIndex(OPEN_FILE_INDEX, (BYTE*)newZwOpenFile, (DWORD*)systemCallTable);
        ...
        ...
    }

    //inside the method body of every hooked function, there is, at some point, a call to the logger.
    //This is shown in the context of newZwOpenFile
    NTSTATUS newZwOpenFile(PHANDLE FileHandle, ACCESS_MASK DesiredAccess, POBJECT_ATTRIBUTES ObjectAttributes,
                           PIO_STATUS_BLOCK IoStatusBlock, ULONG ShareAccess, ULONG OpenOptions){
        ...
        driverWriteFile(&uFullString, &uProcess, *oldZwOpenFile);
        ...
    }

*filehandling.c*
    #include <ntstrsafe.h>
    //the logger file

    //the function doing the opening and writing
    NTSTATUS driverWriteFile(PUNICODE_STRING stringToLog, PUNICODE_STRING filename,
                             NTSTATUS (*fileOpenFunction)(PHANDLE, ACCESS_MASK, POBJECT_ATTRIBUTES, PIO_STATUS_BLOCK, ULONG, ULONG))
    {
        ...
        //the failing call that returns c000000d
        ntstatus = fileOpenFunction(&handle, FILE_APPEND_DATA, &objAttr, &ioStatusBlock,
                                    FILE_SHARE_READ | FILE_SHARE_WRITE, FILE_SYNCHRONOUS_IO_NONALERT);
        ...
    }

What's more, all the hooked functions are spewing out the c000000d error (using DbgPrint), but once or twice it does somehow succeed... Any help or suggestions would be HUGELY appreciated!
  Message 2 of 3  
20 Apr 17 11:10
Peter Scott
xxxxxx@kerneldrivers.com
Join Date: 17 Feb 2012
Posts To This List: 44
Windows Driver/Rootkit Development - function pointer - STATUS_INVALID_PARAMETER

Of course you are in an area that is no longer supported nor was it really supported back in the XP 32 days so don't expect very much positive response on this topic. But there is a myriad of things which could be happening. What I suggest is to keep it simple, just patch the SSDT entry points and call the real function directly from your patch routine, nothing extra, just a pass through routine. Get this working first and then move on to doing other work in your routine. As for your logger, you can do several things to recognize your process is calling, all pretty ugly in the end. For example, you could do some sort of name mangling that your patched routine would recognize and redirect it to the real routine with the correct name. Yes, not ideal but it does work.

Pete

--
Kernel Drivers
Windows File System and Device Driver Consulting
www.KernelDrivers.com
866.263.9295

------ Original Message ------
From: xxxxx@hotmail.com
To: "Windows System Software Devs Interest List" <xxxxx@lists.osr.com>
Sent: 4/20/2017 6:25:35 AM
Subject: [ntdev] Windows Driver/Rootkit Development - function pointer - STATUS_INVALID_PARAMETER
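The recursion described in the first post (the logger opening its log file through the very service that is hooked) and Pete's point that the hook has to recognise when its own logger is the caller, modelled as an added user-mode C simulation; this is not code from either post or from any real driver, and `hooked_open`, `real_open`, `log_call`, `STACK_LIMIT` and the log path are constructed stand-ins. The single `in_logger` flag is adequate only because the simulation is single-threaded; a real driver would need a per-thread flag.

```c
#include <stdio.h>
#define STACK_LIMIT 64  /* stands in for the kernel stack; going past it is the post's blue screen */
typedef int (*open_fn)(const char *path);
static int real_open_calls, log_entries, max_depth, depth;
static int guard_enabled;  /* 1 = use the re-entrancy flag, 0 = behave like the post's first attempt */
static int in_logger;      /* set while the logger runs; must be a per-thread flag in a real driver */
/* Constructed stand-in for the unhooked service, i.e. what the hook installer handed back. */
static int real_open(const char *path) {
    (void)path;
    real_open_calls++;
    return 0;
}
static open_fn original_open = real_open;
static int hooked_open(const char *path);

/* The logger opens its log file through the very service that is hooked. */
static void log_call(const char *path) {
    (void)path;
    if (guard_enabled && in_logger) return;  /* our own open is in progress: do not log the logger */
    in_logger = 1;
    hooked_open("\\??\\C:\\hooklog.txt");    /* constructed log path; this call goes through the hook */
    log_entries++;
    in_logger = 0;
}

/* The hook: log the call, then forward to the original routine through the saved pointer. */
static int hooked_open(const char *path) {
    if (++depth > max_depth) max_depth = depth;
    if (depth > STACK_LIMIT) { depth--; return -1; }  /* unbounded recursion: stack exhausted */
    log_call(path);
    int rc = original_open(path);
    depth--;
    return rc;
}

/* Push n incoming calls through the hook and report the deepest nesting reached. */
int run_simulation(int n, int guarded) {
    guard_enabled = guarded;
    real_open_calls = log_entries = max_depth = depth = in_logger = 0;
    for (int i = 0; i < n; i++) hooked_open("\\??\\C:\\some\\file.txt");
    return max_depth;
}
int logged_calls(void) { return log_entries; }
int real_calls(void) { return real_open_calls; }

int main(void) {
    int unguarded = run_simulation(3, 0);
    printf("no guard: nesting reached %d (limit %d)\n", unguarded, STACK_LIMIT);
    int guarded = run_simulation(3, 1);
    printf("guard:    nesting %d, %d calls logged, %d real opens\n", guarded, logged_calls(), real_calls());
    return 0;
}
```

Without the guard every incoming call nests until the simulated stack limit is hit; with it, each incoming call nests exactly one level (the logger's own open) and the original routine is reached twice per call, once for the log file and once for the caller's file.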
  Message 3 of 3  
20 Apr 17 11:23
Matthew Nunes
xxxxxx@hotmail.com
Join Date: 20 Apr 2017
Posts To This List: 6
Windows Driver/Rootkit Development - function pointer - STATUS_INVALID_PARAMETER

What I'm currently doing in each hooked function is very simple. I just log that the function was called and which process it was called by and then call the original function. I don't understand what you mean by "name mangling"; could you provide a more concrete example? How do I recognise that my code is calling the logger (or vice versa)? My code (including the logger) is running as a driver, so the process making the call will surely appear as svchost.exe.