OSR Online Lists > ntdev
  Message 1 of 14  
26 Jan 04 09:47
ntdev member 14582
xxxxxx@gmxpro.net
Join Date:
Posts To This List: 174
NtCreateSection() - relation between parent and child process

Hi again,

Another question came to my mind. I hooked NtCreateSection() (as was suggested by the guys from www.sysinternals.com back in 1997) right below the frontier from user mode to kernel mode (changed the SDT entry). Since currently my driver produces some debug output, I see a query of the section for the child process each second or so, obviously coming from the parent process. How is that? What does it mean? Could it be that this is how the parent determines whether the child process is still active (one of the infamous Wait* functions maybe?!).

Does anyone have some details on that?

Oliver
  Message 2 of 14  
26 Jan 04 09:51
Don Burn
xxxxxx@acm.org
Join Date:
Posts To This List: 3179
NtCreateSection() - relation between parent and child process

The whole concept of hooking is a BAD IDEA. Hopefully this is for a driver for your testing only; commercial software with this is a PIECE OF SHIT.

Don Burn (MVP, Windows DDK)
Windows 2k/XP/2k3 Filesystem and Driver Consulting
  Message 3 of 14  
26 Jan 04 09:59
ntdev member 14582
xxxxxx@gmxpro.net
Join Date:
Posts To This List: 174
NtCreateSection() - relation between parent and child process

Hi Don,

it's not only for testing, but it will definitely not be commercial ;) I also see some drawbacks with hooking: imagine one driver hooks some system service. Another driver does so, too. Then the first driver is unloaded. The second driver will still point to the function address of the first one.

But besides all cursing, do you have any idea on that?

The idea is to block execution of processes in the system. The means the GPO provides for this purpose are lame, i.e. you can define a file name but not a path. Imagine you restrict execution of setup.exe ... this will be systemwide, no matter in which path the module is located. There's already a free product for this: Trust-no-Exe (they basically do the same as I do) - but it has some minor drawbacks I'd like to overcome.

Oliver
  Message 4 of 14  
26 Jan 04 10:11
Don Burn
xxxxxx@acm.org
Join Date:
Posts To This List: 3179
NtCreateSection() - relation between parent and child process

Fine, use PsSetLoadImageNotifyRoutine; this will do exactly what you are trying to do with hooking NtCreateSection, and it is documented. While it is not documented, if you terminate the calling thread of this routine, you terminate the process cleanly. As far as the user account goes, you are going to have to have a user piece if you want anything more than the SID.

Don Burn (MVP, Windows DDK)
Windows 2k/XP/2k3 Filesystem and Driver Consulting
  Message 5 of 14  
26 Jan 04 11:06
ntdev member 14582
xxxxxx@gmxpro.net
Join Date:
Posts To This List: 174
NtCreateSection() - relation between parent and child process

Wait, I was aware of this function PsSetLoadImageNotifyRoutine(), but it is invoked sometime AFTER the process runs, or not? This is how I understood it. The alternative sounds much better indeed. Will try it out.

Thanks for the help,

Oliver
  Message 6 of 14  
26 Jan 04 11:22
Maxim S. Shatskih
xxxxxx@storagecraft.com
Join Date: 20 Feb 2003
Posts To This List: 10396
NtCreateSection() - relation between parent and child process

No. It is invoked from MmCreateProcessAddressSpace when the EXE is mapped to the process; this is inside NtCreateProcess.

Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
xxxxx@storagecraft.com
http://www.storagecraft.com
  Message 7 of 14  
26 Jan 04 11:35
ntdev member 14582
xxxxxx@gmxpro.net
Join Date:
Posts To This List: 174
NtCreateSection() - relation between parent and child process

Aha, so it only gets invoked when NtCreateProcess() (the system service) is used?! That's bad. There are nice examples on how to create a process without this system service.

Thanks for the information.

@Don: Seems I have to fall back to the hooking method. Although it's not nice, I am sure it will work since I am the admin on the machines where it is to be used ;)

Oliver
  Message 8 of 14  
26 Jan 04 11:47
Don Burn
xxxxxx@acm.org
Join Date:
Posts To This List: 3179
NtCreateSection() - relation between parent and child process

NO, the PsSetLoadImageNotifyRoutine is always invoked.

Don Burn (MVP, Windows DDK)
Windows 2k/XP/2k3 Filesystem and Driver Consulting
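The path-based execution policy Oliver describes in Message 3, evaluated the way a PsSetLoadImageNotifyRoutine callback (Messages 4 and 8) would evaluate the image name it is handed, as an added example that is not code from this thread: portable C for the decision logic only, with the rule kinds, sample NT device paths and function names constructed for the example. It assumes the driver has already copied the callback's counted FullImageName (a PUNICODE_STRING, not NUL-terminated) into a NUL-terminated buffer and applies the check only to the process's main executable image, since the callback also fires for every DLL.

```c
#include <stddef.h>
#include <stdio.h>
#include <wchar.h>
#include <wctype.h>

/* Hypothetical rule kinds for this example.  RULE_BY_NAME is the GPO-style
 * restriction Oliver describes (file name only, any directory); the other two
 * use the full NT device path, e.g. \Device\HarddiskVolume1\Temp\setup.exe. */
typedef enum { RULE_BY_NAME, RULE_BY_PATH_PREFIX, RULE_BY_FULL_PATH } RuleKind;

typedef struct {
    RuleKind       kind;
    const wchar_t *pattern;
} ExecRule;

/* NT paths are case-insensitive, so every comparison folds case. */
static int wcs_ieq_n(const wchar_t *a, const wchar_t *b, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        if (towlower((wint_t)a[i]) != towlower((wint_t)b[i]))
            return 0;
        if (a[i] == L'\0')      /* both strings ended early, still equal */
            return 1;
    }
    return 1;
}

/* Component after the last backslash, or the whole string if there is none. */
static const wchar_t *base_name(const wchar_t *path)
{
    const wchar_t *sep = wcsrchr(path, L'\\');
    return sep ? sep + 1 : path;
}

static int rule_matches(const ExecRule *r, const wchar_t *image)
{
    size_t plen = wcslen(r->pattern);
    size_t ilen = wcslen(image);
    switch (r->kind) {
    case RULE_BY_NAME: {
        const wchar_t *name = base_name(image);
        return wcslen(name) == plen && wcs_ieq_n(name, r->pattern, plen);
    }
    case RULE_BY_FULL_PATH:
        return ilen == plen && wcs_ieq_n(image, r->pattern, plen);
    case RULE_BY_PATH_PREFIX:
        /* The prefix must end on a component boundary, otherwise
         * ...\Temp would also cover ...\Temporary\setup.exe. */
        if (ilen <= plen || !wcs_ieq_n(image, r->pattern, plen))
            return 0;
        return r->pattern[plen - 1] == L'\\' || image[plen] == L'\\';
    }
    return 0;
}

/* The decision a load-image notify routine would make for a process's main
 * image once FullImageName sits in a NUL-terminated buffer:
 * non-zero means deny execution. */
int should_block_image(const ExecRule *rules, size_t nrules, const wchar_t *image)
{
    for (size_t i = 0; i < nrules; i++)
        if (rule_matches(&rules[i], image))
            return 1;
    return 0;
}

/* Constructed sample policies: the GPO-style one and a path-aware one. */
static const ExecRule g_name_only_policy[] = {
    { RULE_BY_NAME, L"setup.exe" },
};
static const ExecRule g_path_policy[] = {
    { RULE_BY_PATH_PREFIX, L"\\Device\\HarddiskVolume1\\Temp" },
    { RULE_BY_FULL_PATH,
      L"\\Device\\HarddiskVolume1\\Users\\Public\\Downloads\\installer.exe" },
};

int blocked_by_name_policy(const wchar_t *image) { return should_block_image(g_name_only_policy, 1, image); }

int blocked_by_path_policy(const wchar_t *image) { return should_block_image(g_path_policy, 2, image); }

int main(void)
{
    static const wchar_t *const samples[] = {
        L"\\Device\\HarddiskVolume1\\Temp\\setup.exe",
        L"\\Device\\HarddiskVolume1\\Program Files\\Vendor\\SETUP.EXE",
        L"\\Device\\HarddiskVolume1\\Temporary\\setup.exe",
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("name-only=%d path-aware=%d  %ls\n", blocked_by_name_policy(samples[i]),
               blocked_by_path_policy(samples[i]), samples[i]);
    return 0;
}
```

The name-only policy denies every setup.exe on the machine, which is the GPO behaviour Oliver objects to, while the path-aware policy denies only the copy under \Temp and leaves the vendor's installer alone.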
  Message 9 of 14  
27 Jan 04 11:06
ntdev member 2083
xxxxxx@compuware.com
Join Date:
Posts To This List: 1036
NtCreateSection() - relation between parent and child process

We hook all sorts of things all the time, and we don't have any problems. And our software is very much commercial grade, and no, it isn't a piece of shit!

Point being: do the job right, and hooking is invisible.

Alberto.
  Message 10 of 14  
27 Jan 04 11:18
ntdev member 14079
xxxxxx@3Dlabs.com
Join Date:
Posts To This List: 481
NtCreateSection() - relation between parent and child process

Ok, so I understand fully that a debugger must do these things (or at least, if you want a complete debugging tool, e.g., SoftICE, you must do this, unless you can convince MS to have an undocumented (or documented) way of officially "hooking" system calls). I just wonder how you deal with competing "hookers" (no pun intended) that may have got there before you, and potentially get unloaded at a later stage, which means that your "old hook" pointer is now pointing into dead space in memory? Obviously, I can understand that the answer is a "company secret", and if it is, can you just explain as much as possible about it, without revealing the "secret" bits?

I'm just curious, rather than having any specific use for this. In fact, I haven't "hooked" anything since I left off the Atari ST that used to be my home computer many years ago. At that time, hooking into the OS was just about the only way to do things if you didn't have "public" support for it.

-- Mats
  Message 11 of 14  
27 Jan 04 11:18
Don Burn
xxxxxx@acm.org
Join Date:
Posts To This List: 3179
NtCreateSection() - relation between parent and child process

Sorry, hooking is never invisible since you cannot tell who is going to layer on next, or who got there before you. Yes, in the case of SoftIce, since you are present at all times, this may not be a problem, but having been bitten by products that think they can hook with impunity, and then fail when the world changes, I will repeat my comment that this is a BAD IDEA. More importantly, if you really need to do this for a general purpose driver, you should at least make the effort to see if there is another approach that will work, or ask Microsoft for a long term solution.

Don Burn (MVP, Windows DDK)
Windows 2k/XP/2k3 Filesystem and Driver Consulting
  Message 12 of 14  
27 Jan 04 11:22
Prokash Sinha
xxxxxx@garlic.com
Join Date: 23 Feb 2000
Posts To This List: 1065
NtCreateSection() - relation between parent and child process

Sounds like this week we will have some very strong exchanges of email!!! For a while it was quiet. To the best of my knowledge, the pattern is discrete-state continuous-time Brownian motion :-). So waiting for a peak!

--prokash
  Message 13 of 14  
27 Jan 04 11:28
ntdev member 2083
xxxxxx@compuware.com
Join Date:
Posts To This List: 1036
NtCreateSection() - relation between parent and child process

We hook with BoundsChecker, TrueTime, TrueCoverage, and we can run software in production mode while hooked by those products; that's what they're designed for. When I was at Number Nine we hooked the GDI extensively, and we got lots of press awards for our product. In fact sometimes we went as far as rewriting substantial portions of the GDI for speed, and we were never known for instability or for low quality. And if a product thinks they can hook and they cannot, that's because they didn't do their job right. And no, why should I involve Microsoft? It should be exactly the other way around: give me a strong, stable, well documented API, with no surprises, get out of the way, and hooking shouldn't be any problem whatsoever.

Alberto.
  Message 14 of 14  
27 Jan 04 11:38
ntdev member 2083
xxxxxx@compuware.com
Join Date:
Posts To This List: 1036
NtCreateSection() - relation between parent and child process

We extensively hooked the GDI when I was at Number Nine, and we never had any stability issues. But for example, I want to collect timing statistics of a live system: I turn on TrueTime, it hooks the world and a half, yet things go on. I want to check coverage on a live system, so I turn on TrueCoverage, it hooks just about everything under the sun, things go on normally. I want to profile memory allocation and deallocation patterns, so I hook the memory alloc/dealloc functions and collect data for future data reduction. I want to perform a live measurement of my OpenGL or Direct3D frame rate, so I hook SwapBuffers and I compute the frame rate inside that hook, and I then access physical video memory to optionally superimpose a frame rate gauge on the current screen. I want to measure how many times I call glBegin/glEnd, and I want to split the number of calls according to which polygon I'm drawing. I want to time a bitblt according to which ROP it invokes. I want to trap that elusive problem that happens every night around 3 in the morning, so I turn on BoundsChecker on the live system, and bingo, I get my event recorded and data I can analyze, and, if that hook generates an Int 3, I can write my own Int 3 driver - hook Int 3, that is - and grab information on the fly. And so on, there's more to hooking than single-stepping through a debugger.

Alberto.