Re: Re:How To Suspend Thread In Kernel?

From: "Scherbina Vladimir" <vladimir.scherbina@xxxxxxxxxxxx>
Date: Sat, 25 Mar 2006 13:19:17 +0200

Anton,

I can support you that many tricks are still popular in AV software, they
use a lot of undocumented and OS related features.

You gave the right answer that "everything depends on the situation". If one
has installed for example a rootkit that hooks somthing in SDT then most
likely solution of this problem will be something connected with
undocumented and not safe code.

--
Vladimir
http://spaces.msn.com/vladimir-scherbina/

"anton bassov" <xxx@xxxxxxx> wrote in message
news:98f82911930445baa4543c91369047b8@xxxxxxxxxxxxxx

Hi mate

I can both agree and disagree with you - everything depends on the
situation.
You should clearly realize that ABSOLUTELY ALL (!!!) functions that have
their addresses saved in the Service Dispatch Table are called ONLY (!!!)
by
the kernel-mode code - don't forget that the System Service Dispatcher is
kernel-mode routine.Therefore, ZwSuspendThread()'s actual implementation
gets called from the kernel mode by the system, which means that the very
fact that the system is in the kernel mode when the call is made does not
pose any problem.

However, I can agree with you that, once such tricks are not supported,
you
should think twice before doing something like that. I DEFINITELY would
not
even think about doing something like that to any thread that does not
have
user-mode representation - this is what I said from the very,very
beginning.

Regards

Anton Bassov

Follow-Ups:
- Re: Re:How To Suspend Thread In Kernel?
  - From: anton bassov

References:
- Re: Re:How To Suspend Thread In Kernel?
  - From: Doron Holan [MS]
- Re: Re:How To Suspend Thread In Kernel?
  - From: anton bassov

Prev by Date: Re: Re:How To Suspend Thread In Kernel?
Next by Date: Re: Re:How to find the system time in milliseconds???
Previous by thread: Re: Re:How To Suspend Thread In Kernel?
Next by thread: Re: Re:How To Suspend Thread In Kernel?
Index(es):
- Date
- Thread

Relevant Pages

Re: Find all open handles (Mutex, File, Key etc)
... because it needs to run in kernel mode? ... NtQuerySystemInformation or a proper API for this in future? ... Microsoft Online Community Support ... where an initial response from the community or a Microsoft Support ...
(microsoft.public.win32.programmer.kernel)
Re: Allocating and accessing physically contiguous memory in user mode in WinCE 6.0 Beta
... usb support, no filesystem support, no network driver support, etc. ... Those are in Kernel mode for performance reasons. ... HalAllocCommonBufferfrom user mode code in CE V6.0 since the security ... of Embedded systems out there that used to party on the hardware with out ...
(microsoft.public.windowsce.platbuilder)
Re: help with open boot prompt
... The Lastest Solaris release that will run on the SS10 is Solaris 9. ... Dropping support for sun4m reduces the amount of code that has to be ... can drop support for 32 bit kernel mode for more savings. ...
(comp.sys.sun.hardware)
Re: Re:How To Suspend Thread In Kernel?
... I can both agree and disagree with you - everything depends on the situation. ... their addresses saved in the Service Dispatch Table are called ONLY by ... gets called from the kernel mode by the system, ... user-mode representation - this is what I said from the very,very beginning. ...
(microsoft.public.win32.programmer.kernel)
Re: help with open boot prompt
... The Lastest Solaris release that will run on the SS10 is Solaris 9. ... Dropping support for sun4m reduces the amount of code that has to be ... can drop support for 32 bit kernel mode for more savings. ...
(comp.sys.sun.hardware)