App verifier, HOOK, shim and how wince works
- From: Vincent RICHOMME <richom.v@xxxxxxx>
- Date: Fri, 10 Nov 2006 22:29:31 +0100
Hi,
For a few months I have been doing low-level programming (while I am usually a high-level programmer (C++)), and at first I thought I would die, but now I find it almost interesting. The deeper I go inside the kernel, the more I learn; however, I have some questions.
What I wanted to do first was to hook system calls. I have managed (thanks to source code found on forums) to hook some functions like CreateFile, RegCreateKeyEx, ...
From what I have understood, every time a user application calls a system function like CreateFile, an exception is thrown. For instance, when I look at CreateFile in coredll.dll, I can see this:
STMFD SP!, {R4-R11,LR}
SUB SP, SP, #0x10
MOV R9, R3
MOV R10, R2
MOV R11, R1
MOV R8, R0
MOVL LR, 0xFFFFC800
LDR LR, [LR]
LDR LR, [LR,#-0x14]
TST LR, #1
BEQ loc_0_10021060
....
LDR R4, =0xF000AFDC
The interesting part is, on one hand, 0xFFFFC800, because this memory address corresponds to the address where the kernel is loaded on the ARM platform, and on the other hand 0xF000AFDC, because this corresponds to an exception and the kernel knows it corresponds to a system call.
With these two values and knowledge of the kernel data structures, it should be possible to hook functions.
What I don't understand is:
1) When an application does a syscall, let's say CreateFile, is coredll loaded in the memory space of the application, or is it shared?
I suppose there is only one instance of coredll, so in which process is coredll loaded? NK.exe?
2) When I use Remote Process Viewer I can see that some processes load coredll.dll.040c.mui. What does that mean?
3) Some syscalls (the ones I can hook) are located inside services; in the kernel structure, SystemAPISets[ApiSet]->pServer->hProc holds the process handle. For instance, CreateFile is implemented inside filesys.exe, but how can I hook syscalls when pServer is NULL?
4) It seems MS provides a tool called Application Verifier that is used to debug and track memory leaks. It works in kernel userland. On MSDN they explain that we can develop our own DLL (called a shim) to intercept any syscall we want; however, it seems to work only per application. What if I want to intercept some syscalls from ALL the applications?
5) Would it be possible to use Detours patching on coredll?
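The post above notices that coredll's CreateFile stub loads the magic address 0xF000AFDC and that the kernel turns the resulting fault into an API call. The following is an added example (not from the poster or from Microsoft's code) showing how such a trap address is decoded into an API-set index and a method index. The layout constants (FIRST_METHOD = 0xF0010000, four bytes per method slot, method index in the low 8 bits, API set in the bits above, and a trap region starting at 0xF0000000) and the set names in the small table are taken from my recollection of the public Windows CE 5.0 kernel headers and should be treated as assumptions to verify against the headers of your own platform build. Decoding 0xF000AFDC with these constants yields set 20, method 9, which is consistent with the poster's own observation that CreateFile is served by filesys.exe.

```c
#include <stdint.h>
#include <stdio.h>

/* Trap-address layout of a Windows CE API call. These values are assumed
 * from the CE 5.0 public kernel headers; check them against your platform. */
#define FIRST_METHOD   0xF0010000u   /* API set 0, method 0 */
#define TRAP_BASE      0xF0000000u   /* lowest address of the trap region */
#define APICALL_SCALE  4u            /* bytes per method slot */
#define APISET_SHIFT   8
#define METHOD_MASK    0xFFu

/* A few well-known system API set numbers (assumed from CE 5.0 headers). */
static const struct { unsigned id; const char *name; } kKnownSets[] = {
    { 0,  "SH_WIN32" },
    { 1,  "SH_CURTHREAD" },
    { 2,  "SH_CURPROC" },
    { 3,  "SH_KWIN32" },
    { 20, "SH_FILESYS_APIS" },   /* filesys.exe, where the poster found CreateFile */
};

/* Returns 1 if addr lies in the trap region and is a valid method slot. */
int is_trap_address(uint32_t addr)
{
    if (addr > FIRST_METHOD || addr < TRAP_BASE)
        return 0;
    return ((FIRST_METHOD - addr) % APICALL_SCALE) == 0;
}

/* Combined (apiset << APISET_SHIFT | method) index, or -1 if not a trap address. */
static int trap_index(uint32_t addr)
{
    if (!is_trap_address(addr))
        return -1;
    return (int)((FIRST_METHOD - addr) / APICALL_SCALE);
}

/* API set number encoded in the trap address, or -1 if invalid. */
int trap_apiset(uint32_t addr)
{
    int idx = trap_index(addr);
    return idx < 0 ? -1 : (idx >> APISET_SHIFT);
}

/* Method number within the API set, or -1 if invalid. */
int trap_method(uint32_t addr)
{
    int idx = trap_index(addr);
    return idx < 0 ? -1 : (int)((unsigned)idx & METHOD_MASK);
}

/* Inverse mapping: the address coredll would branch to for (apiset, method). */
uint32_t trap_address(unsigned apiset, unsigned method)
{
    unsigned idx = (apiset << APISET_SHIFT) | (method & METHOD_MASK);
    return FIRST_METHOD - idx * APICALL_SCALE;
}

const char *apiset_name(int apiset)
{
    for (size_t i = 0; i < sizeof kKnownSets / sizeof kKnownSets[0]; i++)
        if ((int)kKnownSets[i].id == apiset)
            return kKnownSets[i].name;
    return "(unknown set)";
}

int main(void)
{
    /* Constructed inputs: the constant from the posted CreateFile listing,
     * plus the BEQ target from the same listing, which is ordinary coredll code. */
    uint32_t samples[] = { 0xF000AFDCu, 0x10021060u, FIRST_METHOD };
    for (size_t i = 0; i < 3; i++) {
        uint32_t a = samples[i];
        if (!is_trap_address(a)) {
            printf("%08X: not a system-call trap address\n", a);
            continue;
        }
        int set = trap_apiset(a), method = trap_method(a);
        printf("%08X: api set %d (%s), method %d, re-encoded %08X\n",
               a, set, apiset_name(set), method, trap_address(set, method));
    }
    return 0;
}
```

Once you know the (set, method) pair, the kernel-side lookup the post mentions, SystemAPISets[ApiSet], gives you the CINFO for that set and hence which server process (if any) implements the method, which is the information needed before deciding whether a hook belongs in the kernel's dispatch table or in the server itself.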
- Follow-Ups:
- Re: App verifier, HOOK, shim and how wince works
- From: Ross Jordan [MSFT]
- Re: App verifier, HOOK, shim and how wince works