App verifier, HOOK, shim and how wince works

Hi,

For a few months I have been doing low-level programming (while I am usually a high-level programmer (C++)), and at first I thought I would die, but now I find it almost interesting. The deeper I go inside the kernel the more I learn; however, I have some questions.
What I wanted to do first was to hook system calls. I have managed (thanks to source code found on forums) to hook some functions like CreateFile, RegCreateKeyEx, ...
From what I have understood, every time a user application calls a system function like CreateFile an exception is thrown. For instance, when I look at CreateFile in coredll.dll, I can see this:

STMFD   SP!, {R4-R11,LR}      ; save callee-saved registers and the return address
SUB     SP, SP, #0x10         ; reserve 16 bytes of local stack
MOV     R9, R3                ; keep the four argument registers (R0-R3)
MOV     R10, R2               ;   in R8-R11 across the code below
MOV     R11, R1
MOV     R8, R0

MOVL    LR, 0xFFFFC800        ; fixed kernel address (discussed below)
LDR     LR, [LR]              ; dereference it
LDR     LR, [LR,#-0x14]       ; read the word 0x14 bytes below that pointer
TST     LR, #1                ; test bit 0 of the value read
BEQ     loc_0_10021060        ; branch if the bit is clear

....                          ; (elided by the poster)

LDR     R4, =0xF000AFDC       ; load the system-call trap address (discussed below)


The interesting parts are, on the one hand, 0xFFFFC800, because this memory address corresponds to the address where the kernel is loaded on the ARM platform, and on the other hand 0xF000AFDC, because this corresponds to an exception and the kernel knows it corresponds to a system call.

With these two values and knowledge of the kernel data structures it should be possible to hook functions.

What I don't understand is:

1) When an application does a syscall, let's say CreateFile, is coredll loaded in the memory space of the application or is it shared?
I suppose there is only one instance of coredll, so in which process is coredll loaded? NK.exe?

2) When I use Remote Process Viewer I can see that some processes load coredll.dll.040c.mui. What does it mean?

3) Some syscalls (the ones I can hook) are located inside services; in the kernel structure, SystemAPISets[ApiSet]->pServer->hProc holds the process handle. For instance, CreateFile is implemented inside filesys.exe, but how can I hook syscalls when pServer is NULL?

4) It seems MS provides a tool called App Verifier that is used to debug and track memory leaks. It works in kernel userland. On MSDN they explain that we can develop our own DLL (called a shim) to intercept any syscall we want; however, it seems to work only per application. What if I want to intercept some syscalls from ALL the applications?

5) Would it be possible to use detour patching on coredll?
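The post says the kernel "knows" that 0xF000AFDC is a system call. That works because Windows CE trap addresses are not arbitrary: the API-set index and method index are packed into the address itself, and the kernel unpacks them in its exception handler before looking up SystemAPISets[]. The decoder below is an added example, not code from the post or from Microsoft; the constant names and values (FIRST_METHOD, APICALL_SCALE, HANDLE_SHIFT, METHOD_MASK, NUM_API_SETS, SH_FILESYS_APIS) are recalled from the public psyscall.h and should be treated as an assumption to check against your own SDK headers. Run on the value from the listing it yields API set 20 (the set filesys.exe serves) and method 9, which is consistent with the poster's observation that CreateFile is implemented in filesys.exe; the method-to-function mapping itself lives in the filesys API table and is not reproduced here.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Assumed from the Windows CE public header psyscall.h (check against your SDK). */
#define FIRST_METHOD     0xF0010000u   /* trap addresses count down from here     */
#define APICALL_SCALE    4u            /* one 4-byte ARM instruction slot per method */
#define HANDLE_SHIFT     8u            /* API-set index sits above the method byte   */
#define METHOD_MASK      0x00FFu
#define NUM_API_SETS     32u           /* size of the kernel's SystemAPISets[] table */
#define SH_FILESYS_APIS  20u           /* API set registered by filesys.exe          */

typedef struct {
    bool     is_trap;   /* false: the address is not a system-call trap */
    unsigned api_set;   /* index into SystemAPISets[]                   */
    unsigned method;    /* index into that API set's function table     */
} trap_decode_t;

/* Inverse of IMPLICIT_CALL(hid, mid):
 *   addr = FIRST_METHOD - (((hid << HANDLE_SHIFT) | mid) * APICALL_SCALE)
 * Anything that is not instruction-aligned, or that would decode to an API-set
 * index outside the table, is reported as an ordinary address, not a trap. */
trap_decode_t decode_trap_address(uint32_t addr)
{
    trap_decode_t r = { false, 0, 0 };
    if (addr >= FIRST_METHOD || (addr & (APICALL_SCALE - 1)) != 0)
        return r;                                  /* above the window or misaligned */
    uint32_t delta = (FIRST_METHOD - addr) / APICALL_SCALE;
    r.api_set = delta >> HANDLE_SHIFT;
    r.method  = delta & METHOD_MASK;
    if (r.api_set >= NUM_API_SETS)
        return r;                                  /* below the trap window           */
    r.is_trap = true;
    return r;
}

/* Forward direction: handy for building the list of trap addresses a monitor expects. */
uint32_t encode_trap_address(unsigned api_set, unsigned method)
{
    return FIRST_METHOD - (((api_set << HANDLE_SHIFT) | (method & METHOD_MASK)) * APICALL_SCALE);
}

int main(void)
{
    trap_decode_t d = decode_trap_address(0xF000AFDC);   /* value from the coredll listing */
    printf("trap=%d api_set=%u method=%u\n", d.is_trap, d.api_set, d.method);
    return 0;
}
```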


