1

Topic: Oddities with the DispatchTable for \FileSystem\NTFS

2

Re: Oddities with the DispatchTable for \FileSystem\NTFS

3

Re: Oddities with the DispatchTable for \FileSystem\NTFS

Hello, EreTIk, you wrote:

ETI> Hello, - prus -, you wrote:
ETI> Some guesses:
ETI>
ETI> SPTD may not keep its hooks installed for the whole time the system is running.
ETI> SPTD may remove its hooks before the BSOD dump file is written.

I also tried to find out which module the address belongs to via NtQuerySystemInformation(SystemModuleInformation), schematically like this:

    for (i = 0; i < Count; i++)
    {
        pSystemModule = &((PSYSTEM_MODULE_INFORMATION)pBuffer)->Modules[i];
        // image range is [ImageBaseAddress, ImageBaseAddress + ImageSize)
        if (Address >= (ULONG_PTR)pSystemModule->ImageBaseAddress &&
            Address < (ULONG_PTR)pSystemModule->ImageBaseAddress + pSystemModule->ImageSize)
        {
            // never gets here
        }
    }

and it turned out that the address does not fall into any of the kernel module ranges. Could SPTD allocate memory and place its code somewhere in the kernel outside those ranges?

4

Re: Oddities with the DispatchTable for \FileSystem\NTFS

Hello, - prus -, you wrote:

P> I also tried to find out which module the address belongs to via NtQuerySystemInformation(SystemModuleInformation), schematically like this:
P>
P>     for (i = 0; i < Count; i++)
P>     {
P>         pSystemModule = &((PSYSTEM_MODULE_INFORMATION)pBuffer)->Modules[i];
P>         if (Address >= (ULONG_PTR)pSystemModule->ImageBaseAddress &&
P>             Address < (ULONG_PTR)pSystemModule->ImageBaseAddress + pSystemModule->ImageSize)
P>         {
P>             // never gets here
P>         }
P>     }
P>
P> and it turned out that the address does not fall into any of the kernel module ranges.
P> Could SPTD allocate memory and place its code somewhere in the kernel outside those ranges?

Certainly it could. "No-Execute (NX) Nonpaged Pool: In Windows 7 and earlier versions of Windows, all memory allocated from the nonpaged pool is executable."
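As an added example (my own code, not anything posted in this thread or shipped by SPTD): the check the two posts above describe, carried through to a small audit. Each entry of a driver's MajorFunction table is mapped onto the list of loaded kernel modules, and entries that fall into no module are flagged, which is exactly where a hook sitting in executable nonpaged pool would show up. The range test uses an inclusive lower bound, which the snippet above gets wrong by one. On Windows the module list is read with NtQuerySystemInformation(SystemModuleInformation); the layout of the returned structure is assumed from the commonly used undocumented definition, since winternl.h does not declare it. On other platforms a constructed module table and a constructed dispatch table stand in so the logic can be exercised offline. Reading a live driver's dispatch table needs kernel access and is not attempted here.

```c
/* Added example, not code from the thread. It performs the check the posts
 * describe: map each entry of a driver's MajorFunction table onto the list of
 * loaded kernel modules and flag entries that fall into no module, which is
 * where a hook placed in executable nonpaged pool would land. On Windows the
 * module list is read via NtQuerySystemInformation(SystemModuleInformation);
 * elsewhere a constructed table stands in so the logic runs offline. Reading
 * a live driver's dispatch table needs kernel access and is not done here. */
#include <stdio.h>
#include <stdlib.h>
#include <stddef.h>
#include <stdint.h>

#define IRP_MJ_MAXIMUM_FUNCTION 0x1b        /* MajorFunction has 28 entries */
#define MJ_ENTRIES (IRP_MJ_MAXIMUM_FUNCTION + 1)

typedef struct {
    char      name[64];
    uintptr_t base;
    size_t    size;
} kmodule_t;

/* Index of the module whose image range [base, base + size) contains addr,
 * or -1 when none does. The thread's snippet used '>' for the lower bound
 * and would miss an address equal to the image base. */
int find_module(const kmodule_t *mods, size_t count, uintptr_t addr)
{
    for (size_t i = 0; i < count; i++)
        if (addr >= mods[i].base && addr < mods[i].base + mods[i].size)
            return (int)i;
    return -1;
}

/* Count dispatch entries that point outside every listed module. */
size_t count_foreign_entries(const kmodule_t *mods, size_t count,
                             const uintptr_t *table, size_t entries)
{
    size_t foreign = 0;
    for (size_t i = 0; i < entries; i++) {
        if (find_module(mods, count, table[i]) < 0) {
            printf("IRP_MJ 0x%02zx -> %#zx: not inside any loaded module\n",
                   i, (size_t)table[i]);
            foreign++;
        }
    }
    return foreign;
}

#ifdef _WIN32
#include <windows.h>
/* Output layout of information class 11 (SystemModuleInformation), the
 * structure the thread calls SYSTEM_MODULE_INFORMATION. Assumed from the
 * usual undocumented definition; winternl.h does not declare it. */
typedef struct {
    HANDLE Section; PVOID MappedBase; PVOID ImageBase; ULONG ImageSize;
    ULONG Flags; USHORT LoadOrderIndex; USHORT InitOrderIndex;
    USHORT LoadCount; USHORT OffsetToFileName; UCHAR FullPathName[256];
} RTL_PROCESS_MODULE_INFORMATION;
typedef struct {
    ULONG NumberOfModules; RTL_PROCESS_MODULE_INFORMATION Modules[1];
} RTL_PROCESS_MODULES;
typedef LONG (WINAPI *NtQSI_t)(ULONG, PVOID, ULONG, PULONG);

/* Fill mods from the running system; returns module count, 0 on failure. */
size_t load_modules(kmodule_t *mods, size_t max)
{
    NtQSI_t q = (NtQSI_t)GetProcAddress(GetModuleHandleA("ntdll.dll"),
                                        "NtQuerySystemInformation");
    ULONG need = 0;
    if (!q) return 0;
    q(11, NULL, 0, &need);                  /* size probe, expected to fail */
    RTL_PROCESS_MODULES *pm = malloc(need);
    if (!pm || q(11, pm, need, &need) < 0) { free(pm); return 0; }
    size_t n = pm->NumberOfModules < max ? pm->NumberOfModules : max;
    for (size_t i = 0; i < n; i++) {
        snprintf(mods[i].name, sizeof mods[i].name, "%s",
                 (char *)pm->Modules[i].FullPathName + pm->Modules[i].OffsetToFileName);
        mods[i].base = (uintptr_t)pm->Modules[i].ImageBase;
        mods[i].size = pm->Modules[i].ImageSize;
    }
    free(pm);
    return n;
}
#endif

/* Constructed data, not real addresses: two modules and a table whose
 * IRP_MJ_DIRECTORY_CONTROL (0x0c) entry was redirected into pool memory. */
size_t audit_sample(void)
{
    static const kmodule_t mods[] = {
        { "ntoskrnl.exe", 0x80400000u, 0x200000u },
        { "ntfs.sys",     0xf8400000u, 0x110000u },
    };
    uintptr_t table[MJ_ENTRIES];
    for (size_t i = 0; i < MJ_ENTRIES; i++)
        table[i] = 0xf8400000u + 0x1000u * (i + 1);   /* inside ntfs.sys */
    table[0x0c] = 0x8a6f3000u;                         /* pool, no module */
    return count_foreign_entries(mods, 2, table, MJ_ENTRIES);
}

int main(void)
{
#ifdef _WIN32
    kmodule_t live[512];
    printf("%zu kernel modules listed by the system\n", load_modules(live, 512));
#endif
    size_t foreign = audit_sample();
    printf("%zu foreign dispatch entries in the constructed sample\n", foreign);
    return foreign ? 1 : 0;
}
```

On a system where the hook code lives in pool, a zero result from this audit only means the table was clean at the moment it was read, which is the point made earlier in the thread about hooks being installed and removed over the system's lifetime.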

5

Re: Oddities with the DispatchTable for \FileSystem\NTFS

Hello, - prus -, you wrote:

P> and it turned out that the address does not fall into any of the kernel module ranges.
P> Could SPTD allocate memory and place its code somewhere in the kernel outside those ranges?

What a mischievous thing, this SPTD! By the way, on recent Windows versions, overwriting the MajorFunction addresses of some drivers, including ntfs.sys, leads to BSOD 0x109 (CRITICAL_STRUCTURE_CORRUPTION).