1

Topic: calloc/malloc, and other stdlib in the NT-driver. How?

After all, the driver not only manipulates  with everyone, but also performs normal actions like creating a file, getting the time, etc. They can be in ready-made code (like zip in my case). The result is an unresolved external. I cannot find solutions.  And it is not true that I can quietly create the stdlib for NT as required and will be the first.

2

Re: calloc/malloc, and other stdlib in the NT-driver. How?

Hello, sergey77666, you wrote:
S> performs normal actions like creating a file, getting the time, etc.
These "normal actions" are performed by "unusual" methods.
S> they can be in ready-made code (like zip in my case).
If "ready-made" means "on top of WinAPI", it certainly does not work in the kernel. Only "self-sufficient", purely computational code without external references works, and even that will generally need to be wrapped in  state saving/restoration.
S> I can quietly create the stdlib for NT as required and will be the first.
You will not be the first: it has already been done a huge number of times, hardly more than . A general-purpose solution is impossible for obvious reasons, so everyone builds their own, in the form of some subset, and no solution has become the standard. If you want to have some  under the kernel by all means, first look towards KMDF from MS.

3

Re: calloc/malloc, and other stdlib in the NT-driver. How?

Hello, Evgenie Muzychenko, you wrote:
EM> These "normal actions" are performed by "unusual" methods.
The most "normal" ones: fopen can be built on top of ZwCreateFile/ZwOpenFile, printf at first on DbgPrintEx with DPFLTR_ERROR_LEVEL (and ideally selectable: that, a log to a file,  or a stub), etc.
EM> If "ready-made" means "on top of WinAPI", it certainly does not work in the kernel. Only "self-sufficient", purely computational code without external references works, and even that will generally need to be wrapped in  state saving/restoration.
What does WinAPI have to do with it? I use a library in "pure C". There is no WinAPI in it, but there are printf, malloc, etc. And such  are not rare. You probably do not have enough experience. I am writing a driver for the first time, but I am not playing around; it is a real  and they pay me, and there are 2  at once: aes256 and zip.
EM> You will not be the first: it has already been done a huge number of times, hardly more than . A general-purpose solution is impossible for obvious reasons, so everyone builds their own, in the form of some subset, and no solution has become the standard.
Links? To download, to buy? Or only  someone's driver? And the price?  from under  compilers  not . Mine will be for sale.
EM> If you want to have some  under the kernel by all means, first look towards KMDF from MS.
And what does it give, what exactly does it simplify?

4

Re: calloc/malloc, and other stdlib in the NT-driver. How?

Hello, sergey77666, you wrote:
S> The most "normal" ones: fopen can be built on top of ZwCreateFile/ZwOpenFile, printf at first on DbgPrintEx with DPFLTR_ERROR_LEVEL
Yes, everything is possible, certainly. The question is whether it is necessary.
S> I use a library in "pure C". There is no WinAPI in it, but there are printf, malloc, etc. And such  are not rare.
Dragging general-purpose libraries, especially someone else's, into the kernel is unambiguously . In user mode people more often write "in a big way": frequently allocating/freeing big chunks of dynamic memory, using amounts of stack inadequate for the kernel, launching deep recursion, etc. If you really want to use a ready general-purpose library in the kernel by wrapping its stubs, you would first have to make sure that its operation fits within the conventions accepted in the kernel.
S> You probably do not have enough experience.
Well, only about thirty years.
S> I am writing a driver for the first time, but I am not playing around; it is a real  and they pay me
As it was said: "there is no crime that capital would not go for...".
S> there are 2  at once: aes256 and zip.
Do they categorically need to be used in kernel code?
EM>> If you want to have some  under the kernel by all means, first look towards KMDF from MS.
S> And what does it give, what exactly does it simplify?
It simplifies programming kernel code for those who have not worked with it before. But it does not help in your case: there is no universal remedy for  general-purpose libraries in kernel code, and there should not be, because it is wrong.

5

Re: calloc/malloc, and other stdlib in the NT-driver. How?

Hello, Evgenie Muzychenko, you wrote:
EM> If you really want to use a ready general-purpose library in the kernel by wrapping its stubs, you would first have to make sure that its operation fits within the conventions accepted in the kernel.
Testing will show. As a , I consider that every serious "general"  should be able to work EVERYWHERE. No, well, people did a huge amount of work: implemented the needed algorithm, in pure C! But at the same time take care that it was . Doing favors ( adapting it everywhere, writing wrappers/versions) is for some reason . They live too well.
EM> Do they categorically need to be used in kernel code?
Move it into a user-mode service? I am for it, but that is not so simple to do either. How to do the dialogue? In this case: the driver sends  to the service, which collects it in its storage and every 5 minutes flushes it to a log.
EM> It simplifies programming kernel code for those who have not worked with it before.
Be more specific. I still need to conveniently put  on the file system. Mostly so as not to suffer with SSDT. Not to have to tell creating a file from opening an existing one, from creating a pipe, a device. To have a ready event for file copying instead of  either "semantic " (ZwWriteFile with the same buffer that was just in ZwReadFile, but in another way) or checking for CopyFile on the stack. And many other things.

6

Re: calloc/malloc, and other stdlib in the NT-driver. How?

Hello, sergey77666, you wrote:
S> As a , I consider that every serious "general"  should be able to work EVERYWHERE.
You personally, how many such "general  working EVERYWHERE" have you made?
S> No, well, people did a huge amount of work: implemented the needed algorithm, in pure C! But at the same time take care that it was . Doing favors ( adapting it everywhere, writing wrappers/versions) is for some reason .
Perhaps they did not take care precisely because desires like yours arise in an absolute minority of cases, and people see no practical sense in engaging in ? So they are engaged first of all in what is really in demand.
S> Move it into a user-mode service?
If the logic of operation does not require code to run while handling the device's functions, then moving it out to user mode unambiguously and unconditionally does not hurt the device's speed of operation.
S> How to do the dialogue? In this case: the driver sends  to the service, which collects it in its storage and every 5 minutes flushes it to a log.
For dialogue between processes and drivers there are standard mechanisms. The driver can accumulate data in its own buffer, and the process can request the next portion with any periodicity. Or the process can pass the driver one or several buffers which the driver will fill. If the data stream is large and the speed is high, a shared buffer (for example, a ring) mapped simultaneously in the driver and in the process can be used. In your case, as I understand it, many gigabytes do not accumulate in five minutes, so the most elementary thing should suffice: sending the driver one or several IRP_MJ_READ/IRP_MJ_DEVICECONTROL via ReadFile/ReadFileEx/DeviceIoControl, in normal synchronous or asynchronous (overlapped) mode, so that it completes the requests as the buffers fill up.
EM>> It simplifies programming kernel code for those who have not worked with it before.
S> Be more specific.
Read the docs at MS; there are plenty of them. In the WDK there are examples.
S> I still need to conveniently put  on the file system. Mostly so as not to suffer with SSDT. Not to have to tell creating a file from opening an existing one, from creating a pipe, a device. To have a ready event for file copying instead of  either "semantic " (ZwWriteFile with the same buffer that was just in ZwReadFile, but in another way) or checking for CopyFile on the stack. And many other things.
You have aimed high. Prepare right away for it not being easy. Ready solutions surely exist, but you would have to look for them first of all among malware/antimalware developers. And before committing to any algorithm, it makes sense to get familiar with MS policy in this respect: for a long time now they have been systematically tightening the screws (Kernel Patch Protection, Hypervisor Code Integrity, Device Guard, etc.) to forbid "just drivers" from climbing too deep into the system. Bypassing these mechanisms will be allowed only to partners (the same antivirus developers), by means of specially issued certificates, and it will clearly cost decent money.
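The "driver accumulates in its own buffer, the process requests the next portion" scheme from the reply above, as an added example that is not code from the thread or from either poster: a portable ring buffer of length-prefixed records. rb_push is what the driver side would call per event, rb_drain is what a read/IOCTL handler would call to fill the user's buffer; names, the record framing and the 4096-byte size are assumptions, and the spin lock a real driver needs around both calls is left to the caller.

```c
/* Ring buffer of length-prefixed records shared between a producer (driver)
 * and a consumer (service). Whole records only: a record is never split
 * across two reads, so the service never has to reassemble fragments. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define RB_CAP 4096                /* constructed size for the example */

typedef struct {
    uint8_t buf[RB_CAP];
    size_t head, tail, used;       /* head: next write, tail: next read */
    size_t dropped;                /* records discarded because the buffer was full */
} ringbuf;

static void rb_put(ringbuf *rb, const void *src, size_t n) {
    const uint8_t *s = src;
    for (size_t i = 0; i < n; i++) { rb->buf[rb->head] = s[i]; rb->head = (rb->head + 1) % RB_CAP; }
    rb->used += n;
}

static void rb_get(ringbuf *rb, void *dst, size_t n) {
    uint8_t *d = dst;
    for (size_t i = 0; i < n; i++) { d[i] = rb->buf[rb->tail]; rb->tail = (rb->tail + 1) % RB_CAP; }
    rb->used -= n;
}

/* Driver side: append one record (2-byte little-endian length + payload).
 * Returns 0 on success, -1 if it does not fit. A record that does not fit is
 * counted as dropped instead of overwriting unread data, so the service sees
 * a gap it can report rather than corrupted records. */
int rb_push(ringbuf *rb, const void *payload, size_t len) {
    if (len > UINT16_MAX || len + 2 > RB_CAP - rb->used) { rb->dropped++; return -1; }
    uint8_t hdr[2] = { (uint8_t)len, (uint8_t)(len >> 8) };
    rb_put(rb, hdr, 2);
    rb_put(rb, payload, len);
    return 0;
}

/* Consumer side (called from the driver's read handler): copy as many whole
 * records as fit into out[cap]. Returns the number of bytes written; a record
 * that would not fit stays in the ring for the next request. */
size_t rb_drain(ringbuf *rb, void *out, size_t cap) {
    uint8_t *o = out;
    size_t written = 0;
    while (rb->used >= 2) {
        size_t len = (size_t)rb->buf[rb->tail] | ((size_t)rb->buf[(rb->tail + 1) % RB_CAP] << 8);
        if (written + 2 + len > cap) break;
        rb_get(rb, o + written, 2 + len);
        written += 2 + len;
    }
    return written;
}
```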

7

Re: calloc/malloc, and other stdlib in the NT-driver. How?

Hello, Evgenie Muzychenko, you wrote:
EM> You personally, how many such "general  working EVERYWHERE" have you made?
So far only the one in my head.
EM> So they are engaged first of all in what is really in demand.
There is fast money, and there is "harness slowly, ride fast". The more effort, the better the result, and nothing is lost in vain. That is how it is with me; you do as you like.
EM> unambiguously and unconditionally.
Clearly, mastering the dialogue is more profitable for the future than  these 2 . But probably it will be easier to push through, and then there is fast money. And malloc\printf\fopen do not hinder anyway, as .
EM> You have aimed high. Prepare right away for it not being easy. Ready solutions surely exist, but you would have to look for them first of all among malware/antimalware developers. And before committing to any algorithm, it makes sense to get familiar with MS policy in this respect: for a long time now they have been systematically tightening the screws (Kernel Patch Protection, Hypervisor Code Integrity, Device Guard, etc.) to forbid "just drivers" from climbing too deep into the system. Bypassing these mechanisms will be allowed only to partners (the same antivirus developers), by means of specially issued certificates, and it will clearly cost decent money.
By means of a source with  for unwinding I made  NtCreateFile under WinXP x86, a little later under Win7 x86. Under x64 this source also had a version, but with some magic method of searching the SSDT, and on Win8 it did not work. So for x64 I took another source. It turned out more thorough and accurate. Threw out the superfluous, added NTCF, then also for other functions. That is, a couple of days,  (such a temperament, well, all the same it is time to buy a new one) and I got a broken display.  I have it working, it seems, under all popular Windows (except 10, didn't test); the code is already specifically understood (though not all of it yet); also  mastered for the first time; and what is there with  that this miracle demands bothers me little now, those are the customer's problems and the corresponding budget. On my , signature checking is disabled at reboot, each session ends in a BSOD and it is not even necessary to disable the check again. The real problem is not to install , but to parse what arrives at them. That is plainly absent in those 2 sources.

8

Re: calloc/malloc, and other stdlib in the NT-driver. How?

Hello, sergey77666, you wrote:
S> There is fast money, and there is "harness slowly, ride fast".
S> The more effort, the better the result, and nothing is lost in vain.
Don't you find it a little strange to expect carefulness and deep study from others while yourself showing the approaches "fast money" and "I will do it the way I am used to, and after that the flood"?
S> Clearly, mastering the dialogue is more profitable for the future than  these 2 . But probably it will be easier to push through, and then there is fast money.
And then something begins to change, and they no longer pay for laziness.
S> And malloc\printf\fopen do not hinder anyway, as .
If you want convenient , it makes sense to think in advance about something more reliable, like  and typed output.
S> I have it working, it seems, under all popular Windows (except 10, didn't test)
If you do not have a dedicated product tailored to a specific OS, you need to start testing from "ten", and with UEFI, Secure Boot, Device Guard and all the rest. Otherwise, having spent a lot of time on development, you risk finding out that under "ten" it does not work, and can never work. The share of "seven" will naturally decrease over time; the share of "ten" will grow.

9

Re: calloc/malloc, and other stdlib in the NT-driver. How?

Hello, Evgenie Muzychenko, you wrote:
EM> Don't you find it a little strange to expect carefulness and deep study from others while yourself showing the approaches "fast money" and "I will do it the way I am used to, and after that the flood"?
Between "well" and "badly" I choose "well". But between "somehow" and "no way" I always choose "somehow". They pay me 30 .. for it, dude! And the client himself refused a surcharge. And I do not want to invest myself in it. The subject is not the same (compare with ). And there is already one project, not ten at once. And "cheap" is also a criterion of "well", so that also has to be mastered.
EM> And then something begins to change, and they no longer pay for laziness.
Then I will write the next driver, that time I will do it differently.
EM> If you want convenient , it makes sense to think in advance about something more reliable, like  and typed output.
It is better to write something convenient on top of fopen-malloc; it works everywhere.
EM> If you do not have a dedicated product tailored to a specific OS, you need to start testing from "ten", and with UEFI, Secure Boot, Device Guard and all the rest. Otherwise, having spent a lot of time on development, you risk finding out that under "ten" it does not work, and can never work. The share of "seven" will naturally decrease over time; the share of "ten" will grow.
Well, when I deliver , 10 64, I will check it on that. In the sense directly. If it does not work, I will look for sources, I will try filter/minifilter instead of . So far I refused them because nothing is more convenient than : the same "heap of garbage" arrives, but  have wider application. The principal difficulty is not to install hooks\filters\..., but to parse what arrives. And I can rewrite for filters even now, even 3 days before the deadline.

10

Re: calloc/malloc, and other stdlib in the NT-driver. How?

Hello, sergey77666, you wrote:
S> Well, when I deliver , 10 64, I will check it on that. In the sense directly. If it does not work, I will look for sources
So as not to twitch later, I strongly advise reading the docs now. At least something of an overview, like this.
S> I will try filter/minifilter instead of . So far I refused them because nothing is more convenient than : the same "heap of garbage" arrives, but  have wider application.
If you need to intercept not arbitrary functions, but specifically calls to device drivers, it is more correct to make a filter; that is what they were invented for.  in such tasks is dirty hacking, and such techniques will be systematically eradicated.

11

Re: calloc/malloc, and other stdlib in the NT-driver. How?

Hello, Evgenie Muzychenko, you wrote: My eyes are running in all directions. I will do the minifilter. And if  on  does not work, then it is for a long time. I would rather break the system myself, but I see the hemorrhoids are not what I can afford now. Will the minifilter work on WinXP? Both x86\x64?

12

Re: calloc/malloc, and other stdlib in the NT-driver. How?

Hello, sergey77666, you wrote:
S> I would rather break the system myself, but I see the hemorrhoids are not what I can afford now.
If you want to make a legal product, you need to forget about  the system from the very start. Not so much for ethical reasons as for technical ones: the times of protecting systems by cunning have passed long ago and irrevocably; the main method is checking code signatures. That is, to break the same Device Guard, you would have to start by breaking the UEFI of the specific target computer. And getting onto blacklists with such an approach is as easy as shelling pears, since the era of anonymous drivers has also passed long ago.
S> Will the minifilter work on WinXP? Both x86\x64?
The filter technology itself has worked since the first versions of NT, but in each version they add something new, especially concerning file systems, so look at the docs; I have not looked into this kitchen closely.

13

Re: calloc/malloc, and other stdlib in the NT-driver. How?

S> Also, it is not true that I can quietly create the stdlib for NT as required and will be the first.
The kernel has an execution context which __ needs to be considered when writing  code, and which does not allow implementing an adequate  in which such a thing basically does not exist. By execution context I mean, at the core, IRQL, PreviousMode and the next/prev object for a filter driver. Without thinking about these things you will most likely write  and code full of holes. And  basically cannot look back at these things, otherwise it would no longer be . And a not-libc in the kernel already exists.
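The malloc/calloc shim that posts 1, 3 and 4 argue about, and the IRQL point from the reply above, as an added example that is not code from the thread or from any poster: a minimal allocator front for a "pure C" library in a driver. Each block carries a size header, because pool freeing does not report the size and realloc/calloc need it; KSHIM_KERNEL is an assumed build macro that selects pool allocation, and without it the same code runs on the C runtime so the logic can be tested in user mode.

```c
/* malloc/calloc/realloc/free shim for a "pure C" library inside an NT driver. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#ifdef KSHIM_KERNEL
#include <ntddk.h>
#define KSHIM_TAG 'mhSK'           /* shows up as "KShm" in pool tools */
/* NonPagedPoolNx may be allocated up to DISPATCH_LEVEL; paged pool touched at
 * that IRQL bugchecks, which is the execution-context point made in the thread. */
static void *kshim_raw_alloc(size_t n) { return ExAllocatePoolWithTag(NonPagedPoolNx, n, KSHIM_TAG); }
static void  kshim_raw_free(void *p)   { ExFreePoolWithTag(p, KSHIM_TAG); }
#else
#include <stdlib.h>                /* user-mode fallback so the shim can be tested */
static void *kshim_raw_alloc(size_t n) { return malloc(n); }
static void  kshim_raw_free(void *p)   { free(p); }
#endif

/* Header in front of every user block; two size_t keep the payload aligned. */
typedef struct { size_t size; size_t pad; } kshim_hdr;

void *kshim_malloc(size_t n) {
    if (n == 0 || n > SIZE_MAX - sizeof(kshim_hdr)) return NULL;   /* overflow guard */
    kshim_hdr *h = kshim_raw_alloc(sizeof *h + n);
    if (!h) return NULL;
    h->size = n;
    return h + 1;
}

size_t kshim_usable_size(const void *p) { return p ? ((const kshim_hdr *)p - 1)->size : 0; }

void kshim_free(void *p) { if (p) kshim_raw_free((kshim_hdr *)p - 1); }

void *kshim_calloc(size_t nmemb, size_t sz) {
    if (sz && nmemb > SIZE_MAX / sz) return NULL;   /* nmemb*sz overflow, the classic calloc bug */
    void *p = kshim_malloc(nmemb * sz);
    if (p) memset(p, 0, nmemb * sz);
    return p;
}

void *kshim_realloc(void *p, size_t n) {
    if (!p) return kshim_malloc(n);
    if (n == 0) { kshim_free(p); return NULL; }
    size_t old = kshim_usable_size(p);
    if (n <= old) { ((kshim_hdr *)p - 1)->size = n; return p; }   /* shrink in place */
    void *q = kshim_malloc(n);
    if (!q) return NULL;           /* original block stays valid, as in C realloc */
    memcpy(q, p, old);
    kshim_free(p);
    return q;
}
```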