-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On Friday 07 November 2003 19:46, Lionel Ulmer wrote:
> On Fri, Nov 07, 2003 at 10:32:02AM +0000, Mike Hearn wrote:
> > Lionel, could QEMU be used here? I guess the driver expects to have kernel level access to the machine, so we could either:
>
> Well, as I have no idea how .SYS loading works and how it interfaces with the kernel, I cannot comment here.
>
> Note that a low level kernel presentation by ReactOS people would be a nice thing to have at Wineconf :-)
>
> Lionel
It is simple: it is only a PE module that works in kernel mode using OS APIs:
-=(FeniX as fenix@DarkBluE)-(on tty2)-(at 13:39:31)=- -={$:'~'}=-> winedump dump -j import /mnt/win_c2/windows/system32/drivers/secdrv.sys
Contents of "/mnt/win_c2/windows/system32/drivers/secdrv.sys": 27440 bytes

Import Table size: 40
offset 25404 ntoskrnl.exe
  Hint/Name Table: 00006364
  TimeDataStamp:   00000000 (Thu Jan  1 01:00:00 1970)
  ForwarderChain:  00000000
  First thunk RVA: 00000260 (delta: 4294967295 0xffffffff)
   Ordn  Name
    252  IoDeleteSymbolicLink      644a
    251  IoDeleteDevice            63b4
    247  IoCreateSymbolicLink      63c6
    243  IoCreateDevice            63de
    720  RtlInitUnicodeString      63f0
    687  RtlEqualUnicodeString     6408
    519  NtBuildNumber             6420
    760  RtlQueryRegistryValues    6430
    599  PsGetVersion              63a4
    434  KeTickCount               6462
    479  MmIsAddressValid          6470
    792  RtlUnwind                 6492
     54  ExAllocatePoolWithTag     649e
     66  ExFreePool                64b6
    325  IofCompleteRequest        64c4

Done dumping /mnt/win_c2/windows/system32/drivers/secdrv.sys
The problem is how to emulate Windows kernel internal behavior (i.e. assembly tips such as NtCurrentTeb).
Best Regards, Raphael
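As an added example (not part of this thread, and not Wine's winedump code): a small Python walker for the PE import directory that recovers the same information the winedump listing above shows, namely which DLL each import is resolved against and the symbol names. It also builds a constructed PE32 test image in memory so it runs offline; the sample import list, the `hal.dll` entry and the `KEGetCurrentIrql` name in it are invented test data, and `secdrv.sys` itself is never read. The "Import Table size: 40" in the listing is two 20-byte import descriptors, one for ntoskrnl.exe plus the all-zero terminator, which is exactly what the parser walks. Checking whether a module's imports are resolved against ntoskrnl.exe or hal.dll is the cheapest way to tell a kernel-mode driver from a user-mode PE before any loader touches it.

```python
import struct

# Constructed sample input: the ntoskrnl.exe symbols from the winedump listing above,
# plus one invented hal.dll import so the parser is exercised on more than one DLL.
SAMPLE_IMPORTS = {
    "ntoskrnl.exe": ["IoCreateDevice", "IoDeleteDevice", "IoCreateSymbolicLink",
                     "ExAllocatePoolWithTag", "ExFreePool", "IofCompleteRequest"],
    "hal.dll": ["KeGetCurrentIrql"],
}
# Export modules that only exist in kernel mode; a PE linking against them is a driver.
KERNEL_EXPORTERS = {"ntoskrnl.exe", "hal.dll"}


def build_minimal_pe(imports, section_rva=0x1000, section_raw=0x200):
    """Build a tiny PE32 image (constructed test input, not a real driver) whose single
    .idata section holds an import directory for `imports` (dll name -> symbol names)."""
    body = bytearray(20 * (len(imports) + 1))  # descriptor per DLL + all-zero terminator
    descriptors = []
    for dll, names in imports.items():
        name_rvas = []
        for hint, name in enumerate(names):  # hint/name table: u16 hint + NUL-terminated name
            name_rvas.append(section_rva + len(body))
            body += struct.pack("<H", hint) + name.encode("ascii") + b"\0"
            if len(body) % 2:
                body += b"\0"
        # On disk the lookup table (ILT) and the address table (IAT) carry the same RVAs.
        thunks = b"".join(struct.pack("<I", r) for r in name_rvas) + b"\0" * 4
        ilt_rva = section_rva + len(body)
        body += thunks
        iat_rva = section_rva + len(body)
        body += thunks
        dll_rva = section_rva + len(body)
        body += dll.encode("ascii") + b"\0"
        descriptors.append(struct.pack("<IIIII", ilt_rva, 0, 0, dll_rva, iat_rva))
    body[:20 * len(descriptors)] = b"".join(descriptors)

    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                            # e_lfanew -> PE header
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x2102)  # i386, 1 section, PE32 opt hdr
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                            # PE32 magic
    struct.pack_into("<II", opt, 96 + 8, section_rva, 20 * (len(imports) + 1))  # import directory
    sect = struct.pack("<8sIIII", b".idata", len(body), section_rva, len(body), section_raw) + b"\0" * 16
    headers = dos + b"PE\0\0" + coff + opt + sect
    return bytes(headers) + b"\0" * (section_raw - len(headers)) + bytes(body)


def parse_imports(data):
    """Walk the import directory of a PE32/PE32+ file and return {dll: [symbol, ...]};
    imports by ordinal only are reported as '#<ordinal>'."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    n_sections = struct.unpack_from("<H", data, pe_off + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe_off + 20)[0]
    opt_off = pe_off + 24
    magic = struct.unpack_from("<H", data, opt_off)[0]
    if magic == 0x10B:      # PE32: data directories begin 96 bytes into the optional header
        dir_off, thunk_fmt = 96, "<I"
    elif magic == 0x20B:    # PE32+: 112 bytes in, with 64-bit thunks
        dir_off, thunk_fmt = 112, "<Q"
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    thunk_size = struct.calcsize(thunk_fmt)
    ordinal_flag = 1 << (8 * thunk_size - 1)
    import_rva = struct.unpack_from("<I", data, opt_off + dir_off + 8)[0]  # directory entry 1

    sections = []  # (VirtualAddress, size, PointerToRawData) for RVA -> file offset mapping
    for i in range(n_sections):
        vsize, vaddr, rawsize, rawptr = struct.unpack_from("<IIII", data, opt_off + opt_size + i * 40 + 8)
        sections.append((vaddr, max(vsize, rawsize), rawptr))

    def rva_to_offset(rva):
        for vaddr, size, rawptr in sections:
            if vaddr <= rva < vaddr + size:
                return rawptr + (rva - vaddr)
        raise ValueError(f"RVA {rva:#x} lies outside every section")

    def cstring(off):
        return bytes(data[off:data.index(b"\0", off)]).decode("ascii", "replace")

    result = {}
    if import_rva == 0:
        return result
    desc_off = rva_to_offset(import_rva)
    while True:
        ilt_rva, _stamp, _fwd, name_rva, iat_rva = struct.unpack_from("<IIIII", data, desc_off)
        if ilt_rva == 0 and name_rva == 0 and iat_rva == 0:
            break
        names = []
        thunk_off = rva_to_offset(ilt_rva or iat_rva)  # some linkers leave the ILT empty
        while True:
            entry = struct.unpack_from(thunk_fmt, data, thunk_off)[0]
            if entry == 0:
                break
            names.append(f"#{entry & 0xFFFF}" if entry & ordinal_flag
                         else cstring(rva_to_offset(entry) + 2))  # skip the 2-byte hint
            thunk_off += thunk_size
        result[cstring(rva_to_offset(name_rva))] = names
        desc_off += 20
    return result


def is_kernel_mode_module(data):
    """True when the image resolves imports against the kernel's export modules."""
    return any(dll.lower() in KERNEL_EXPORTERS for dll in parse_imports(data))


if __name__ == "__main__":
    import sys
    image = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_minimal_pe(SAMPLE_IMPORTS)
    for dll, names in parse_imports(image).items():
        print(f"{dll}: {', '.join(names)}")
    print("kernel-mode module:", is_kernel_mode_module(image))
```

Run it with a path to any PE file to list its imports per DLL, or with no argument to parse the constructed image. The RVA-to-file-offset step through the section table is the part that matters on real files: the import descriptors, thunk tables and hint/name strings are addressed by RVA, not by file offset, and a walker that skips that mapping reads garbage on any image whose sections are not file-aligned.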