symbols downloaded didn't resolve all function?! - HeapOverflow Computer Security Community & Forums : Heap Overflow.com

HeapOverflow Computer Security Community & Forums : Heap Overflow.com

		HeapOverflow Computer Security Community & Forums : Heap Overflow.com > Central: General Talks > General Discussions
symbols downloaded didn't resolve all function?!

Mark Forums Read

Notices

Welcome to you visitor! This community is mainly dedicated to the computer and security, if you're looking for DFind scanner or others exploits codes you will find them into the Projects section, feel free to start Blogging and remember to always keep an eye and start talking about security Advisories & public Exploits.

General Discussions Discuss anything that does not correspond to any forum section

symbols downloaded didn't resolve all function?!

This is a discussion on "symbols downloaded didn't resolve all function?!" within the General Discussions part of the Central: General Talks section; I have tried to analyse some windows internal function they appear at http://www.xfocus.net/articles/200412/762.html. But some functions didn't resolve like PspCreateProcess ...etc..after I applied .pdb symbols downloaded from Microsoft symbol server. Any ...

Reply

#1 (permalink)

Old

02-08-05

w4terlime is offline

Junior Member

Join Date: Jul 2005

Posts: 11

Thanks: 0

Thanked 0 Times in 0 Posts

Rep Power: 7

w4terlime is on a distinguished road

Default

symbols downloaded didn't resolve all function?!

I have tried to analyse some windows internal function they appear at http://www.xfocus.net/articles/200412/762.html.

But some functions didn't resolve like PspCreateProcess ...etc..after I applied .pdb symbols downloaded from Microsoft symbol server.

Any idea could help?

Thanks for advance

Reply With Quote

Sponsor

Advertiser

#2 (permalink)

Old

02-08-05

class101 is offline

Administrator

Join Date: May 2005

Location: France

Age: 27

Posts: 592

Blog Entries: 3

Thanks: 18

Thanked 7 Times in 7 Posts

Rep Power: 10

class101 has disabled reputation

Send a message via MSN to class101

Default

unfortunely your link is 404 here.

Have catch some text on google maybe that will help you:

Quote:

Physical process creation is done in PspCreateProcess
which is called by two other routines only,
NtCreateProcess and PsCreateSystemProcess.

Physical thread creation is done in PspCreateThread
which is called by two other routines only,
NtCreateThread and PsCreateSystemThread.

Both PspCreateProcess and PspCreateThread calls
registered callbacks (by PsSetCreateProcessNotifyRoutine and
PsSetCreateThreadNotifyRoutine) with the third argument = TRUE.

and

http://undocumented.ntinternals.net/Ker ... ocess.html

I think you have to link to the ntoskrnl.lib instead of to play with the .pdb file.

__________________
Security community webmaster
100% Free Directory
100% Cool milw0rm javascript

Reply With Quote

#3 (permalink)

Old

02-08-05

w4terlime is offline

Junior Member

Join Date: Jul 2005

Posts: 11

Thanks: 0

Thanked 0 Times in 0 Posts

Rep Power: 7

w4terlime is on a distinguished road

Default

Thank for your reply. usefull for me.
the correct is http://www.xfocus.net/articles/200412/762.html (sorry)

Just a ask
the Quote content where I can get if I like lookup other not exported function?! I didn't think DDK will documented it.

(Search on net and ask others seem only way ...)

btw. what's thing on 7FFE0330h (I din't install xp sp2 )? RtlDecodeSystemPointer seem weak than RtlEncodePointer

.text:7C91AFC8 mov edi, edi ; RtlDecodeSystemPointer
.text:7C91AFCA push ebp
.text:7C91AFCB mov ebp, esp
.text:7C91AFCD mov eax, ds:7FFE0330h
.text:7C91AFD2 xor eax, [ebp+arg_4]
.text:7C91AFD5 pop ebp
.text:7C91AFD6 retn 4

Reply With Quote

Sponsor

Advertiser

Reply

Tags
didnt, downloaded, function, resolve, symbols

« Link me to ... | [req] defeating compiler level buffer overflow protection »

Thread Tools
Show Printable Version Email this Page
Display Modes
Linear Mode Switch to Hybrid Mode Switch to Threaded Mode

Posting Rules
You may not post new threads You may not post replies You may not post attachments You may not edit your posts BB code is On Smilies are On [IMG] code is On HTML code is Off Trackbacks are On Pingbacks are On Refbacks are On

heapoverflow.com - SEOmeter SEO tools

Locations of visitors to this page

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47