symbols downloaded didn't resolve all functions?!
I have tried to analyse some Windows internal functions; they appear at http://www.xfocus.net/articles/200412/762.html.
But some functions didn't resolve, like PspCreateProcess etc., after I applied the .pdb symbols downloaded from the Microsoft symbol server.
Any ideas that could help?
Thanks in advance
Unfortunately your link is a 404 here.
I have caught some text on Google; maybe that will help you:
Physical process creation is done in PspCreateProcess
which is called by two other routines only,
NtCreateProcess and PsCreateSystemProcess.
Physical thread creation is done in PspCreateThread
which is called by two other routines only,
NtCreateThread and PsCreateSystemThread.
Both PspCreateProcess and PspCreateThread call
registered callbacks (by PsSetCreateProcessNotifyRoutine and
PsSetCreateThreadNotifyRoutine) with the third argument = TRUE.
and
http://undocumented.ntinternals.net/KernelMode/Undokumented%20Functions/Processes%20And%20Threads/PsCreateSystemProcess.html
I think you have to link to ntoskrnl.lib instead of playing with the .pdb file.
Thanks for your reply. Useful for me.
The correct one is http://www.xfocus.net/articles/200412/762.html (sorry)
Just a question:
Where can I get the quoted content if I'd like to look up other non-exported functions?! I didn't think the DDK would document it.
(Searching on the net and asking others seems the only way ...)
BTW, what's the thing at 7FFE0330h (I didn't install XP SP2)? RtlDecodeSystemPointer seems weaker than RtlEncodePointer
.text:7C91AFC8 mov edi, edi ; RtlDecodeSystemPointer
.text:7C91AFCA push ebp
.text:7C91AFCB mov ebp, esp
.text:7C91AFCD mov eax, ds:7FFE0330h
.text:7C91AFD2 xor eax, [ebp+arg_4]
.text:7C91AFD5 pop ebp
.text:7C91AFD6 retn 4