kernel-mode

Difference between Sensitive Instructions and Privileged Instructions

徘徊边缘 Submitted on 2020-08-06 04:34:51
Question: I've been searching for a clear difference between a Sensitive and a Privileged instruction but it's all blurry right now. As far as I know: A sensitive instruction NEEDS TO trap to kernel mode if executed in User space, else it gets ignored, while a Privileged instruction WILL TRAP to Kernel mode if executed in User space. This difference is vague and unsatisfactory for me. Feel free to drop an AWESOME answer! EDIT: Just a thought, are these the same thing? Answer 1: The terms are usually used in the

Directory relative ZwCreateFile

核能气质少年 Submitted on 2020-01-15 03:28:09
Question: I have to implement a cross-view file integrity checker for my University project. For that, how do I list the files of a Directory in Kernel Mode? Answer 1: Your starting point would be ZwCreateFile - which has options such as "FILE_LIST_DIRECTORY". You will then use ZwQueryDirectoryFile to get the information about the file(s) within that directory. Make SURE that you are not forgetting to ZwClose after you open something - it's not so critical in a user-mode application that closes again after it

Mini-Filter intercept drag & drop file(s) to disk?

依然范特西╮ Submitted on 2019-12-25 06:58:02
Question: I am developing a mini-filter to intercept files and get the names of files which are dragged & dropped to a specific disk and get the file names. If I drag & drop a file, I can get this file name and intercept it successfully (That means this file is not created on disk). If I drag & drop multiple files, I can only get the first file name and not the others. But when I open the disk, I don't see any file here (That means the Mini-Filter intercepts them successfully). So I cannot get the file

C and resource protection in memory

醉酒当歌 Submitted on 2019-12-21 17:46:49
Question: When we compile a C program, it just generates some machine-understandable code. This code can directly run on the hardware, telling from this question. So my questions are: If a C program can directly run on the hardware, how can the kernel handle the resource allocation for this program? If the executable generated from the compiler is in pure machine-understandable form, then how do the privileged and non-privileged modes work? How does the kernel manage the permission of hardware

Returning from kernel mode to user mode

≯℡__Kan透↙ Submitted on 2019-12-21 06:24:29
Question: I'm a bit confused about the understanding of a mode switch in the Unix kernel. I give my understanding here and open it for discussion/correction. While transitioning from user mode to kernel mode, the processor makes a switch between the per-process user stack and the per-process kernel stack. Then the user per-process stack segment selector and stack pointer are stored on the kernel stack, and then the eip instruction pointer (return address in user mode) and other hardware registers are pushed

WinDbg loses connection debugging over network, and target machine freeze

China☆狼群 Submitted on 2019-12-20 19:43:26
Question: I'm trying to get WinDbg debugging over the network to work, but it always loses the connection after I break into the debugger (Debug->Break) and then try to start it again (Debug->Go). However, if I never break into the debugger, it looks like the connection is stable for an 'N' period of time. I can even see debug print statements in WinDbg as I use the target system during this grace period. Moreover, it seems like the connection is good while in debug break, because I can gather

Function caller in linux kernel

浪子不回头ぞ Submitted on 2019-12-20 08:11:11
Question: Is there a way to get the function caller in the linux kernel? I know __func__ returns the name of the function which is executing. I am looking for the function which called "__func__". Answer 1: You can get the caller with __builtin_return_address(0). The caller's caller is __builtin_return_address(1) and so on. It's a GCC extension, documented in the gcc manual: http://gcc.gnu.org/onlinedocs/gcc/Return-Address.html Edit: I should probably point out that this gets you the address of the caller. If you want

How to delete a file from kernel-mode?

天大地大妈咪最大 Submitted on 2019-12-13 08:17:15
Question: I have a minifilter (kernel-mode). I want to delete a file with a specific path (\Device\HarddiskVolume1\file.txt or C:\file.txt) from kernel-mode. Is there any way to do that? UPDATE: 20150130 I tried to use the ZwDeleteFile routine as Harry Johnston said. This is my code: RtlInitUnicodeString(&gRedirectFullFilePath, L"\\Device\\HarddiskVolume1\\test.txt"); // This file exists; RtlInitUnicodeString takes a wide (PCWSTR) literal InitializeObjectAttributes(&ObjectAttribute, &gRedirectFullFilePath, OBJ_CASE_INSENSITIVE, NULL, NULL); status =

Difference between User vs Kernel System call

南楼画角 Submitted on 2019-12-13 06:32:20
Question: A system call is how a program requests a service from an operating system's kernel. They can occur in user-mode and kernel-mode. What are the differences? For example: Overhead, System time. Answer 1: A system call is the way you transition between the application ("user mode") and the kernel. Syscalls are slower than normal function calls, but newer x86 chips from Intel and AMD have a special sysenter / syscall opcode to make it take just a hundred nanoseconds or so, give or take. Answer 2: @Leo, Could you