سلام

اینا تابع های سطح user هستن

چی جوری اینا تو سطح کرنل استفاده می شن /شدن




PVOID AllocateInfoBuffer(
IN SYSTEM_INFORMATION_CLASS ATableType
)
{
ULONG mSize = 0x8000;
PVOID mPtr;
NTSTATUS status;
do
{
mPtr = ExAllocatePool(PagedPool, mSize);
if (!mPtr) return NULL;

memset(mPtr, 0, mSize);
status = ZwQuerySystemInformation(ATableType, mPtr, mSize, NULL);

if (status == STATUS_INFO_LENGTH_MISMATCH)
{
ExFreePool(mPtr);
mSize = mSize * 2;
}

} while (status == STATUS_INFO_LENGTH_MISMATCH);

if (NT_SUCCESS(status)) return mPtr;

ExFreePool(mPtr);
return NULL;
}

جدی باش!


dumpbin /EXPORTS ntoskrnl.exe | find "ZwQuerySystemInformation"

این تابع در NTDLL.DLL هم موجود هستش
من فکر کردم نویسنده کد منظورش انه از وجود سطح کرنلش مطلع نبودم (شک کردم یه تابع با یه اسم هم سطح کرنل داشته باشه هم سطح کاربر)




The ZwQuerySystemInformation function and the structures that it returns are internal to the operating system and subject to change from one release of Windows to another. To maintain the compatibility of your application, it is better to use the alternate functions previously mentioned instead.
If you do use ZwQuerySystemInformation, access the function through run-time dynamic linking. This gives your code an opportunity to respond gracefully if the function has been changed or removed from the operating system. Signature changes, however, may not be detectable.
This function has no associated import library. You must use the LoadLibrary and GetProcAddress functions to dynamically link to Ntdll.dll.
Requirements

DLL
Requires Ntdll.dll.




لینک زیر توضیح جالبی در مورد 4 حالت برای توابع ZW, NT در یوزر مود و کرنل مود رو بیان می کنه و فرق 4 حالت رو بررسی می کنه



User Mode application calls NtQuerySystemInformation

User Mode application calls ZwQuerySystemInformation

Kernel Mode driver calls NtQuerySystemInformation

Kernel Mode driver calls ZwQuerySystemInformation




http://www.osronline.com/custom.cfm?name=articlePrint.cfm&id=257