Hi All,

I'm somewhat hesitant to post in here because most people only respond with questions that are already answered in the posting. Or they tell me "well, give us more info." So here's all the info that's needed. SOMEBODY has to know this....

I'm trying to hook (globally - system-wide) all the file access functions in kernel32.dll. No, I'm not creating spyware - this is for a client in Italy who needs specific file logging; the .DLL I created relies on the host app passing a list of file specs to filter. Any-who ... I have a driver I'm using to set the hook.

Problem: ALL, yes ALL, of the documentation currently on the web on how to do this is outdated and stopped working with XP. Every one of 16,248 articles on the web says "CR3 holds the base address of the page directory table." No, it doesn't. Not in any way a driver can use it.

I've tried MmMapIoSpace to map the physical address (CR3 & FFFFF000) to a virtual address. This points to a table, but every other dword is 0 or close to 0 - it's NOT a page directory table; these do not have 64-bit entries. Not on a Pentium 4 with 32-bit addressing. I use the widely documented claims of "C30000000" hesitantly because they're unreliable. I read the registry key giving C3000 as a directory base. I pass this to the driver from the user app ... but then it's hit-or-miss: that page certainly seems to be the page directory table, but a) I don't know how far I can rely on that address in the future, and b) half the time THAT is paged out. When that happens is completely random. I load CR3, disable caching, and reload CR3. Half the time that triggers a page directory table load, half the time not.

If I call MmProbeAndLockPages when the directory is already loaded, it double faults claiming "you have to probe before you read this memory." Typical stuff to come out of a team environment. That call double faults the system if the page is already loaded. There is no present bit in CR3, so I can't tell if the directory is loaded. CR3 holds a base of 07100xxx, which does nothing for me. I used MmMapIoSpace to convert that physical address to virtual. That gives me the pointer to the every-other-dword-is-zero (or close) table. I have loaded the GDT and looped through its descriptors, looking for any entry where 07100xxx can map into its range. Nothing exists.

I'm out of options. Completely, totally out of options. Everything has failed. I am missing something, because Windows is making this work and I'm not. I'm doing something very wrong or missing something I need to be doing.

Can ANYBODY help?????
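An added example, not part of the original post and not the poster's driver code: a small C program that decodes x86 page-directory entries in both the legacy 32-bit format and the 64-bit PAE format, and shows the CR3 mask each format uses. The "every other dword is 0 or close to 0" pattern described above is what a PAE page directory looks like when it is read as 32-bit entries: each 64-bit entry's upper dword carries only the physical-address bits above bit 31 and the XD bit, so it is zero or nearly zero. Under PAE, CR3 & FFFFF000 is also not the page-directory base; CR3 bits 31:5 hold the address of a 32-byte page-directory-pointer table, whose four entries in turn point at the page directories. The CR3 value and every table entry in the code are constructed for illustration, not dumped from a real machine, and the "PAE-shaped" count is a heuristic written for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Decoded view of one page-directory entry, whichever on-memory width it had. */
typedef struct {
    int present;      /* bit 0  (P) */
    int writable;     /* bit 1  (R/W) */
    int user;         /* bit 2  (U/S) */
    int large_page;   /* bit 7  (PS): maps a 4 MB (legacy) or 2 MB (PAE) page */
    int no_execute;   /* bit 63 (XD), PAE format only */
    uint64_t phys;    /* physical address of the next-level table or large page */
} pde_info;

/* Legacy 32-bit paging: CR3 bits 31:12 hold the page-directory base;
   bits 3 and 4 (PWT, PCD) are cache-control flags, not address bits. */
uint32_t cr3_pd_base_legacy(uint32_t cr3) { return cr3 & 0xFFFFF000u; }

/* PAE paging: CR3 bits 31:5 hold the base of a 32-byte page-directory-
   pointer table (four 64-bit entries), not of a 4 KB page directory. */
uint32_t cr3_pdpt_base_pae(uint32_t cr3) { return cr3 & 0xFFFFFFE0u; }

pde_info decode_legacy_pde(uint32_t e) {
    pde_info i;
    memset(&i, 0, sizeof i);
    i.present    = (int)((e >> 0) & 1u);
    i.writable   = (int)((e >> 1) & 1u);
    i.user       = (int)((e >> 2) & 1u);
    i.large_page = (int)((e >> 7) & 1u);
    /* A 4 MB page uses bits 31:22 for its frame; a page table uses bits 31:12. */
    i.phys = i.large_page ? (e & 0xFFC00000u) : (e & 0xFFFFF000u);
    return i;
}

pde_info decode_pae_pde(uint64_t e) {
    pde_info i;
    memset(&i, 0, sizeof i);
    i.present    = (int)((e >> 0) & 1u);
    i.writable   = (int)((e >> 1) & 1u);
    i.user       = (int)((e >> 2) & 1u);
    i.large_page = (int)((e >> 7) & 1u);
    i.no_execute = (int)((e >> 63) & 1u);
    /* PAE carries up to 52 address bits: 2 MB pages use bits 51:21, tables bits 51:12. */
    i.phys = i.large_page ? (e & 0x000FFFFFFFE00000ull) : (e & 0x000FFFFFFFFFF000ull);
    return i;
}

/* Little-endian byte access, so the buffers below look like an x86 table in
   memory no matter which host runs this program. */
static uint32_t rd32le(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void wr32le(uint8_t *p, uint32_t v) { for (int k = 0; k < 4; k++) p[k] = (uint8_t)(v >> (8 * k)); }
static void wr64le(uint8_t *p, uint64_t v) { for (int k = 0; k < 8; k++) p[k] = (uint8_t)(v >> (8 * k)); }

/* Heuristic for the "every other dword is 0 or close to 0" symptom: read the
   buffer as 64-bit entries and count those whose upper dword holds nothing but
   physical-address bits 35:32 and the XD bit, which is the shape of a PAE entry
   on a machine with 36 physical address bits.  A legacy table read the same
   way has full 32-bit entries in those positions, so they are not counted. */
size_t count_pae_shaped_entries(const uint8_t *buf, size_t len) {
    size_t n = 0;
    for (size_t off = 0; off + 8 <= len; off += 8)
        if ((rd32le(buf + off + 4) & 0x7FFFFFF0u) == 0) n++;
    return n;
}

/* Constructed sample: four PAE page-directory entries (32 bytes). */
size_t build_sample_pae_table(uint8_t *out, size_t cap) {
    static const uint64_t entries[4] = {
        0x0000000001A00063ull,  /* P|RW|A|D, page table at 0x01A00000 */
        0x8000000001A01063ull,  /* same flags plus XD (bit 63) */
        0x0000000000000000ull,  /* not present */
        0x0000000100403083ull,  /* P|RW|PS: 2 MB page at physical 0x1_00400000 (bit 32 set) */
    };
    if (cap < sizeof entries) return 0;
    for (size_t k = 0; k < 4; k++) wr64le(out + 8 * k, entries[k]);
    return sizeof entries;
}

/* Constructed sample: eight legacy 32-bit entries in a buffer of the same size. */
size_t build_sample_legacy_table(uint8_t *out, size_t cap) {
    if (cap < 32) return 0;
    for (uint32_t k = 0; k < 8; k++)
        wr32le(out + 4 * k, 0x0039E063u + (k << 12));   /* consecutive page tables, P|RW|A|D */
    return 32;
}

int main(void) {
    uint8_t buf[32];
    uint32_t cr3 = 0x071000E0u;   /* constructed value; low bits are flag bits, not address */
    printf("legacy PD base %08X, PAE PDPT base %08X\n", cr3_pd_base_legacy(cr3), cr3_pdpt_base_pae(cr3));
    size_t n = build_sample_pae_table(buf, sizeof buf);
    printf("PAE-shaped entries in PAE sample:    %zu of %zu\n", count_pae_shaped_entries(buf, n), n / 8);
    n = build_sample_legacy_table(buf, sizeof buf);
    printf("PAE-shaped entries in legacy sample: %zu of %zu\n", count_pae_shaped_entries(buf, n), n / 8);
    pde_info p = decode_pae_pde(0x0000000100403083ull);
    printf("PAE large page: present=%d XD=%d phys=%llx\n", p.present, p.no_execute, (unsigned long long)p.phys);
    return 0;
}
```

The point of the two decoders side by side is that the same 4 KB of memory has a completely different meaning depending on which paging mode the processor is in, and CR3 itself does not say which; that comes from CR4.PAE. A driver that assumes the legacy layout on a system running with PAE will see exactly the half-zero table described in the post.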