WIN7 RC System Service Function Change

Original Source: http://www.debugman.com/read.php? Tid = 3051
Author: MJ0011

The following covers the changes to the Windows 7 RC kernel NT * function that has been analyzed for about two hours today, all from the disassembly of the WIN7 RC kernel, includes some changes that I think have some meanings or influences, added functions and functions, etc.

The changes and additions here refer to the changes to the WRK, that is, the WIN2003 kernel. Therefore, many changes have been made in VISTA.

(1). NtCreateFile/NtOpenFile:
The following function will change to IopCreateFile, instead of from IoCreateFile> IopCreateFile
Therefore, it is no longer feasible to hook IoCreateFile to control file opening and creation as before.
IopCreateFile also has a CALLBACK mechanism ~ Very cumbersome

However, the creation of MPs queues and email slots still follows IoCreateFile.

(2). Nt * Key

Nt * Key (except Create/Open) for KeyHandle reference to CmObReferenceObjectByHandle, and perform some verification on KeyObject

This may result in the effectiveness of some search methods ~

(3). NtFreezeRegistry/NtThawRegistry
To freeze and unfreeze the registry, you can perform some cumbersome XX operations on VISTA.

(4). NtMakePermanentObject
Creating permanent objects is also supported by VISTA.

(5). NtNotifyChangeSession
Useful stuff

(6). NtQueryInformationProcess/NtSetInformationProcess:

New InformationClass:

ProcessTotalCycleTime: 38
Processdefapagpagepriority 39
ID 40 is not used
I did not know what it was after reading ID 41 for a long time...
ProcessWorkingSetWatch 42
ProcessImageFileDosDeviceName: 43
Take the full-path DOS name for the process, which is very considerate ~
ProcessIsSameFileProcess 44
Check whether the specified FileHandle is the same file as the specified process.
ProcesssAffinityUpdateModeEnable 45
ProcessVmTopDown 46
ProcessActiveGroupsMask 47
Processreceivalizationtoken 48 (SET only)

// Virtualized TOKEN ~

ProcessConsoleHostProcess 49
ProcessCopyProcessHeap 50
Very powerful ~
(7). NtQueryInformationThread

New InformationClass:

ThreadLastCall 21

ThreadThreadIoPriority 22
// The legendary IO priority ~

ThreadTotalCycleTime 23

ThreadPagePriority 24

ThreadFullTeb 26
// Obtain the entire TEB

ThreadAffinty 30

ThreadProfing 32

ThreadIdealProcessor 33

(8). NtQueryInformationToken:

New InformationClass

TokenLogonSessionFlags 18
TokenGetLogonSessionToken 19
TokenXxxTokenSid 20 (I don't know what it is)
TokenXxxTokenFlags 21 (tokenflags & 0x810, I don't know what it is)
TokenAccess 22
TokenTokenFlagsPos9 23
TokenTokenFlagsPos10 24
TokenGetTokenIntergrity 25

// ADMIN integrity ..

TokenTokenFlagsPos12 26

TokenMandatoryPolicy 27

(9). NtQuerySystemInformation/NtQuerySystemInformationEx/NtSetSystemInformation

SystemBasePriorityInformation 82 (need increasebasepriority privilege)
SystemRefTraceInformation 86
SystemSpecialPoolInformation 87
SystemProcessesWithFullImageNameInformation 88

This is so powerful...

SystemRegisterErrorPort (only set, need tcb privilege)

SystemBootEnvironmentInformation 90

Get BootIdentifier GUID (_ LOADER_PARAMETER_BLOCK-> LOADER_PARAMETER_EXTENSION-> BootIdentifier (GUID ))
From now on, you can easily locate BCD ~

SystemEnlightenmentInformation 91
SystemVerifierInformtionEx 92
SystemCovInformation 95
SystemPartitionDeviceNameInformation 98
SystemDiskDeviceNameInformation 99
SystemPerformanceDistributionInforamtion 100
SystemNumaProximityNodeInformation 101
SystemTimeZoneInformation 102
SystemCodeIntegrityInformation 103
SystemProcessorMircoCodeUpdateInformation 104 (only set)
SystemtProcessorBrandStringInformation 105
SystemSystemVaInformation 106
SystemLogicalProcessorRelationshipInformation 107
SystemStoreInformation 109
SystemRegistryAppendStringInformation 110 (only set)
SystemAitSamplingInformation 111 (only set)
SystemVhdBootInformation 112
SystemCpuQuotaInformation 113
SystemLowPriorityIoInformation 116
SystemTpmBootEntropyInformation 117 (only in kernel mode)
SystemVerifierInformation 118
SystemAdjustPagedPoolWorkingSetSizeInformation 119 (only set)
SystemAdjustSystemPtesWorkingSetSizeInformation 120 (only set)
SystemNumaNodesInformation 121
SystempAuditQueryResultsInformation 122
SystemCommitInformation 123 (total commit pages/Total Commit limt/Peak Commitment)

(10). NtQueueApcThreadEx
Powerful ~

Currently, NtQueueApcThread directly calls NtQueueApcThreadEx

Cross HIPS ~

(11). NtSystemDebugControl

Reference: http://hi.baidu.com/mj0011/blog/item/b3ee910a05811636b1351db5.html