This is the second part of the WRK series. For your convenience you can find other parts in the table of contents in Part 1 — Compiling and debugging
In this part we are going to monitor the invocation of QuerySystemInformation
system function by using the debugger.
First, make sure that you can debug the kernel. Next, open file base\ntos\ex\sysinfo.c
. You can see that the function starts in line 1390. We will add a static variable to count the invocations, so go to the line 1721 and add the following:
1 |
static int NumTimesCalled = 0 |
Next, just before Status = STATUS_SUCCESS;
in line 1728 add this:
1 |
DbgPrint("WRK %d: Entering NTQuerySystemInformation\n", ++NumTimesCalled); |
Recompile the kernel, add new boot option to the boot.ini, restart the OS, attach the debugger and you should see:
1 2 |
WRK 1: Entering NTQuerySystemInformation WRK 2: Entering NTQuerySystemInformation |
This is just a sample of what you can do with the code. Next time, we are going to implement the syscall.