0

I would like to use the ObReferenceObjectByHandle routine in my assembly code in win32 format with the syntax of Intel, but when I run the executable it gives me an error. I'm using GoLink to connect the ntoskrnl.exe (DLL) to my object.

I would like to use the ObReferenceObjectByHandle routine in my assembly code in win32 format with the syntax of Intel, but when I run the executable it gives me an error. I am using GoLink to connect the ntoskrnl.exe (DLL) to my object.

Even not calling the routine the error continues to occur, I do not know what it can be:

section .text
        PontoEntrada:   CALL GetCurrentProcessId
                        MOV [HWND], EAX

                        PUSH EAX
                        PUSH 0X0000
                        PUSH PROCESS_QUERY_INFORMATION
                        CALL OpenProcess

                        PUSH NULL
                        XOR EBX, EBX
                        PUSH EBX
                        PUSH 0X0001
                        PUSH PsProcessType
                        PUSH NULL
                        PUSH EAX
                        CALL ObReferenceObjectByHandle

                        CALL CloseHandle

                        PUSH NULL
                        CALL ExitProcess

My operating system is Windows 7, with AMD E-300 APU processor.

Andreas Rejbrand
  • 105,602
  • 8
  • 282
  • 384
William Marques
  • 15
  • 1
  • You are aware that this function is only available to kernel mode drivers? – 500 - Internal Server Error Sep 19 '18 at 23:18
  • Did not know, how to explain myself? – William Marques Sep 20 '18 at 04:03
  • 1
    Do you understand the difference between [kernel mode and user mode](https://stackoverflow.com/a/1311432/2189500)? To call that function, your code must be loaded into the kernel and executed there. In Windows, that means your code must be a device driver (or you must work in the Operating Systems group at Microsoft). Writing device drivers is HARD, and usually unnecessary. Why do you think you need to call ObReferenceObjectByHandle? – David Wohlferd Sep 20 '18 at 04:44
  • I would like to study the structure of a process, such as your PCB for example. – William Marques Sep 20 '18 at 12:32

0 Answers0