From: Nicolás Genen on
I have tried to do it by "simple" ways, but when I link my driver with
ntdll.lib it doesn't load anymore. I need to find a simple or complex way to do
it.

Thanks in advance!

Nicolás


From: doskey on
On April 23, 1:09 pm, "Nicolás Genen" <nge....(a)gmail.com> wrote:
> I have tried to do it by "simple" ways, but when I link my driver with
> ntdll.lib it doesn't load anymore. I need to find a simple or complex way to do
> it.
>
> Thanks in advance!
>
> Nicolás

What are your "simple" ways?
My way is SSDT hooking. But this way cannot run on x64 systems such as
WinXP 64 and Vista 64.

1. Get the IDs of these functions from the exported functions of ntdll.dll.
These IDs are the indexes into the SSDT service function array.
2. Import KeServiceDescriptorTable in your driver.
3. Get the service functions from the SSDT by ID.
4. Save the address of the service function.
5. Copy the address of your hook routine into the SSDT by ID.
Then you must call the original service function in your hook routine, or
return a failure to user mode.
Enjoy. ;^)

From: Don Burn on
Of course, be aware of the following:

1. Using hooking will label your software MALWARE.
2. As stated above, it will not work on x64 systems, and hopefully in the
future not on x86 systems either.
3. The approach above means your driver can never be unloaded, since it is
likely to crash the world.
4. If someone else is doing hooking, the approach above can mean your
driver might see ZwReadVirtualMemory before the other driver, which might get
all the ZwWriteVirtualMemory calls first.

Finally, what are you trying to do that requires this? If you are trying to
control the calls at the level of "process A cannot access process B", there
are legitimate, though harder to code, ways to do this.


--
Don Burn (MVP, Windows DDK)
Windows 2k/XP/2k3 Filesystem and Driver Consulting
Website: http://www.windrvr.com
Blog: http://msmvps.com/blogs/WinDrvr
Remove StopSpam to reply
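
The following is an added example written for this page; it is not code from doskey's, Don Burn's or Nicolás's posts. It models doskey's five SSDT-hooking steps and Don Burn's points 3 and 4 in user-mode C so the mechanics can be compiled and run anywhere: the service table, the Zw* stubs (assumed to carry the x86 ntoskrnl `B8 imm32` = `mov eax, index` prologue), the two "drivers" A and B, the handle value PROTECTED_PROCESS and the names HookWrite_A, HookWrite_B, DemoHookOrder and DemoStaleUnhook are all constructed for the example. A real driver would import KeServiceDescriptorTable, make the (read-only) table page writable and run in kernel mode; none of that is modelled.

```c
/* Added example: user-mode model of x86 SSDT hooking. Not kernel code; the
 * table, stubs and "drivers" below are constructed in-process. */
#include <stdatomic.h>
#include <stddef.h>
#include <stdint.h>

typedef long NTSTATUS;
#define STATUS_SUCCESS       ((NTSTATUS)0x00000000L)
#define STATUS_ACCESS_DENIED ((NTSTATUS)0xC0000022L)

/* Shape shared by the two services modelled (Nt{Read,Write}VirtualMemory). */
typedef NTSTATUS (*SERVICE_FN)(uintptr_t ProcessHandle, void *Buffer,
                               size_t Length, size_t *Transferred);

/* Constructed stand-in for KeServiceDescriptorTable->ServiceTableBase. */
#define NUM_SERVICES 4
static _Atomic(uintptr_t) ServiceTable[NUM_SERVICES];

/* Step 1: an x86 ntoskrnl Zw* stub starts with B8 imm32 (mov eax, index),
 * so the service ID is the little-endian DWORD at offset 1. Constructed stubs: */
#define ZW_STUB(i) { 0xB8, (uint8_t)(i), (uint8_t)((i) >> 8), \
                     (uint8_t)((i) >> 16), (uint8_t)((i) >> 24) }
static const uint8_t ZwReadVirtualMemory_stub[]  = ZW_STUB(2);
static const uint8_t ZwWriteVirtualMemory_stub[] = ZW_STUB(3);

static uint32_t HookIndex(const uint8_t *stub) {
    return (uint32_t)stub[1] | (uint32_t)stub[2] << 8 |
           (uint32_t)stub[3] << 16 | (uint32_t)stub[4] << 24;
}

/* Steps 3-5: save the current slot and swap our routine in atomically
 * (in a driver this is InterlockedExchange on the table entry). */
static SERVICE_FN Hook(const uint8_t *stub, SERVICE_FN new_fn) {
    return (SERVICE_FN)atomic_exchange(&ServiceTable[HookIndex(stub)], (uintptr_t)new_fn);
}
static void Unhook(const uint8_t *stub, SERVICE_FN saved) {
    atomic_exchange(&ServiceTable[HookIndex(stub)], (uintptr_t)saved);
}

/* The "real" services and a dispatcher standing in for KiSystemService. */
static NTSTATUS NtReadVirtualMemory_real(uintptr_t h, void *b, size_t n, size_t *done) {
    (void)h; (void)b; *done = n; return STATUS_SUCCESS;
}
static NTSTATUS NtWriteVirtualMemory_real(uintptr_t h, void *b, size_t n, size_t *done) {
    (void)h; (void)b; *done = n; return STATUS_SUCCESS;
}
static NTSTATUS SystemCall(uint32_t idx, uintptr_t h, void *b, size_t n, size_t *done) {
    return ((SERVICE_FN)atomic_load(&ServiceTable[idx]))(h, b, n, done);
}

/* Driver A: deny writes into one protected process, otherwise call the
 * original ("call the original service function or return a failure"). */
#define PROTECTED_PROCESS ((uintptr_t)0x1234)   /* constructed handle value */
static SERVICE_FN OrigWrite_A;
static NTSTATUS HookWrite_A(uintptr_t h, void *b, size_t n, size_t *done) {
    if (h == PROTECTED_PROCESS) { *done = 0; return STATUS_ACCESS_DENIED; }
    return OrigWrite_A(h, b, n, done);
}

/* Driver B: a second hooker on the same service that only counts calls. */
static SERVICE_FN OrigWrite_B;
static int Calls_seen_by_B;
static NTSTATUS HookWrite_B(uintptr_t h, void *b, size_t n, size_t *done) {
    Calls_seen_by_B++;
    return OrigWrite_B(h, b, n, done);
}

static void ResetTable(void) {
    atomic_store(&ServiceTable[HookIndex(ZwReadVirtualMemory_stub)],
                 (uintptr_t)NtReadVirtualMemory_real);
    atomic_store(&ServiceTable[HookIndex(ZwWriteVirtualMemory_stub)],
                 (uintptr_t)NtWriteVirtualMemory_real);
    Calls_seen_by_B = 0;
}
static NTSTATUS WriteTo(uintptr_t h) {
    char buf[8]; size_t done;
    return SystemCall(HookIndex(ZwWriteVirtualMemory_stub), h, buf, sizeof buf, &done);
}

/* Point 4: the last driver to hook is the first to see the call. With A then
 * B installed, B's counter advances even for the write that A denies. */
int DemoHookOrder(void) {
    ResetTable();
    OrigWrite_A = Hook(ZwWriteVirtualMemory_stub, HookWrite_A);
    OrigWrite_B = Hook(ZwWriteVirtualMemory_stub, HookWrite_B);   /* B now wraps A */
    int ok = WriteTo(0x1) == STATUS_SUCCESS &&
             WriteTo(PROTECTED_PROCESS) == STATUS_ACCESS_DENIED;
    return ok ? Calls_seen_by_B : -1;            /* 2: B saw both calls */
}

/* Point 3: unhooking out of order. A restores the real routine (silently
 * dropping B), then B "restores" what it saved, which is A's hook. If A were
 * a real driver that had unloaded, the table would now point into freed code. */
int DemoStaleUnhook(void) {
    ResetTable();
    OrigWrite_A = Hook(ZwWriteVirtualMemory_stub, HookWrite_A);
    OrigWrite_B = Hook(ZwWriteVirtualMemory_stub, HookWrite_B);
    Unhook(ZwWriteVirtualMemory_stub, OrigWrite_A);   /* A unloads first */
    int b_dropped = WriteTo(PROTECTED_PROCESS) == STATUS_SUCCESS && Calls_seen_by_B == 0;
    Unhook(ZwWriteVirtualMemory_stub, OrigWrite_B);   /* B unloads later */
    uintptr_t now = atomic_load(&ServiceTable[HookIndex(ZwWriteVirtualMemory_stub)]);
    return b_dropped && now == (uintptr_t)HookWrite_A; /* 1: stale pointer to A */
}
```

Build with any C11 compiler. DemoHookOrder returns 2: B, which hooked last, saw both writes, including the one A denied, which is the ordering problem in point 4. DemoStaleUnhook returns 1: once A writes the real routine back, B is out of the table without knowing it, and B's later unhook puts A's hook address back in the slot; with a real, already-unloaded A that is the "crash the world" case in point 3, and the reason a hooking driver cannot safely unload. On x64 the same write to the table is caught by Kernel Patch Protection, which is why doskey says the approach cannot run there.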



From: Nicolás Genen on
To Don Burn:

That is exactly what I'm trying to do ^^

To Doskey:

I'm using the following macros

/* Service index of a Zw* stub on x86: ntoskrnl's Zw functions begin with
   mov eax, <index> (B8 imm32), so the index is the DWORD at offset 1.
   32-bit only; the stub layout differs on x64. */
#define HOOK_INDEX(function2hook) (*(PULONG)((PUCHAR)(function2hook) + 1))

/* NewSystemCallTable is assumed to be a writable pointer to the SSDT's
   ServiceTableBase. Swap our routine in and keep the old entry so it can be
   called from the hook and restored on unhook. */
#define HOOK(functionName, newPointer2Function, oldPointer2Function) \
    oldPointer2Function = (PVOID)InterlockedExchange( \
        (PLONG)&NewSystemCallTable[HOOK_INDEX(functionName)], \
        (LONG)(newPointer2Function))

#define UNHOOK(functionName, oldPointer2Function) \
    InterlockedExchange( \
        (PLONG)&NewSystemCallTable[HOOK_INDEX(functionName)], \
        (LONG)(oldPointer2Function))


Thanks for everything!


From: Don Burn on
Then do not hook; write a file system filter instead.


--
Don Burn (MVP, Windows DDK)
Windows 2k/XP/2k3 Filesystem and Driver Consulting
Website: http://www.windrvr.com
Blog: http://msmvps.com/blogs/WinDrvr
Remove StopSpam to reply


