Prev: How to dump system service dispatch table?
Next: Find interactive user name / token (again) problems
From: Nicolás Genen on 23 Apr 2008 01:09

I have tried to do it by "simple" ways, but when I need to link my driver with ntdll.lib it doesn't load anymore. I need to find a simple or complex way to do it.

Thanks in advance!

Nicolás
From: doskey on 23 Apr 2008 03:05

On Apr 23, 1:09 pm, "Nicolás Genen" <nge....(a)gmail.com> wrote:
> I have tried to do it by "simple" ways, but when I need to link my driver with
> ntdll.lib it doesn't load anymore. I need to find a simple or complex way to do
> it.
>
> Thanks in advance!
>
> Nicolás

What are your "simple" ways?

My way is SSDT hooking. But this way cannot run on x64 systems such as WinXP 64 and Vista 64.

1. Get the ID of these functions from the export functions of ntdll.dll. These IDs are the index into the SSDT service function array.
2. Import KeServiceDescriptorTable in your driver.
3. Get the service functions from the SSDT by ID.
4. Save the address of the service function.
5. Copy the address of your hook routine into the SSDT by ID.

Then you must call the original service function in your hook routine, or return a failure to user mode.

Enjoy. ;^)
From: Don Burn on 23 Apr 2008 08:38

Of course, be aware of the following:

1. Using hooking will label your software MALWARE.
2. As stated below, it will not work on x64 systems, and hopefully in the future on x86 systems.
3. The approach below means your driver can never be unloaded, since it is likely to crash the world.
4. If someone else is doing hooking, the approach below can mean your driver might see ZwReadVirtualMemory before the other driver, which might get all the ZwWriteVirtualMemory calls first.

Finally, what are you trying to do that requires this? If you are trying to control the calls at the level of "process A cannot access process B", there are legitimate, though harder to code, ways to do this.

--
Don Burn (MVP, Windows DDK)
Windows 2k/XP/2k3 Filesystem and Driver Consulting
Website: http://www.windrvr.com
Blog: http://msmvps.com/blogs/WinDrvr
Remove StopSpam to reply

"doskey" <doskey.lee(a)gmail.com> wrote in message news:a6f49ed4-2261-45a9-aafd-0f6278d8cb22(a)a22g2000hsc.googlegroups.com...
From: Nicolás Genen on 23 Apr 2008 10:07

To Don Burn:

That is exactly what I'm trying to do ^^

To Doskey:

I'm using the following macros:

    #define HOOK_INDEX(function2hook) *(PULONG)((PUCHAR)function2hook+1)

    #define HOOK(functionName, newPointer2Function, oldPointer2Function) \
        oldPointer2Function = (PVOID) InterlockedExchange( (PLONG) &NewSystemCallTable[HOOK_INDEX(functionName)], (LONG) newPointer2Function)

    #define UNHOOK(functionName, oldPointer2Function) \
        InterlockedExchange( (PLONG) &NewSystemCallTable[HOOK_INDEX(functionName)], (LONG) oldPointer2Function)

Thanks 4 everything!

"Don Burn" <burn(a)stopspam.windrvr.com> wrote in message news:u0mpr7TpIHA.2188(a)TK2MSFTNGP04.phx.gbl...
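An added example in Python (not code from the thread) showing what the HOOK_INDEX macro above really reads, why it misfires on the x64 stub layout doskey mentions, and the check a defender uses to spot a table slot that step 5 of the procedure has overwritten. The stub bytes, syscall numbers, kernel image range and table contents are all constructed for illustration, not taken from any real system.

```python
import struct

# Constructed byte strings (not from the thread) modelling ntdll Zw* stubs.
# 32-bit XP-era layout: mov eax, imm32 ; mov edx, 7FFE0300h ; call [edx] ; ret 14h
X86_STUB = bytes.fromhex("B8BA000000" "BA0003FE7F" "FF12" "C21400")
# 64-bit layout: mov r10, rcx ; mov eax, imm32 ; syscall ; ret
X64_STUB = bytes.fromhex("4C8BD1" "B83A000000" "0F05" "C3")
# A stub whose first instruction was replaced by a 5-byte jmp (detour/hotpatch)
PATCHED_STUB = bytes.fromhex("E9" "10200000" "0003FE7F" "FF12" "C21400")

def naive_hook_index(stub: bytes) -> int:
    """Exactly what the thread's HOOK_INDEX macro does: read the ULONG at
    offset 1 and trust that byte 0 is the 'mov eax, imm32' opcode."""
    return struct.unpack_from("<I", stub, 1)[0]

def syscall_index(stub: bytes):
    """Return the syscall number only when the stub really carries
    'mov eax, imm32' (0xB8), optionally after the x64 'mov r10, rcx' prefix;
    return None for anything else (x64 mismatch, patched stub, junk)."""
    off = 3 if stub[:3] == b"\x4c\x8b\xd1" else 0
    if len(stub) < off + 5 or stub[off] != 0xB8:
        return None
    return struct.unpack_from("<I", stub, off + 1)[0]

def find_hooked_entries(ssdt, kernel_base: int, kernel_size: int):
    """Defender-side check: SSDT slots pointing outside the kernel image are
    the footprint left by step 5 of the procedure above (a driver's own
    routine copied into the table). Returns the suspicious slot indices."""
    end = kernel_base + kernel_size
    return [i for i, target in enumerate(ssdt)
            if not (kernel_base <= target < end)]

# Constructed table and image range, not real addresses from any system.
KERNEL_BASE, KERNEL_SIZE = 0x804D7000, 0x001F0000
SAMPLE_SSDT = [0x805B3C60, 0x805B1D30, 0xF8A3C120, 0x8060A9B0]

if __name__ == "__main__":
    print(hex(naive_hook_index(X86_STUB)), syscall_index(X86_STUB))
    print(hex(naive_hook_index(X64_STUB)), syscall_index(X64_STUB))
    print(hex(naive_hook_index(PATCHED_STUB)), syscall_index(PATCHED_STUB))
    print(find_hooked_entries(SAMPLE_SSDT, KERNEL_BASE, KERNEL_SIZE))
```

On the x64 stub the macro's blind read returns the bytes of two unrelated instructions rather than a table index, which is one concrete reason the approach cannot be carried over to x64 as written.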
From: Don Burn on 23 Apr 2008 10:13

Then do not hook; write a file system filter instead.

--
Don Burn (MVP, Windows DDK)
Windows 2k/XP/2k3 Filesystem and Driver Consulting
Website: http://www.windrvr.com
Blog: http://msmvps.com/blogs/WinDrvr
Remove StopSpam to reply

"Nicolás Genen" <ngenen(a)gmail.com> wrote in message news:%23VyNutUpIHA.2188(a)TK2MSFTNGP04.phx.gbl...