A little help in this Hook

Hello to Experts.

I thought I had posted this issue before too. I need to ask a question about this.
I am helpless in this situation. How do I do this?
Here is the source.
I got some idea from Anton Bassov's code from Code Project.

I have 4 functions:
(1) Hook
(2) Unhook
(3) SetProtection / ClearProtection
(4) NewZwCreateSection()

I did the hooking with the help of this function:

ClearWriteProtect();   // clear the WP bit in CR0 so the service table page can be written
InterlockedExchange((LONG *)ORG_SYSCALL_PTR(ZwCreateSection), (LONG)RealZwCreateSection);
SetWriteProtect();     // restore the WP bit in CR0

It works.
I changed the code of that article to this:

switch (ioControlCode)
{
case IOCTL_INSTALL_HOOK:
    if (!bHooked)
    {
        hook();
        bHooked = TRUE;
    }
    break;

case IOCTL_UNINSTALL_HOOK:
    if (bHooked)
    {
        unhook();
        bHooked = FALSE;
    }
    break;

case 1000: // map the client's shared buffer into kernel space
    // 'a' comes straight from the user-mode buffer and is untrusted; the input
    // length must be checked against Parameters.DeviceIoControl.InputBufferLength
    // before reading buff[4..7], otherwise a short request reads past the buffer.
    buff = (UCHAR *)Irp->AssociatedIrp.SystemBuffer;
    memmove(&a, &buff[4], 4);
    if (output)                       // release any earlier mapping instead of leaking it
    {
        MmUnmapIoSpace(output, 256);
        output = NULL;
    }
    output = (char *)MmMapIoSpace(MmGetPhysicalAddress((void *)a), 256, MmNonCached);
    break;
}

// this code works on 2k3 also.

I have not provided the Unload routine, so that the driver remains loaded. But I think I have to provide some way to call “MmUnmapIoSpace(output,256);” if my client application closes unexpectedly. I did that at “IRP_MJ_CLOSE”, as this is bound to come if my application closes. But this raises the “PAGE_FAULT_IN_NONPAGED_AREA” exception. I debugged and found that it is crashing at this source…

while (1)
{
    KeDelayExecutionThread(KernelMode, 0, &li);
    // Crashes here once IRP_MJ_CLOSE has unmapped 'output' while this loop is still running.
    // Minimal guard: the unmap path must set output = NULL before this check; the proper fix
    // is to signal this thread and wait for it to exit before unmapping the buffer.
    if (output == NULL) break;
    memmove(&a, &output[0], 4); // problem is here
    if (!a) break;
}

I have diagnosed it. It is because I have unmapped the address and am still using it.

I tried to use ProbeForRead() but with no success.

Could someone tell me how I could remove it?

Regards

> i got some idea from anton bassov code form code project.

What you did not get any idea about is that this is just a demo proof-of-concept code with a couple of bugs in it, as well as with some not-so-reasonable techniques (for example, polling a shared buffer). It does not take into account a situation that the controller app may, indeed, exit without even informing a driver about it. If you want to use it as something more than a toy, you have to rewrite it completely…

In general, if you want to get some assistance in hooking, you should ask your questions in some other NG - just search the archives, and you will realize what kind of treatment you are going to get here if you ask how to hook (I would say ‘idiot’ is, apparently, the most soft term that you are going to hear)…

Anton Bassov

And perhaps ‘quesy’ is how some folks start to feel when they see how their ‘demo’ code gets hashed into some crapfest that then gets deployed in some product that is doing nobody knows what (but we sure hope that it isn’t terribly important.)

On Tue, Apr 29, 2008 at 10:06 AM, wrote:

> > i got some idea from anton bassov code form code project.
>
> What you did not get any idea about is that this is just a demo
> proof-of-concept code with a couple of bugs in it, as well as with some
> not-so-reasonable techniques( for example, polling a shared buffer). It i
> does not take into account a situation that the controller app may, indeed,
> exit without even informing a driver about it. If you want to use it as
> something more than a toy, you have to rewrite it completely…
>
> In general, if you want to get some assistance in hooking, you should ask
> your questions in some other NG - just search the archives, and you will
> realize what kind of treatment you are going to get here if you ask how to
> hook (I would say ‘idiot’ is, apparently, the most soft term that you are
> going to hear)…
>
> Anton Bassov
>
> —
> NTDEV is sponsored by OSR
>
> For our schedule of WDF, WDM, debugging and other seminars visit:
> http://www.osr.com/seminars
>
> To unsubscribe, visit the List Server section of OSR Online at
> http://www.osronline.com/page.cfm?name=ListServer
>


Mark Roddy

Such as your IP filter hook example which is never to be “deployed on a system that contains anything of value”? Come on MVP, get real: whatever source we release is perpetuated forever and is sure to become tarnished over time. Respect goes to those who dare, which includes you.

/Daniel

“Mark Roddy” wrote in message news:xxxxx@ntdev…
And perhaps ‘quesy’ is how some folks start to feel when they see how their ‘demo’ code gets hashed into some crapfest that then gets deployed in some product that is doing nobody knows what (but we sure hope that it isn’t terribly important.)

On Tue, Apr 29, 2008 at 10:06 AM, wrote:

> i got some idea from anton bassov code form code project.

What you did not get any idea about is that this is just a demo proof-of-concept code with a couple of bugs in it, as well as with some not-so-reasonable techniques( for example, polling a shared buffer). It i does not take into account a situation that the controller app may, indeed, exit without even informing a driver about it. If you want to use it as something more than a toy, you have to rewrite it completely…

In general, if you want to get some assistance in hooking, you should ask your questions in some other NG - just search the archives, and you will realize what kind of treatment you are going to get here if you ask how to hook (I would say ‘idiot’ is, apparently, the most soft term that you are going to hear)…

Anton Bassov


NTDEV is sponsored by OSR

For our schedule of WDF, WDM, debugging and other seminars visit:
http://www.osr.com/seminars

To unsubscribe, visit the List Server section of OSR Online at http://www.osronline.com/page.cfm?name=ListServer


Mark Roddy

Not respect, but maybe gratitude. It depends upon how good the sample is. Mark Russinovich stopped posting source for their file system filter, Filemon, a long time ago, since so many were taking it and trying to create a commercial product in violation of the license. It was not a good sample for creating commercial active legacy file system filters, as it had some techniques that were unstable in a production environment.
wrote in message news:xxxxx@ntdev…
Such as your IP filter hook example which is never to be “deployed on a system that contains anything of value”? Come on MVP, get real: whatever source we release is perpetuated forever and is sure to become tarnished over time. Respect goes to those who dare, which includes you.

/Daniel


> And perhaps ‘quesy’ is how some folks start to feel when they see how their ‘demo’ code gets hashed into some crapfest that then gets deployed in some product that is doing nobody knows what

…but everybody knows what it does NOT, i.e. additional security checks that any product based upon this or that “non-trivial” demo has to do - instead, it gets copy-pasted AS IT IS, because the idiot who reuses your sample just cannot see any difference between a proof-of-concept demo and production-grade code. At this point you may, indeed, start feeling a bit uneasy, especially when he starts saying in public that his “crapware” is based upon your sample…

Anton Bassov

The sample uses documented interfaces. Too bad you chose something that only appears to have any bearing on kernel API hooking. The IpHook sample should go away as the functionality disappeared post W2K and was not really very useful anyway.

On Tue, Apr 29, 2008 at 2:56 PM, wrote:

> Such as your IP filter hook example which is never to be “deployed on a
> system that contains anything of value” ? Come on MVP get real, whatever
> source we release is perpetuated forever and sure subject to become
> tarnished over time. Respect goes for those who dare which includes you.
>
> /Daniel


Mark Roddy

Well no, as I just noted, the interface is (or rather was) a defined documented interface, so when it turns out to be useless for almost all purposes (which is its major malfunction), I just agree and blame a large software company in Redmond :)

On Tue, Apr 29, 2008 at 3:59 PM, wrote:

> > And perhaps ‘quesy’ is how some folks start to feel when they see how their ‘demo’ code gets hashed into some crapfest that then gets deployed in some product that is doing nobody knows what
>
> …but everybody knows what it does NOT, i.e. additional security checks that any product based upon this or that “non-trivial” demo has to do - instead, it gets copy-pasted AS IT IS, because the idiot who reuses your sample just cannot see any difference between a proof-of-concept demo and production-grade code. At this point you may, indeed, start feeling a bit uneasy, especially when he starts saying in public that his “crapware” is based upon your sample…
>
> Anton Bassov
>


Mark Roddy

Hello

A humble thanks to all of you for being so generous in pointing out my mistakes, especially to Mr Anton Bassov. I will try to improve upon my concepts so that I can come up with production quality code.

With respect and regards

> I will try to improve upon my concepts so that I can come up with production quality code.

Please note that, starting from Vista, you can block process creation right from a callback, so that there is just no need to go for hooking. Taking into consideration that it is going to take quite a while before you are able to release your product, so that XP may become obsolete by then, it probably makes sense to abandon the hooking approach completely and to do it “properly” from a callback. What do you think???

Anton Bassov

Hello Anton,

Yes Anton, from your earlier post I came to know that in Vista hooking is not possible, and if somehow one makes it possible, then one is also going to deteriorate the performance of the system and would make it unstable.

I am looking at the PsSetCreateProcessNotifyRoutine() API. Perhaps this is supported in Vista including 64 bit. This lets you provide a callback notification routine. But I still have to figure out how to make it work with a user-mode application.

Secondly, I am also thinking of having a mini-filter, but I do not know much about it.

Regards

> … came to know that in Vista hooking is not possible

This is not a question of it being impossible - it is simply not needed in the context you are planning to use it in…

> I am looking at PsSetCreateProcessNotifyRoutine()

What you should look at is PsSetCreateProcessNotifyRoutineEx() - the callback gets a pointer to a PS_CREATE_NOTIFY_INFO structure. If you don’t want the process to be created, you can just set the CreationStatus field to some error value…

Anton Bassov
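The callback approach Anton describes, as an added example that is not from the thread or from Anton's code: a driver registers with PsSetCreateProcessNotifyRoutineEx(), inspects PS_CREATE_NOTIFY_INFO, and denies creation by setting CreationStatus. The deny policy (any image whose NT path contains "\temp\") is a constructed placeholder, and BUILD_AS_DRIVER is an assumed build macro so the decision logic can also be compiled and tested in user mode.

```c
/* Added example (not from the thread): block process creation from the
 * PsSetCreateProcessNotifyRoutineEx callback instead of hooking ZwCreateSection.
 * Policy below ("\temp\" anywhere in the image path) is a constructed placeholder;
 * BUILD_AS_DRIVER is an assumed macro that selects the kernel-only part. */
#include <stddef.h>
typedef unsigned short wc16;   /* one UTF-16 code unit, as in UNICODE_STRING.Buffer */

static wc16 fold(wc16 c) { return (c >= 'A' && c <= 'Z') ? (wc16)(c + 32) : c; }

/* Returns 1 if the image path (lengthBytes bytes, not NUL-terminated) is denied. */
int ShouldDenyImage(const wc16 *path, size_t lengthBytes)
{
    static const char needle[] = "\\temp\\";        /* constructed deny rule */
    size_t n = lengthBytes / sizeof(wc16), m = sizeof(needle) - 1, i, j;
    if (path == NULL || n < m) return 0;
    for (i = 0; i + m <= n; i++) {
        for (j = 0; j < m && fold(path[i + j]) == (wc16)needle[j]; j++) ;
        if (j == m) return 1;                         /* case-insensitive substring hit */
    }
    return 0;
}

#ifdef BUILD_AS_DRIVER
#include <ntddk.h>
/* The driver must be linked with /INTEGRITYCHECK or the Ex registration fails. */
static void CreateProcessNotifyEx(PEPROCESS Process, HANDLE ProcessId, PPS_CREATE_NOTIFY_INFO CreateInfo)
{
    UNREFERENCED_PARAMETER(Process);
    UNREFERENCED_PARAMETER(ProcessId);
    if (CreateInfo == NULL) return;                   /* NULL means the process is exiting */
    if (!CreateInfo->FileOpenNameAvailable || CreateInfo->ImageFileName == NULL) return;
    if (ShouldDenyImage(CreateInfo->ImageFileName->Buffer, CreateInfo->ImageFileName->Length))
        CreateInfo->CreationStatus = STATUS_ACCESS_DENIED;  /* this is what blocks creation */
}

static void DriverUnload(PDRIVER_OBJECT DriverObject)
{
    UNREFERENCED_PARAMETER(DriverObject);
    PsSetCreateProcessNotifyRoutineEx(CreateProcessNotifyEx, TRUE);   /* Remove = TRUE */
}

NTSTATUS DriverEntry(PDRIVER_OBJECT DriverObject, PUNICODE_STRING RegistryPath)
{
    UNREFERENCED_PARAMETER(RegistryPath);
    DriverObject->DriverUnload = DriverUnload;
    return PsSetCreateProcessNotifyRoutineEx(CreateProcessNotifyEx, FALSE);
}
#endif
```

The callback is invoked for every process creation on the system and must return quickly, so a real policy should do nothing heavier than this kind of lookup there.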

Hello Anton,
Thanks for that tip, and the function as well. I will try to do it.

One question: I am looking into the source of the mini-filter too, which is provided in the samples. That makes use of “I/O completion”. Could this be done by that too? I mean by the I/O completion port.

Regards

Well, if it was possible to do it in FS filter or minifilter, no one would ever consider hooking - not even on the earlier OS versions. PsSetCreateProcessNotifyRoutineEx() is your best bet here - AFAIK, this extension got introduced specifically for the purpose of blocking process creation. Therefore, don’t try to use a hammer for screws…

Anton Bassov

Thanks Anton.

For two reasons: first for the help, and second because of the promptness that you show in answering.

Great to know you!

Regards