KeServiceDescriptorTable issue

Hello all.
I need to implement a fast hook for some I/O system service calls, like ZwCreateFile, ZwWriteFile, ...
I don’t have the time to write a FS Filter Driver, my app really needs to come out pretty fast.

I thought of using the KeServiceDescriptorTable hook method.

I’ve read some posts on OSR and no one really recommended this method. I believe that if I stick to some really simple things in the hooks, and only hook a few functions, the driver will work fine.

I guess the thread below answers the query about why it shouldn’t be done.
It enumerates the risks of such methods.

http://www.osronline.com/showthread.cfm?link=93915

On Sat, Jul 19, 2008 at 3:20 PM, wrote:

> Hello all.
> I need to implement a fast hook for some I/O system service calls, like
> ZwCreateFile, ZwWriteFile, . . . .
> I don’t have the time to write a FS Filter Driver, my app really needs to
> come out pretty fast.
>
> I thought of using the KeServiceDescriptorTable hook method.
>
> I’ve read some posts on OSR and no one really recommended this method. I
> believe that if I stick to some really simple things in the hooks, and only
> hook few functions, the driver will work fine.
>
> —
> NTDEV is sponsored by OSR
>
> For our schedule of WDF, WDM, debugging and other seminars visit:
> http://www.osr.com/seminars
>
> To unsubscribe, visit the List Server section of OSR Online at
> http://www.osronline.com/page.cfm?name=ListServer
>


Thanks & Regards

Pushkar Prasad | Email: xxxxx@eccellente-it.com | URL:
http://www.eccellente-it.com |

“A positive attitude may not solve all your problems, but it will annoy
enough people to make it worth the effort.” -Herm Albright
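The supported way to see the same create and write traffic the original post wants to intercept is a file system minifilter registered with Filter Manager, not a patched service table. The block below is an added example, not code from this thread or from any of its posters; it needs the Windows Driver Kit, builds only as a kernel-mode driver, and the protected path prefix, the write counter and the Example* names are assumptions chosen for illustration.

```c
/* Added example (not from the thread): minimal minifilter that watches
 * IRP_MJ_CREATE and IRP_MJ_WRITE through Filter Manager. Requires the WDK.
 * The protected directory and the write counter are assumptions. */
#include <fltKernel.h>

static PFLT_FILTER g_Filter = NULL;
static volatile LONG g_WriteCount = 0;

/* Hypothetical directory whose files this filter refuses to open for modification. */
static const WCHAR g_ProtectedPrefix[] = L"\\Device\\HarddiskVolume1\\Protected\\";

static NTSTATUS FLTAPI
ExampleUnload(FLT_FILTER_UNLOAD_FLAGS Flags)
{
    UNREFERENCED_PARAMETER(Flags);
    /* Filter Manager drains in-flight callbacks before this returns, so no
     * thread can still be executing our code when the image is unmapped. */
    FltUnregisterFilter(g_Filter);
    return STATUS_SUCCESS;
}

static FLT_PREOP_CALLBACK_STATUS FLTAPI
ExamplePreCreate(PFLT_CALLBACK_DATA Data,
                 PCFLT_RELATED_OBJECTS FltObjects,
                 PVOID *CompletionContext)
{
    PFLT_FILE_NAME_INFORMATION nameInfo = NULL;
    UNICODE_STRING prefix;
    ACCESS_MASK desired;
    NTSTATUS status;

    UNREFERENCED_PARAMETER(FltObjects);
    *CompletionContext = NULL;

    /* Read-only opens are not interesting; let them through without a post-op. */
    desired = Data->Iopb->Parameters.Create.SecurityContext->DesiredAccess;
    if ((desired & (FILE_WRITE_DATA | FILE_APPEND_DATA | DELETE)) == 0) {
        return FLT_PREOP_SUCCESS_NO_CALLBACK;
    }

    /* Normalized name is \Device\HarddiskVolumeN\path, valid in pre-create. */
    status = FltGetFileNameInformation(Data,
                 FLT_FILE_NAME_NORMALIZED | FLT_FILE_NAME_QUERY_DEFAULT,
                 &nameInfo);
    if (!NT_SUCCESS(status)) {
        return FLT_PREOP_SUCCESS_NO_CALLBACK; /* never fail I/O on our own error */
    }

    RtlInitUnicodeString(&prefix, g_ProtectedPrefix);
    if (RtlPrefixUnicodeString(&prefix, &nameInfo->Name, TRUE)) {
        FltReleaseFileNameInformation(nameInfo);
        /* Deny: complete the request here; it never reaches the file system. */
        Data->IoStatus.Status = STATUS_ACCESS_DENIED;
        Data->IoStatus.Information = 0;
        return FLT_PREOP_COMPLETE;
    }
    FltReleaseFileNameInformation(nameInfo);
    return FLT_PREOP_SUCCESS_NO_CALLBACK;
}

static FLT_PREOP_CALLBACK_STATUS FLTAPI
ExamplePreWrite(PFLT_CALLBACK_DATA Data,
                PCFLT_RELATED_OBJECTS FltObjects,
                PVOID *CompletionContext)
{
    UNREFERENCED_PARAMETER(Data);
    UNREFERENCED_PARAMETER(FltObjects);
    *CompletionContext = NULL;
    /* Paging writes arrive at APC_LEVEL; an interlocked counter is safe there. */
    InterlockedIncrement(&g_WriteCount);
    return FLT_PREOP_SUCCESS_NO_CALLBACK;
}

static const FLT_OPERATION_REGISTRATION g_Callbacks[] = {
    { IRP_MJ_CREATE, 0, ExamplePreCreate, NULL },
    { IRP_MJ_WRITE,  0, ExamplePreWrite,  NULL },
    { IRP_MJ_OPERATION_END }
};

static const FLT_REGISTRATION g_Registration = {
    sizeof(FLT_REGISTRATION),
    FLT_REGISTRATION_VERSION,
    0,                 /* flags */
    NULL,              /* no context registration */
    g_Callbacks,
    ExampleUnload,
    NULL, NULL, NULL, NULL,  /* instance setup/teardown not needed here */
    NULL, NULL, NULL         /* name generation/normalization not needed */
};

NTSTATUS
DriverEntry(PDRIVER_OBJECT DriverObject, PUNICODE_STRING RegistryPath)
{
    NTSTATUS status;
    UNREFERENCED_PARAMETER(RegistryPath);

    status = FltRegisterFilter(DriverObject, &g_Registration, &g_Filter);
    if (!NT_SUCCESS(status)) {
        return status;
    }
    status = FltStartFiltering(g_Filter);
    if (!NT_SUCCESS(status)) {
        FltUnregisterFilter(g_Filter);
    }
    return status;
}
```

The driver is installed from an INF that assigns it an altitude, loaded with `fltmc load`, and listed with `fltmc filters`. Filter Manager delivers IRP_MJ_CREATE and IRP_MJ_WRITE to the callbacks in altitude order, and on unload it waits for outstanding callbacks before FltUnregisterFilter returns. That is the guarantee a service table hook cannot give: a thread can be executing the hook at the moment the table entry is restored and the driver image is unmapped, and there is no safe point at which to unload. On x64 Windows, Kernel Patch Protection additionally treats a modified service table as kernel corruption and bugchecks the machine.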

> I don’t have the time to write a FS Filter Driver,
> I thought of using the KeServiceDescriptorTable hook method.

Well, you don’t seem to have enough time to read this NG either - otherwise, you would have tried some other NG (for example, rootkit.com), because it would be obvious to you that *in this particular NG* you will get ostracized and hear quite a few unpleasant things about yourself. What a busy man you are…

Anton Bassov

Ok so that is just about the worst request for help building malware I have
ever seen. No it won’t be fine. Good luck.



Mark Roddy

Not enough time? That is a really sad tale. At least you have faith.

mm


> Not enough time? That is a really sad tale. At least you have faith.

IIRC, not so long ago the OP said that “he has no time to read MSDN” - he said it in response to my observation that after a YEAR of asking questions in the NG he was still questioning the fact that you cannot wait at elevated IRQL…

Anton Bassov

Apparently, he has faith about that as well, and plans to just keep waiting at an elevated IRQL, because any day now, it’s going to work.

Cheers,

mm


> Apparently, he has faith about that as well,

Faith can produce miracles. IIRC, yet another poster was looking for a way to handle interrupts in the user mode, and he was doing it FOR SIX MONTHS!!! Can you imagine how much faith he had…

Anton Bassov

At least six months.

People aren’t always going to agree of course, and there is also some less than good advice that gets offered here sometimes, but, with very rare exceptions, for any given thread, the advice over the course of say a couple of days is excellent, and I just don’t understand why they keep coming back if they don’t agree, other than of course that what they are doing doesn’t work.

Cheers,

mm

Maybe they have a PHB?

Maybe they told their boss they could do it that way and they have no option
to keep working on it or they will get fired. They will get fired sooner or
later, but keeping the paychecks coming in while looking for another job is
important.


Sad, but quite true. That does indeed happen not at all uncommonly.

Cheers,

mm


> Maybe they told their boss they could do it that way and they have no option to keep working on it or they will get fired.

…another possibility is that their boss just happens to be an idiot who wants things to get done this way, so that, in order to make him accept their arguments, they post in the NGs in order to prove to him that it just cannot get done, and it takes a while before it finally gets in…

> but keeping the paychecks coming in while looking for another job

Well, posting questions like that hardly improves your chances of finding a new job, don’t you think…

Anton Bassov

You seem to believe he is far more competent than the questions and
statements would indicate. When did you become such an optimistic person?
Not your usual viewpoint. Posting under a pseudonym/alias would be one way
to avoid having posts/questions derail a job search. Most managers
would only do a superficial google query and not look for other types of
posts. I know most managers don’t even do the superficial search but the HR
departments in larger, established companies will do some but I don’t expect
most of either group to spend much time reading these technical groups
frequently. I have time because I don’t have too much of a life outside of
computers - some, but not the time consuming work involved in raising kids
or hobbies that take a lot of time.


> You seem to believe he is far more competent than the questions and statements would indicate.

I don’t mean the OP - I mean a poster who was looking for a way to handle interrupts in the UM.
I don’t see any other explanation for such persistence

The OP is a really exceptional case - he seems to be the only poster I’ve seen so far who actually takes pride in his unwillingness to learn things…

Anton Bassov

thanks