SSDT

I put a very similar post on the other forum. I hope for an answer.

I need to implement a fast hook for some I/O system service calls, like ZwCreateFile, ZwWriteFile, ...
I don’t have the time to write a FS Filter Driver, my app really needs to come out pretty fast.

I thought of using the KeServiceDescriptorTable hook method.

I’ve read some posts on OSR and no one really recommended this method. I believe that if I stick to some really simple things in the hooks, and only hook few functions, the driver will work fine.
Is this a good approach? Is this feasible in a short time?

If you want your sw to be considered a rootkit, go ahead.
-bg


I put a very similar post on the other forum. I hope for an answer.

I need to implement a fast hook for some I/O system service calls, like ZwCreateFile, ZwWriteFile, ...

BAD! BAD!

I don’t have the time to write a FS Filter Driver, my app really needs
to come out pretty fast.

Don’t have time? That’s bad… Your entire development effort will be a waste if you need to support your driver for 64 bit.
Kernel Patch Protection is there.
Your app needs to come out fast… and then what? I am sure you want that app to survive… Right?

I thought of using the KeServiceDescriptorTable hook method.

I’ve read some posts on OSR and no one really recommended this method.
I believe that if I stick to some really simple things in the hooks,
and only hook few functions, the driver will work fine.
Is this a good approach? Is this feasible in a short time?

If your work is so small that you are confident you can get it working with a hook, I am sure you can just as well develop a minifilter.

Regards,
Ayush Gupta

Incredible!!! You have made a post on NTDEV, got pretty cold response, and now try asking the same question on NTFSD. Do you really think the answer will change???

I don’t have the time

But you seem to have enough time to post the same question multiple times, although the answer is known in advance…

Anton Bassov

anton,
you’re incredible.
The questions were posted at the same time.
If you watch the post dates, they were posted a couple of minutes apart.
The other point that I want to underline, especially for you, because I see that you have something against me.

  1. I am a student, and the school imposed using KeServiceDescriptorTable as a way of intercepting system services. I also told my teachers that this is not the way to go for implementing anything kernel mode. I wanted to know your opinion, and you all mocked me.
    This is the link with the homework:

http://cs.pub.ro/~pso/index.php?section=Teme&file=01.%20Interceptare%20apeluri%20de%20sistem

  2. I did not disagree with what you said about this topic, I totally agree; in fact I was happy that you gave such a straight opinion on this topic, because now I can show my teachers what other, more experienced driver writers think of the topic. I told them that teaching us to write a legacy file system filter or a minifilter would be much more useful. If not teaching us how to properly write one, then how to better understand one.

  3. If you have nothing better to say for my post, I asked you several times, don’t answer. I would really appreciate not seeing you as one of the repliers if you have nothing good/constructive to say.

That is all I had to say.
Thank you all for your replies.

Your OP didn’t give any impression about whether it was a school project. It looked like you were trying to build a commercial app / malware (in disguise). If you had asked a straightforward question citing the requirement of your school project you would have got the opinion without the heat.

This is a NG for the devs who religiously believe in writing the code as per the established best practice and doing the right thing… so if you found the responses offensive then let me tell you, here nobody is against anybody… but everybody is against someone who is trying to learn subverting. Nobody knew your intention; at least the intention which was understood from your OP clearly sounded like a dev who doesn’t want to adhere to standard practice because of his ignorance, or who is writing malware (a rootkit).

So, if your intentions were what you just mentioned then you shouldn’t be taking any comments / replies personally.

On Sat, Jul 26, 2008 at 3:18 PM, wrote:



Thanks & Regards

Pushkar Prasad | Email: xxxxx@eccellente-it.com | URL:
http://www.eccellente-it.com |

“A positive attitude may not solve all your problems, but it will annoy
enough people to make it worth the effort.” -Herm Albright

Ok, Pushkar, thank you very much for your reply. Now everything is OK.

Gabriel,

The other point that I want underline, especially for you, because I see that you have
something against me. 1) I am a student,

From now on I’ve got ABSOLUTELY nothing against you - as long as you do your study projects there is no problem whatsoever. I was just mistakenly thinking that you were doing it all commercially for some outsourcing company. This is why you were getting “not-so-friendly” replies from me.

To be honest, I am pretty surprised about your choice of the target OS. Why don’t you want to study something else, i.e. some OS that allows you to do whatever you want with its kernel - instead of hooking system calls, you will be able to modify the behavior of the existing calls, add new ones, add new API and features , and, in all respects, do whatever gets into your head at this particular moment…

Anton Bassov

I haven’t followed this thread at all, but in one man’s opinion, I would personally think long and hard about your idea to tell your professor ‘what other more experienced driver writers thing of the topic.’ I don’t know where you are located, but in the US, I’ve not often found that professors respond to suggestions like this all that well, though I think your approach - find out what people who actually do this stuff for a living say - makes a lot of sense.

Good luck,

mm


I would say that, in that case Martin, the professor should be guided to the various web articles dealing with the downsides of these techniques, those companies that still choose to use them e.g. Kaspersky, and the reasons why the seasoned professional engineers (unlike myself) on this list tend to instantly lambast from New York to Sydney, without mercy - those who request advice on using these techniques in commercial products.

-----Original Message-----
From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com] On Behalf Of Martin O’Brien
Sent: Monday, July 28, 2008 16:17
To: Windows File Systems Devs Interest List
Subject: Re:[ntfsd] SSDT


A bit OT: before you blast people using the hooks on XP, remember that the registry mechanism callbacks on XP are far from useful, and XP is still, if not the top, then the second most used OS.
A very very very big customer once asked me to confirm (as a consultant) whether a second company is right in that hooks should not be used. The bottom line was… he asked “Is there an alternative?” - no - “thank you, case closed.”. I won’t name the customer, but they are a large (>100K employees) company and are using products with hooks consciously.

Dejan.

Crispin Wright wrote:

I would say that, in that case Martin, the professor should be guided to the various web articles dealing with the downsides of these techniques, those companies that still choose to use them e.g. Kaspersky, and the reasons why the seasoned professional engineers (unlike myself) on this list tend to instantly lambast from New York to Sydney, without mercy - those who request advice on using these techniques in commercial products.


Kind regards, Dejan (MSN support: xxxxx@alfasp.com)
http://www.alfasp.com
File system audit, security and encryption kits.

It’s good when someone who knows the inside out and went thru the history
of hooking comes out and objectively explains the good and bad side of it.
Why the hell some people had to do it in the first place … etc.

But there are a lot who are just “Bagpipers” …

-pro


Dejan Maksimovic wrote:

A bit OT: before you blast people using the hooks on XP, remember that the registry mechanism callbacks on XP are far from useful […]

The registry callback mechanism on XP is, as I understand it, broken.
Period. Even if it could be deemed functional, its implementation is a
shadow of that on Server and Vista.

and XP is still if not the top than the second top used OS.

I think XP will be the biggest player until a Vista replacement is accepted. Sorry Microsoft, but it’s been a year and a half and the consensus is not good. (Heck, my bank (US) is still happy with Windows 2000…)

The best approach here is to not knock hooking but to advise how to do
hooking right. You *can* produce production code that uses hooking.

Regards, Mickey.

Thanks everyone for your replies.

@Anton
Thanks for understanding my problem.
high 5 :)

> The best approach here is to not knock hooking but to advise how to do hooking right.

You *can* produce production code that uses hooking.

The problem that just cannot be avoided, no matter how “properly” you hook, is contention. Let’s say two products want to hook SSDT, IDT or any other system table, and both want to be the first (or the last, or the only one) in a call chain. It is understandable that only one of them may be successful. At the same time, they both may be unsuccessful - it will happen if they actively try to screw up one another’s operations.
Although it may be a good fun to watch this “contest”, you don’t really want it to take place on your machine, do you???

Other problems may *theoretically* be avoided if you do things properly, but you just cannot do anything about contention…

Anton Bassov
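
The contention Anton describes can be shown with a toy model. The following C program is an added example, not code from this thread or from any product mentioned in it; it models the service table as a one-slot array of function pointers in ordinary user mode (SVC_CREATE_FILE, the `product` struct and the hook names are constructed for the illustration, and nothing here touches a real kernel). Two products hook the same slot the usual way, saving the previous pointer and chaining to it. The model shows that once the second product is in place, the first one's unload silently evicts the second from the chain, and that unloading in the wrong order leaves the table pointing into a driver that is no longer present; the model reports that as -1 where a real kernel would bugcheck.

```c
#include <stddef.h>
#include <stdio.h>

/* Toy model of a system service table with a single slot. SVC_CREATE_FILE is
 * a constructed index standing in for the ZwCreateFile entry. */
typedef int (*svc_fn)(const char *path);

enum { SVC_CREATE_FILE = 0, SVC_COUNT = 1 };

static svc_fn service_table[SVC_COUNT];

/* The "real" service: always succeeds. */
static int original_create(const char *path)
{
    (void)path;
    return 1;
}

/* Two unrelated products, each hooking the same slot the classic way:
 * save whatever pointer is in the table, install your own, call the saved
 * pointer from the hook, and write the saved pointer back on unload. */
struct product {
    const char *name;
    svc_fn saved;      /* pointer found in the table when we hooked */
    int loaded;        /* 1 while the "driver" is in memory */
    int calls_seen;    /* create calls that passed through our hook */
};

static struct product prod_a = { "A", NULL, 0, 0 };
static struct product prod_b = { "B", NULL, 0, 0 };

static int a_hook(const char *path) { prod_a.calls_seen++; return prod_a.saved(path); }
static int b_hook(const char *path) { prod_b.calls_seen++; return prod_b.saved(path); }

static void hook(struct product *p, svc_fn fn)
{
    p->saved = service_table[SVC_CREATE_FILE];
    service_table[SVC_CREATE_FILE] = fn;
    p->loaded = 1;
}

static void unhook(struct product *p)
{
    /* Classic unload: restore what we saved, ignoring whoever hooked after us. */
    service_table[SVC_CREATE_FILE] = p->saved;
    p->loaded = 0;
}

/* Dispatch as the system would. Calling into an unloaded driver's hook would
 * be a bugcheck in the kernel; the model returns -1 instead of crashing. */
static int call_create(const char *path)
{
    svc_fn fn = service_table[SVC_CREATE_FILE];
    if ((fn == a_hook && !prod_a.loaded) || (fn == b_hook && !prod_b.loaded))
        return -1;
    return fn(path);
}

static void reset(void)
{
    service_table[SVC_CREATE_FILE] = original_create;
    prod_a.saved = prod_b.saved = NULL;
    prod_a.loaded = prod_b.loaded = 0;
    prod_a.calls_seen = prod_b.calls_seen = 0;
}

/* Scenario 1: A hooks, then B hooks. Chain is B -> A -> original; both see the call. */
int both_loaded_calls_seen_by_b(void)
{
    reset();
    hook(&prod_a, a_hook);
    hook(&prod_b, b_hook);
    call_create("C:\\constructed\\sample.txt");   /* constructed path */
    return prod_b.calls_seen;                     /* 1 */
}

/* Scenario 2: A unloads first. A restores `original`, silently dropping B
 * from the chain: B is still loaded but never sees another call. */
int b_calls_after_a_unloads_first(void)
{
    reset();
    hook(&prod_a, a_hook);
    hook(&prod_b, b_hook);
    unhook(&prod_a);
    call_create("C:\\constructed\\sample.txt");
    return prod_b.calls_seen;                     /* 0: B was evicted unknowingly */
}

/* Scenario 3: then B unloads too and restores what *it* saved, a_hook.
 * The table now points into a driver that is no longer in memory. */
int result_after_both_unload_wrong_order(void)
{
    reset();
    hook(&prod_a, a_hook);
    hook(&prod_b, b_hook);
    unhook(&prod_a);
    unhook(&prod_b);
    return call_create("C:\\constructed\\sample.txt");  /* -1: dangling pointer */
}

int main(void)
{
    printf("both loaded, B sees call: %d\n", both_loaded_calls_seen_by_b());
    printf("A unloads first, B sees call: %d\n", b_calls_after_a_unloads_first());
    printf("both unload in wrong order, dispatch result: %d\n",
           result_after_both_unload_wrong_order());
    return 0;
}
```

Neither product did anything wrong by its own lights; the defect is structural, because a raw pointer table has no notion of ownership or ordering, so every hooker has to guess what the others will do. That is exactly what Filter Manager supplies to a minifilter: instances are ordered by altitude and attached and detached under FltMgr's control, which is why the advice in this thread keeps pointing at minifilters.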

xxxxx@hotmail.com wrote:

The problem that just cannot be avoided, no matter how “properly” you hook, is contention. Let’s say two products want to hook SSDT, IDT or any other system table, and both want to be the first i(or the last, or the only one) in a call chain. It is understandable that only one of them may be successful. At the same time, they both may be unsuccessful - it will happen if they actively try to screw up one another’s operations.
Although it may be a good fun to watch this “contest”, you don’t really want it to take place on your machine, do you???

Other problems may *theoretically* be avoided if you do things properly, but you just cannot do anything about contention…

And a corollary to this is that “Any practical program without any formal proof can not be called bug-free, so why bother programming :)”

-pro

> And a corollary to this is that “Any practical program without any formal proof can not be called bug-free, so why bother programming :)”

You seem to have pretty bizarre logic…

First of all, the above statement does not follow from the one, which, according to you, it logically follows from. Second, the above statement is simply false in itself (unless you say it strictly in context of Windows programming, where system failure is considered as absolutely normal scenario, so that Windows programs just cannot be allowed to control critical tasks like air traffic or missile defense)…

Anton Bassov

Someone tries to create problems instead of solving them. I’ll leave you with this: you have a choice to use the immoral, buggy, unorthodox hooking for your products in order to have your company survive - or be a good boy, use only orthodox techniques (none of which are available for the particular problem at hand), and let another company make the product, leaving yours in the dust.
Do you even see a choice above? If you do, let me know so I can add you to the “never call him/her for a job interview” list ;)


Kind regards, Dejan (MSN support: xxxxx@alfasp.com)
http://www.alfasp.com
File system audit, security and encryption kits.

> Someone tries to create problems instead of solving them. I’ll leave you with
> this: you have a choice to use the immoral, buggy, unorthodox hooking for your
> products in order to have your company survive - or be a good boy, use only
> orthodox techniques (none of which are available for the particular problem at
> hand), and let another company make the product, leaving yours in the dust.

Exactly so.

What is irritating with hooking is that very often people use it in a situation
when there is a documented solution, it just requires more coding.

For instance, NDIS hooking using undocumented structures which is
exceptionally bad. All of this can be done in an IM.

Using SSDT hooking as the first approach to monitor file read/writes is just
plain funny, consider Notepad :)


Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
xxxxx@storagecraft.com
http://www.storagecraft.com

Yes, but 99% of the hook questions on NTFSD are related to registry hooking
where CmRegisterCallback is useless (read: 70-90% of the Windows installations
worldwide?)


Kind regards, Dejan (MSN support: xxxxx@alfasp.com)
http://www.alfasp.com
File system audit, security and encryption kits.