static linking

Hi all,

Is it possible to statically load a routine into my driver? I want
PsCreateSystemThread to be added as part of my driver code and not an imp_

  • amitr0

A) why?
B) no.

On Friday, November 20, 2009, amitr0 wrote:
> Hi all,
>
> Is it possible to statically load a routine into my driver? I want PsCreateSystemThread to be added as part of my driver code and not an imp_
>
>
> –
>
> - amitr0
>
>
> —
> NTDEV is sponsored by OSR
>
> For our schedule of WDF, WDM, debugging and other seminars visit:
> http://www.osr.com/seminars
>
> To unsubscribe, visit the List Server section of OSR Online at http://www.osronline.com/page.cfm?name=ListServer


Mark Roddy

I wouldn’t like to answer ‘A’ as it will become a war again…but if you
ask…
I want to call this function from its absolute address to avoid hooks, and I
don’t want to use any system routine to help find the address…(I am aware
that what I am trying is not the best thing to try, and I have read all
the threads advising against the same)

On Fri, Nov 20, 2009 at 4:52 PM, Mark Roddy wrote:

> A) why?
> B) no.



- amitr0

Having the absolute address of a function will not help you avoid
hooks as a trampoline can simply be inserted within the called
function itself. In fact this is the standard technique for hooking
kernel functions.

Regardless of your intentions, the answer is no, there is no such mechanism.

Mark Roddy

On Fri, Nov 20, 2009 at 6:30 AM, amitr0 wrote:
> I wouldn’t like to answer ‘A’ as it will become a war again…but if you
> ask…
> I want to call this function from its absolute address to avoid hooks, and I
> don’t want to use any system routine to help find the address…(I am aware
> that what I am trying is not the best thing to try, and I have read all
> the threads advising against the same)

amitr0 wrote:

> I wouldn’t like to answer ‘A’ as it will become a war again…but if you
> ask…
> I want to call this function from its absolute address to avoid hooks,
> and I don’t want to use any system routine to help find the
> address…(I am aware that what I am trying is not the best thing
> to try, and I have read all the threads advising against the same)

You ought to be able to think this through yourself.

In some cases, a routine is available both as a static library and a
dynamic library. The most common such cases are the C run-time library,
MFC, and ATL. In that case, you can choose by selecting a different
.lib at link time.

With operating system services, that’s simply not the case. The code
ONLY exists in DLLs. The only libraries that are available are the
import libraries, which point to the DLLs. More, PsCreateSystemThread
is not self-contained. It calls many, many other system services.

If your system is compromised to the point where kernel entry points are
untrustworthy, then you are screwed. Game over, pick up your marbles
and go home. The situation is not recoverable, and nothing you can do
is going to help.


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.
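
Added example, not part of the original thread or any poster's code: Mark Roddy's point that a trampoline sits inside the called function means the bytes at the routine's own address are what need checking, whichever way the caller obtained that address. The C code below classifies common x86-64 redirect encodings at a prologue and diffs the prologue against a trusted reference copy; the byte arrays, ROUTINE_ADDR and all function names are constructed for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Redirect encodings a prologue check can recognise (x86-64). */
enum hook_kind { HOOK_NONE, HOOK_JMP_REL32, HOOK_JMP_RIP_IND, HOOK_MOV_RAX_JMP };

/* Classify the first bytes found at the routine's own address. */
enum hook_kind classify_prologue(const uint8_t *p, size_t len)
{
    if (len >= 5 && p[0] == 0xE9)
        return HOOK_JMP_REL32;                 /* jmp rel32 */
    if (len >= 6 && p[0] == 0xFF && p[1] == 0x25)
        return HOOK_JMP_RIP_IND;               /* jmp qword ptr [rip+disp32] */
    if (len >= 12 && p[0] == 0x48 && p[1] == 0xB8 && p[10] == 0xFF && p[11] == 0xE0)
        return HOOK_MOV_RAX_JMP;               /* mov rax, imm64 ; jmp rax */
    return HOOK_NONE;
}

/* Destination of a jmp rel32 located at addr: next instruction + signed disp. */
uint64_t rel32_target(uint64_t addr, const uint8_t *p)
{
    uint32_t raw = (uint32_t)p[1] | (uint32_t)p[2] << 8 |
                   (uint32_t)p[3] << 16 | (uint32_t)p[4] << 24;
    return addr + 5 + (uint64_t)(int64_t)(int32_t)raw;
}

/* Offset of the first byte that differs from a trusted reference copy, or -1. */
long first_diff(const uint8_t *mem, const uint8_t *ref, size_t len)
{
    for (size_t i = 0; i < len; i++)
        if (mem[i] != ref[i]) return (long)i;
    return -1;
}

/* Constructed sample bytes, not taken from any real kernel image. */
static const uint8_t CLEAN[12]   = {0x48,0x89,0x5C,0x24,0x08,0x48,0x89,0x74,0x24,0x10,0x57,0x48};
static const uint8_t PATCHED[12] = {0xE9,0x56,0x34,0x12,0x00,0x48,0x89,0x74,0x24,0x10,0x57,0x48};
#define ROUTINE_ADDR 0xFFFFF80000100000ULL   /* hypothetical absolute address */

int main(void)
{
    /* The caller's address is identical in both cases; only the bytes differ. */
    printf("clean:   kind=%d diff=%ld\n", (int)classify_prologue(CLEAN, 12),
           first_diff(CLEAN, CLEAN, 12));
    printf("patched: kind=%d diff=%ld target=%#llx\n", (int)classify_prologue(PATCHED, 12),
           first_diff(PATCHED, CLEAN, 12),
           (unsigned long long)rel32_target(ROUTINE_ADDR, PATCHED));
    return 0;
}
```

A prologue check covers only the first instructions; a patch further into the routine, or in one of the many routines it calls, shows up only when the whole code range is compared against a trusted copy.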