About Native api inline hook~

In user mode, if I inline hook a function, Copy-On-Write will limit the effect range to the current process!
I want to know how it goes in ring0? If I modify an ntoskrnl.exe export function, will it affect other drivers or user-mode calls?
Is there a Copy-On-Write in kernel land?



Hooking the kernel is a technique that is generally frowned upon. It can get done (in my experience, safely), but in order to do something like that, you have to know *SIGNIFICANTLY* more than your questions suggest…

To begin with, Detours-style hooking just cannot get done in kernel mode. Consider the following scenario:

The first instruction of the function is, say, 3 bytes long. Some thread executes the first instruction and gets pre-empted. Therefore, the EIP at which it will resume execution points to the location 3 bytes away from the beginning of the function. While the thread is inactive, you modify the beginning of the function with a 5-byte JMP instruction. What is going to happen when the thread in question resumes execution and its EIP points right into the middle of the JMP instruction??? BANG!!!

As long as you are in user mode, the whole thing can get fixed simply by SetThreadContext() - after all, all threads of the process are known in advance. However, you cannot do something like that in kernel mode.

Check the following link:
http://www.codeproject.com/system/soviet_direct_hooking.asp

You will see that the ONLY possible way to do it safely lies in hooking the INT 1 and INT 3 handlers and inserting an INT 3 instruction at the beginning of the function, i.e. doing things more or less the way debuggers do (actually, you can do it without hooking INT 3 if you decide to use the undocumented one-byte INT1 opcode instead, but this is already a bit extreme). Besides this, you will also see an answer to your original question - it lies with the WP bit in CR0.

However, in practical terms, I would not advise you to do it - with your level of knowledge you are almost guaranteed to screw up the system…

Anton Bassov
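Anton's pre-emption scenario, modelled as an added example (this is not code from the thread or from any of its authors). The function prologue is described only by a constructed list of instruction lengths; the two helpers compute how many bytes a trampoline would have to relocate to make room for a 5-byte JMP, and which instruction boundaries inside that range become unsafe resume points for a thread that was pre-empted there. In user mode those are exactly the points SetThreadContext() would have to move; in the kernel there is no equivalent, which is the point of the reply above. The function names and the sample lengths are assumptions made for this illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical model (added example): the prologue being overwritten is
 * described only by its instruction lengths, in order. The lengths are
 * constructed sample data, not the disassembly of any real function. */

/* Sum whole instructions from the start until at least patch_len bytes
 * are covered and return that byte count: a trampoline would have to
 * relocate exactly these bytes. Returns 0 if the listed instructions are
 * too short to cover the patch at all. */
size_t bytes_to_relocate(const uint8_t *lens, size_t n, size_t patch_len)
{
    size_t total = 0;
    for (size_t i = 0; i < n; i++) {
        total += lens[i];
        if (total >= patch_len)
            return total;
    }
    return 0;
}

/* Collect instruction boundaries that fall strictly inside the patched
 * range (0 < offset < patch_len). A thread pre-empted at such a boundary
 * would resume in the middle of the new JMP. Returns the number found;
 * up to max_out offsets are written to out (pass NULL/0 to only count). */
size_t unsafe_resume_points(const uint8_t *lens, size_t n, size_t patch_len,
                            size_t *out, size_t max_out)
{
    size_t count = 0, offset = 0;
    for (size_t i = 0; i < n; i++) {
        offset += lens[i];
        if (offset >= patch_len)   /* boundary at/after patch end is safe */
            break;
        if (count < max_out)
            out[count] = offset;
        count++;
    }
    return count;
}

int main(void)
{
    /* Constructed sample: a 3-byte, 2-byte, 1-byte and 5-byte instruction,
     * as in the scenario described in the reply. */
    const uint8_t prologue[] = { 3, 2, 1, 5 };
    const size_t patch_len = 5;   /* size of an x86 JMP rel32 */
    size_t pts[8];
    size_t n = unsafe_resume_points(prologue, 4, patch_len, pts, 8);

    printf("trampoline must relocate %zu bytes\n",
           bytes_to_relocate(prologue, 4, patch_len));
    for (size_t i = 0; i < n; i++)
        printf("unsafe resume point at offset %zu\n", pts[i]);
    return 0;
}
```

For the sample prologue the patch swallows the first two instructions (5 bytes) and the only interior boundary is offset 3: a thread parked there before the overwrite resumes at byte 3 of the JMP. The shorter the instructions at the start of the function, the more such points exist; a prologue of five 1-byte instructions has four.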

hi~ thanks a lot, it seems that I have a long long way to go…

> Date: Fri, 20 Jul 2007 02:46:22 -0400
> From: xxxxx@hotmail.com
> To: xxxxx@lists.osr.com
> Subject: RE:[ntdev] About Native api inline hook~

