API Hooking Issues

Hi all experts,

I am facing a problem regarding saving an MS Word file in encrypted format.

I have hooked all the required NTDLL APIs in my DLL.

Using this code, I can open an MS Word document (which is already in
encrypted format) and apply the decryption algorithm to view the
decrypted contents of the document. This all goes fine.

Now the problem is: if I make any changes in the .doc file and try to
save the changes, then my changes should be encrypted and then saved to
disk in the same .doc file. But this is not working; instead it's
saving the normal contents, i.e. not the encrypted ones. But there is a
call of encryption as well, so can you help me with this?

(Have a look at the code, as follows:)

    NTSTATUS __stdcall hookNtCreateSection(
        OUT PHANDLE SectionHandle,
        IN ACCESS_MASK DesiredAccess,
        IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL,
        IN PLARGE_INTEGER MaximumSize OPTIONAL,
        IN ULONG SectionPageProtection OPTIONAL,
        IN ULONG AllocationAttributes,
        IN HANDLE FileHandle OPTIONAL )
    {
        NTSTATUS returnValue = originalNtCreateSection(SectionHandle,
            DesiredAccess, ObjectAttributes, MaximumSize, SectionPageProtection,
            AllocationAttributes, FileHandle);

        CAtlStringW strPath;
        g_mapHandleToPath.Lookup(FileHandle, strPath);

        if(IsMyArea(strPath)) // check if its my file
        {
            //MessageBox(NULL, L"attach your process now", L"hookNtCreateSection", 0);
            //g_SectionHandle = *SectionHandle;
            g_mapSectionHandleToPath.AddHandle(*SectionHandle, strPath);
            SECURED_FILE = strPath; // keep the path of my file
        }

        if((strPath.Find(L"~WRL") != -1) || (strPath.Find(L"~wrl") != -1))
        {
            int k = 0;
            g_mapSectionHandleToPath.AddHandle(*SectionHandle, strPath);
            SECURED_FILE = strPath;
        }

        return returnValue;
    }

    NTSTATUS __stdcall hookNtMapViewOfSection(
        IN HANDLE SectionHandle,
        IN HANDLE ProcessHandle,
        IN OUT PVOID *BaseAddress OPTIONAL,
        IN ULONG ZeroBits OPTIONAL,
        IN ULONG CommitSize,
        IN OUT PLARGE_INTEGER SectionOffset OPTIONAL,
        IN OUT PSIZE_T ViewSize,
        IN SECTION_INHERIT InheritDisposition,
        IN ULONG AllocationType OPTIONAL,
        IN ULONG Protect )
    {
        unsigned long ulLength = *ViewSize;
        CAtlStringW strPath;

        NTSTATUS returnValue = originalNtMapViewOfSection(SectionHandle,
            ProcessHandle, BaseAddress, ZeroBits, CommitSize, SectionOffset,
            ViewSize, InheritDisposition, AllocationType, Protect);

        if(g_mapSectionHandleToPath.Lookup(SectionHandle, strPath) == TRUE)
        {
            BYTE* cDecryptBuffer = new BYTE[ulLength];
            g_BaseAddress = new BYTE[ulLength];
            CEncodeDecode encodeDecode;
            encodeDecode.EncodeDecode((BYTE*) (*BaseAddress),
                cDecryptBuffer,
                ulLength); // encode the current data/buffer
            // Keep the current BaseAddress in global variable which will be used
            // later in hookNtUnmapViewOfSection to unmap the same
            g_BaseAddress = *BaseAddress;
            // update the old data/buffer with our encoded data
            *BaseAddress = (LPVOID) cDecryptBuffer;
        }

        return returnValue;
    }

    NTSTATUS __stdcall hookNtUnmapViewOfSection(
        IN HANDLE ProcessHandle,
        IN PVOID BaseAddress )
    {
        NTSTATUS returnValue = originalNtUnmapViewOfSection(ProcessHandle,
            BaseAddress);

        if(returnValue != 0)
        {
            if(g_BaseAddress != NULL)
            {
                returnValue = originalNtUnmapViewOfSection(ProcessHandle,
                    g_BaseAddress);

                //g_mapSectionHandleToPath.RemoveHandle(ProcessHandle);
            }
        }

        return returnValue;
    }

Hello

I’m not sure I’d think of myself as an expert but I’ll see if I can help.

I doubt if you want to hear this but I don't think you will get much help
here with this kind of hooking. The advice is to write a file system filter
and to be more specific a mini filter driver. I hope you will consider this
advice; if you do then you can search this list at the osronline site for
say “encrypt” and you will receive an enormous amount of information which
should be of help to you.

You might also consider getting in touch with OSR about their DMK product
which was created for the specific case of data modification filters such as
encryption filters. I have not used it but in my experience the good folk at
OSR are the real experts and I’d assume the DMK is first class; if our
company needed an encryption driver I’d not hesitate to evaluate this
product in the first instance.

Best Wishes
Lyndon


Hi Lyndon

Thanks. Actually, as you have suggested making use of a mini filter driver, I am doing that as well, but right now the issue is that we can read/write a .txt file with the EditPlus utility but that is not working with notepad.exe, so can you help me out with this? If you need, I can provide you that code, or you can help me think in the right direction.

Hi,

Hooking can’t intercept requests to memory mapped files. Only a kernel mode
file system filter can do this. In fact, a simple FSD filter won’t help; you
need a more elaborate system such as a layered FSD.


Slava Imameyev, xxxxx@hotmail.com


Hi Slava

Actually, as I have explained, we have a mini filter driver; more specifically we have SwapBuffers, minispy, filespy and much more, but we are not getting the right direction to proceed with the work. Can you suggest something in this area, and does this mini filter driver lie in the category of layered FSD?

I don’t know of any open source (or at least available as source code)
realization of a layered FSD, only some pieces of code scattered over the web.
When I needed it (more than 3 years ago), I did it myself.
Currently, there is a commercial OSR product, the Data Modification Kit, that
does this.

You can try to realize the encrypting part of a product with an FSD such as
SwapBuffers, but there are a lot of problems along this way. I presume that
you will manage to create an FSD filter that provides the desired functionality
in the case of the simplest encryption for well-known FSDs such as NTFS and
FastFAT (at the moment of the development, but new versions can ruin
your efforts).


Slava Imameyev, xxxxx@hotmail.com


Memory-mapped file IO is not touched by your hooking.

Hooking for file encryption does not work. Use the SwapBuffers-based
minifilter.


Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
xxxxx@storagecraft.com
http://www.storagecraft.com


>plus utility but that thing is not working with notepad.exe

Correct. Notepad uses memory-mapped files, which are not touched by hooking.


Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
xxxxx@storagecraft.com
http://www.storagecraft.com

How do I use SwapBuffers for memory mapping of any file? Do you guys have any idea about that?

In the read and write callbacks of a mini-filter you can detect all
non-cached I/O and do the decrypt/encrypt at that point. What you have not
said is whether you are trying to be selective on file access within your
filter or not. Basically, the approach of catching the reads/writes for
non-cached says that all applications can access the file, i.e. basically
you have provided an encryption for a class of files that once you allow
any application to access unencrypted all applications can do so.

If you are looking for more than the above you are really looking at a lot
of work. The above is still a significant effort to get right.


Don Burn (MVP, Windows DDK)
Windows 2k/XP/2k3 Filesystem and Driver Consulting
Website: http://www.windrvr.com
Blog: http://msmvps.com/blogs/WinDrvr
Remove StopSpam to reply


> How do i use SwapBuffers for memory mapping of any file do u guys have any
> idea about that

Encrypt on write and decrypt on read (at completion) all paging or
non-cached requests for a file and remove the encryption/decryption code from
the hooks.
As I said, this is not a good approach, but I think it is the easiest one
for you.


Slava Imameyev, xxxxx@hotmail.com


Hi Slava
Thanks for the help

I have some queries as follows:

  1. Do you mean that I will remove the encryption/decryption logic from NTCreateSection and NtMapViewOfSection, and place the same in only NtreadFile and NTWrite functions. Please confirm?

  2. In which hooked NTDLL API function I will get “all paging or non-cached requests”?

As I think for notepad and MS-Word application files it does not come into the NtReadFile and NTWriteFile API calls. As I have already tested the same.

Please focus some more light on the above, so that I proceed with the development work with hooking approach.

> Please foucs some more light on the above, so that I proceed with the
> development work with hooking approach.

The hooking approach will not work; it is an erroneous way.
Search the archive; there is a lot of information about encryption/decryption
and why there are problems with notepad.

> 1. Do you mean that I will remove the encryption/decryption logic from
> NTCreateSection and NtMapViewOfSection, and place the same in only
> NtreadFile and NTWrite functions. Please confirm?

Yes. Confirmed. Also, remove encryption/decryption logic from
NtReadFile/NtWriteFile and all others.

> 2. In which hooked NTDLL API function I will get “all paging or non-cached
> requests”?

This notion applies to kernel mode. Paging requests are requests sent by
the Memory Manager (search the archive); they have the IRP_PAGING_IO and/or
IRP_SYNCHRONOUS_PAGING_IO flags set. Non-cached requests are requests that
are supposed to be processed without using the Cache Manager (and this will
be a problem in the case of an FSD filter, because an underlying FSD might
use the cache in any case); these requests have the IRP_NOCACHE flag.


Slava Imameyev, xxxxx@hotmail.com
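
A user-mode C model of the data flow described in the reply above, added here as an illustration; it is not code from any poster or from the WDK samples. It shows why a store into a mapped view never reaches a hooked NtWriteFile, while a filter that transforms only paging and non-cached requests still sees the data when the pages are written back. The IRP_* values are those from wdm.h; the function names, the 64-byte file and the XOR placeholder transform are assumptions made for the model.

```c
#include <stdint.h>
#include <string.h>
#include <stddef.h>

/* Flag values as defined in wdm.h, repeated so the model builds without the WDK. */
#define IRP_NOCACHE               0x00000001u
#define IRP_PAGING_IO             0x00000002u
#define IRP_SYNCHRONOUS_PAGING_IO 0x00000040u

#define FILE_SIZE 64
static uint8_t disk[FILE_SIZE];   /* bytes the file system stores: must stay ciphertext */
static uint8_t cache[FILE_SIZE];  /* pages shared by cached I/O and mapped views: plaintext */
static int dirty;                 /* set when cached pages differ from disk */
static int hook_calls;            /* how often the modelled user-mode write hook ran */

/* Placeholder transform (XOR with a constant), NOT real encryption. */
static void toy_crypt(uint8_t *dst, const uint8_t *src, size_t n) {
    for (size_t i = 0; i < n; i++) dst[i] = src[i] ^ 0x5A;
}

/* The filter transforms only requests that move data to or from disk. */
int filter_must_transform(uint32_t irp_flags) {
    return (irp_flags & (IRP_NOCACHE | IRP_PAGING_IO | IRP_SYNCHRONOUS_PAGING_IO)) != 0;
}

/* Write path seen by the filter; returns 1 if encrypted, 0 if passed to the cache. */
int filter_write(uint32_t irp_flags, const uint8_t *buf, size_t off, size_t n) {
    if (off > FILE_SIZE || n > FILE_SIZE - off) return -1;
    if (!filter_must_transform(irp_flags)) {   /* cached write: lands in the cache only */
        memcpy(cache + off, buf, n);
        dirty = 1;
        return 0;
    }
    uint8_t swap[FILE_SIZE];                   /* swapped buffer: caller's pages stay plaintext */
    toy_crypt(swap, buf, n);
    memcpy(disk + off, swap, n);
    return 1;
}

/* Read path: decrypt at completion for paging/non-cached reads, else serve the cache. */
int filter_read(uint32_t irp_flags, uint8_t *buf, size_t off, size_t n) {
    if (off > FILE_SIZE || n > FILE_SIZE - off) return -1;
    if (!filter_must_transform(irp_flags)) { memcpy(buf, cache + off, n); return 0; }
    toy_crypt(buf, disk + off, n);
    return 1;
}

/* Application path 1: cached NtWriteFile, where a user-mode hook would fire. */
int app_write_file(const uint8_t *buf, size_t off, size_t n) {
    hook_calls++;
    return filter_write(0, buf, off, n);
}

/* Application path 2: store into a mapped view. No system call, no hook, no request yet. */
int app_write_mapped(const uint8_t *buf, size_t off, size_t n) {
    if (off > FILE_SIZE || n > FILE_SIZE - off) return -1;
    memcpy(cache + off, buf, n);
    dirty = 1;
    return 0;
}

/* The memory manager writes dirty pages back later with a paging write. */
int mm_flush(void) {
    if (!dirty) return 0;
    dirty = 0;
    return filter_write(IRP_PAGING_IO | IRP_NOCACHE, cache, 0, FILE_SIZE);
}

int hook_call_count(void) { return hook_calls; }
const uint8_t *disk_bytes(void) { return disk; }
```
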


If you are saying (talking about the hooking approach) that I should remove the encryption/decryption logic from the NTCreateSection, NtMapViewOfSection, NtReadFile and NTWrite functions, then where will I put it, or can I not do that? Sorry, I am confused; please specify.
But as I have checked in the hooking approach, for a .txt file read operation with notepad.exe, it doesn’t reach the NtReadFile and NtWriteFile NTDLL API level calls. Please suggest your views.

> where I will put the same or i cannot do that sorry i am confused please
> specify ?

Put it in the FSD filter; process only paging and non-cached requests. An FSD
filter is the only possible solution for you; a layered FSD is not
achievable with your current experience (for you it is better to start kernel
mode programming from filters), or buy a commercial layered FSD solution.
Search the archive!


Slava Imameyev, xxxxx@hotmail.com


Thanks Slava for clearing up my doubts, but can you throw some light on how to trap the paging I/O or non-cached requests? Do I have to use some kind of section FileObject->SectionObjectPointers in my program, like what I have done in the hooking code, to get the request from the Memory Manager, or do what?

Please Help

Regards
Vaibhav

Vaibhav

I think it will help you if you read the documentation in the WDK and seek
to answer your own questions more before you post here. The answers to these
questions are found in the documentation.

Best Wishes
Lyndon
