Get notified when a kernel driver is loaded?

Hi,

Some processes, such as Regmon from Sysinternals, load a kernel driver
into memory when running (Regsys701.Sys, in Regmon's case).

Is it possible to know when a driver is loaded by only hooking APIs?

I tried to hook 3 APIs: LoadLibraryEx, OpenService and
CreateService, but never see when Regsys701.Sys is loaded.
So I guess I am looking at the wrong APIs for this.

Thanks a lot,
Jun

You can do it with PsSetLoadImageNotifyRoutine in the kernel.


Don Burn (MVP, Windows DKD)
Windows Filesystem and Driver Consulting
Website: http://www.windrvr.com
Blog: http://msmvps.com/blogs/WinDrvr


Information from ESET NOD32 Antivirus, version of virus signature database 4744 (20100105)

The message was checked by ESET NOD32 Antivirus.

http://www.eset.com

On Tue, Jan 5, 2010 at 10:25 PM, Don Burn wrote:
> You can do it with PsSetLoadImageNotifyRoutine in the kernel.

I think it is possible to do that by hooking APIs. After all, it is the
job of userspace to perform the initial step of loading the driver.

I prefer userspace hooking because that doesn't involve kernel code,
which is better in several cases.

Do you have any hint?

Many thanks,
Jun


I can load a driver without any user space intervention, your concept is
flawed.


Don Burn (MVP, Windows DKD)
Windows Filesystem and Driver Consulting
Website: http://www.windrvr.com
Blog: http://msmvps.com/blogs/WinDrvr
Remove StopSpam to reply


On Tue, Jan 5, 2010 at 11:30 PM, Don Burn wrote:
> I can load a driver without any user space intervention, your concept is
> flawed.

That sounds interesting! Could you explain how to do that without
userspace being involved?

Thanks,
J


Either ZwLoadDriver or ZwSetSystemInformation (a couple of suboptions) will
load drivers into kernel space. This has been true since the beginning of
NT for ZwLoadDriver.


Don Burn (MVP, Windows DKD)
Windows Filesystem and Driver Consulting
Website: http://www.windrvr.com
Blog: http://msmvps.com/blogs/WinDrvr


On Tue, Jan 5, 2010 at 11:40 PM, Don Burn wrote:
> Either ZwLoadDriver or ZwSetSystemInformation (a couple of suboptions) will
> load drivers into kernel space. This has been true since the beginning of
> NT for ZwLoadDriver.

Interesting!

This means I can hook NtLoadDriver and NtSetSystemInformation in
userspace to find out when a new driver is loaded.
Is that a proper way?

Thanks,
Jun


No, NtLoadDriver and NtSetSystemInformation in user space are just
redirectors to the kernel calls; kernel components do not go back up to user
space when they issue these.


Don Burn (MVP, Windows DKD)
Windows Filesystem and Driver Consulting
Website: http://www.windrvr.com
Blog: http://msmvps.com/blogs/WinDrvr


On Tue, Jan 5, 2010 at 11:56 PM, Don Burn wrote:
> No NtLoadDriver and NtSetSystemInformation in user space are just
> redirectors to the kernel calls, kernel components do not go back up to user
> space when they issue these.

I see. But my problem is that I want to monitor driver loading from
userspace, not from inside the kernel.

So hooking NtLoadDriver and NtSetSystemInformation seems enough for my purpose.

Thanks,
J


>This means I can hook NtLoadDriver and NtSetSystemInformation in

You cannot. These calls can be executed by SYSENTER or INT 2E inside some interesting DLL.


Maxim S. Shatskih
Windows DDK MVP
xxxxx@storagecraft.com
http://www.storagecraft.com

On Fri, Jan 8, 2010 at 7:01 AM, Maxim S. Shatskih wrote:
>>This means I can hook NtLoadDriver and NtSetSystemInformation in
>
> You cannot. These calls can be executed by SYSENTER or INT 2E inside some interesting DLL.

You mean these APIs can be executed from inside the kernel?

Thanks,
J

No, he means that someone can write assembly in user mode that calls into the kernel directly, without using the (hooked by you) API.

d

-----Original Message-----
From: Jun Koi
Sent: Thursday, January 07, 2010 8:31 PM
To: Windows System Software Devs Interest List
Subject: Re: [ntdev] Get notified when a kernel driver is loaded?


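As an added example (not code from this thread or from any of its posters), here is a minimal WDM driver that takes Don's PsSetLoadImageNotifyRoutine route instead of a user-mode hook. It assumes a WDK build environment and uses a made-up "[drvwatch]" log prefix; because the notification is raised inside the kernel loader, it fires whether the load was started by NtLoadDriver from a service, by a direct SYSENTER/INT 2E call that skips any user-mode hook, or by ZwLoadDriver from another driver.

```c
/*
 * drvwatch.c - minimal WDM driver that reports every kernel-mode image load.
 * Added example for this thread, not code from any poster. Assumes a WDK
 * build environment; "[drvwatch]" is a made-up log prefix.
 */
#include <ntddk.h>

DRIVER_INITIALIZE DriverEntry;
DRIVER_UNLOAD DriverUnload;

/* Placeholder shown when the loader hands us no image name (it may be NULL). */
static const UNICODE_STRING g_UnknownName = RTL_CONSTANT_STRING(L"<unknown>");

/*
 * Called by the kernel loader for every image it maps: user-mode EXEs and
 * DLLs as well as drivers. It runs in the context of the thread doing the
 * load, at PASSIVE_LEVEL, and is reached below every user-mode entry point,
 * so a process that issues the system call directly (SYSENTER / INT 2E)
 * instead of going through a hooked NtLoadDriver stub is still seen here.
 */
static VOID
LoadImageNotify(
    _In_opt_ PUNICODE_STRING FullImageName,
    _In_     HANDLE          ProcessId,
    _In_     PIMAGE_INFO     ImageInfo)
{
    PCUNICODE_STRING name;

    /* Driver loads report ProcessId 0 and SystemModeImage set; anything else
     * is a user-mode image being mapped into a process, which we ignore. */
    if (ProcessId != NULL || !ImageInfo->SystemModeImage) {
        return;
    }

    name = (FullImageName != NULL) ? FullImageName : &g_UnknownName;

    /* Keep the callback short: log and return. Long work here would stall
     * every image load on the system. */
    DbgPrint("[drvwatch] kernel image loaded: %wZ base=%p size=0x%lx\n",
             name, ImageInfo->ImageBase, (ULONG)ImageInfo->ImageSize);
}

VOID
DriverUnload(_In_ PDRIVER_OBJECT DriverObject)
{
    UNREFERENCED_PARAMETER(DriverObject);

    /* The routine must be deregistered before this image is unmapped, or the
     * next image load would call into freed memory. */
    PsRemoveLoadImageNotifyRoutine(LoadImageNotify);
}

NTSTATUS
DriverEntry(_In_ PDRIVER_OBJECT DriverObject, _In_ PUNICODE_STRING RegistryPath)
{
    NTSTATUS status;

    UNREFERENCED_PARAMETER(RegistryPath);

    DriverObject->DriverUnload = DriverUnload;

    status = PsSetLoadImageNotifyRoutine(LoadImageNotify);
    if (!NT_SUCCESS(status)) {
        DbgPrint("[drvwatch] PsSetLoadImageNotifyRoutine failed: 0x%08X\n",
                 status);
    }
    return status;
}
```

Build and load it as a test-signed driver and watch the output in WinDbg or DebugView; starting Regmon should then produce a line naming Regsys701.Sys.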
NTDEV is sponsored by OSR

For our schedule of WDF, WDM, debugging and other seminars visit:
http://www.osr.com/seminars

To unsubscribe, visit the List Server section of OSR Online at http://www.osronline.com/page.cfm?name=ListServer