On Tue, Jan 5, 2010 at 11:56 PM, Don Burn wrote:
> No, NtLoadDriver and NtSetSystemInformation in user space are just
> redirectors to the kernel calls; kernel components do not go back up to user
> space when they issue these.
I see. But my problem is that I want to monitor drivers loading from
userspace, not from inside the kernel.
So hooking NtLoadDriver and NtSetSystemInformation seems enough for my purpose.
Thanks,
J
>
> “Jun Koi” wrote in message news:xxxxx@ntdev…
> On Tue, Jan 5, 2010 at 11:40 PM, Don Burn wrote:
>> Either ZwLoadDriver or ZwSetSystemInformation (a couple of suboptions) will
>> load drivers into kernel space. This has been true since the beginning of
>> NT for ZwLoadDriver.
>
> Interesting!
>
> This means I can hook NtLoadDriver and NtSetSystemInformation in
> userspace to know when a new driver is loaded.
> Is that a proper way?
>
> Thanks,
> Jun
>
>
>> “Jun Koi” wrote in message news:xxxxx@ntdev…
>>> On Tue, Jan 5, 2010 at 11:30 PM, Don Burn wrote:
>>>> I can load a driver without any user space intervention; your concept is
>>>> flawed.
>>>
>>> That sounds interesting! Could you explain how to do that without
>>> userspace being involved?
>>>
>>> Thanks,
>>> J
>>>
>>>
>>>>
>>>>
>>>> “Jun Koi” wrote in message news:xxxxx@ntdev…
>>>>> On Tue, Jan 5, 2010 at 10:25 PM, Don Burn wrote:
>>>>>> You can do it with PsSetLoadImageNotifyRoutine in the kernel.
>>>>>
>>>>> I think it is possible to do that by hooking APIs. In the end, it is the
>>>>> job of userspace to perform the initial step of loading the driver
>>>>> in.
>>>>>
>>>>> I prefer userspace hooking because that doesn't involve kernel code,
>>>>> which is better in several cases.
>>>>>
>>>>> Do you have any hint?
>>>>>
>>>>> Many thanks,
>>>>> Jun
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>> “Jun Koi” wrote in message news:xxxxx@ntdev…
>>>>>>> Hi,
>>>>>>>
>>>>>>> Some processes, such as Regmon from Sysinternals, load a kernel
>>>>>>> driver
>>>>>>> into memory when running (which is Regsys701.Sys in Regmon's case).
>>>>>>>
>>>>>>> Is it possible to know when a driver is loaded by only hooking APIs?
>>>>>>>
>>>>>>> I tried to hook 3 APIs: LoadLibraryEx, OpenService and
>>>>>>> CreateService, but never see when Regsys701.Sys is loaded.
>>>>>>> So I guess I am looking at the wrong APIs for this.
>>>>>>>
>>>>>>> Thanks a lot,
>>>>>>> Jun
>>>>>>>
>>>>>>>
>>>>>>> Information from ESET NOD32 Antivirus, version of virus
>>>>>>> signature database 4744 (20100105)
>>>>>>>
>>>>>>> The message was checked by ESET NOD32 Antivirus.
>>>>>>>
>>>>>>> http://www.eset.com
>>>>>>>
>>>>>> —
>>>>>> NTDEV is sponsored by OSR
>>>>>>
>>>>>> For our schedule of WDF, WDM, debugging and other seminars visit:
>>>>>> http://www.osr.com/seminars
>>>>>>
>>>>>> To unsubscribe, visit the List Server section of OSR Online at
>>>>>> http://www.osronline.com/page.cfm?name=ListServer
>>>>>>
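Don's PsSetLoadImageNotifyRoutine approach, as an added example rather than code from the thread: a driver that registers the callback and reports only images mapped into system space (the kernel passes a NULL ProcessId for those), which is the kernel-side way of seeing Regsys701.Sys load. The names ClassifyImageLoad, ImageLoadRecord, the BUILD_AS_DRIVER macro and the sample path are this example's own; the glue under that macro builds only with the WDK.

```c
/* Added example, not code from the thread: a minimal driver-load monitor
 * around PsSetLoadImageNotifyRoutine.  ClassifyImageLoad is portable C so it
 * can be tested outside the WDK; the driver glue builds only with
 * -DBUILD_AS_DRIVER (a macro chosen for this example, not a WDK one). */
#include <stddef.h>
#include <wchar.h>

#define MAX_IMAGE_PATH 260
typedef struct {
    int isDriver;                 /* 1 = image mapped into system space */
    wchar_t path[MAX_IMAGE_PATH]; /* NUL-terminated copy of the image path */
} ImageLoadRecord;

/* Constructed sample path for the test, shaped like a real driver path. */
static const wchar_t kSamplePath[] = L"\\SystemRoot\\system32\\drivers\\example.sys";
/* Documented pitfalls of the callback: FullImageName may be NULL, and
 * UNICODE_STRING.Buffer is not NUL-terminated with Length given in BYTES.
 * A NULL ProcessId is how the kernel marks a driver load (vs. a DLL/EXE). */
static ImageLoadRecord ClassifyImageLoad(const void *processId,
                                         const wchar_t *buffer, size_t lengthBytes)
{
    ImageLoadRecord r;
    size_t n = buffer ? lengthBytes / sizeof(wchar_t) : 0;
    if (n >= MAX_IMAGE_PATH) n = MAX_IMAGE_PATH - 1;  /* truncate, never overflow */
    r.isDriver = (processId == NULL);
    if (n) wmemcpy(r.path, buffer, n);
    r.path[n] = L'\0';
    return r;
}

#ifdef BUILD_AS_DRIVER
#include <ntddk.h>
static VOID LoadImageNotify(PUNICODE_STRING FullImageName, HANDLE ProcessId, PIMAGE_INFO ImageInfo) {
    ImageLoadRecord r = ClassifyImageLoad(ProcessId,
        FullImageName ? FullImageName->Buffer : NULL,
        FullImageName ? FullImageName->Length : 0);
    if (r.isDriver)  /* report kernel drivers only, not every user-mode DLL */
        DbgPrint("driver loaded: %ws base=%p\n", r.path, ImageInfo->ImageBase);
}
static VOID DriverUnload(PDRIVER_OBJECT DriverObject) {
    (void)DriverObject;
    PsRemoveLoadImageNotifyRoutine(LoadImageNotify); /* must unregister before unload */
}
NTSTATUS DriverEntry(PDRIVER_OBJECT DriverObject, PUNICODE_STRING RegistryPath) {
    (void)RegistryPath;
    DriverObject->DriverUnload = DriverUnload;
    return PsSetLoadImageNotifyRoutine(LoadImageNotify);
}
#endif
```

Unlike a user-mode hook on NtLoadDriver, this callback also fires for drivers loaded with no user-space step at all, which is the case Don raises in the thread.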