hook kernel services

I want to install a hook such that whenever an app is started my driver
gets to know first. Should I hook the _PELDR_LoadModule /
_PELDR_LoadModuleEx or get the Begin_PM_App message? How do I implement a
similar driver on NT?
thanks
kudrt



Whenever an app is started, an EPROCESS object is created in the Executive.
To do this the NtCreateProcess() API is used. Hook that function. You can
find a good example of function hooking at www.sysinternals.com (see the
Registry Monitor).

Matteo
----- Original Message -----
From:
To: “NT Developers Interest List”
Sent: Sunday, September 30, 2001 7:30 AM
Subject: [ntdev] hook kernel services




I have a similar problem, but in detail. I have to hook the objects getting
created when any (kernel) object is created, like Semaphore, Mutex, etc.
Please, can someone throw some light on this.

Thanks
Pars

-----Original Message-----
From: Matteo Pelati [mailto:xxxxx@dolce.it]
Sent: Monday, October 01, 2001 1:57 PM
To: NT Developers Interest List
Subject: [ntdev] Re: hook kernel services




For NT, use PsSetCreateProcessNotifyRoutine; it registers a driver-supplied
callback that is subsequently notified whenever a process is created or
deleted.

For 9x/ME, process the BEGIN_PM_APP and/or CREATE_VM control messages.

Regards, Vadim

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com]On Behalf Of xxxxx@yahoo.com
Sent: Sunday, September 30, 2001 7:31 AM
To: NT Developers Interest List
Subject: [ntdev] hook kernel services




Kernel objects such as Mutexes, Events or semaphores are initialized using
specific kernel mode functions (KeInitializeMutex, KeInitialize…, etc.). Try
hooking those functions using the same technique.

Matteo

----- Original Message -----
From: “Parswanath_Dhanadevan”
To: “NT Developers Interest List”
Sent: Monday, October 01, 2001 11:39 AM
Subject: [ntdev] Re: hook kernel services


Look at PsSetCreateProcessNotifyRoutine and
PsSetLoadImageNotifyRoutine in the DDK.

Don Burn
Windows 2000 Device Driver and Filesystem consulting

----- Original Message -----
From:
To: “NT Developers Interest List”
Sent: Sunday, September 30, 2001 7:30 AM
Subject: [ntdev] hook kernel services


Or you can use the preferred way documented in the W2K DDK,
PsSetCreateProcessNotifyRoutine. This function registers or
removes the driver notification callback that is called when
the first thread of the new process is being created (called
with the third argument Create = TRUE), or when the last
thread of the process is terminating (called with Create = FALSE).

I recommend using this technique and not hacking the
service table; this is a case where such a hack can be avoided.
But I agree that there are some necessary hacks, of course.

Paul

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com]On Behalf Of Matteo Pelati
Sent: Monday, October 01, 2001 10:27 AM
To: NT Developers Interest List
Subject: [ntdev] Re: hook kernel services

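
The documented route that Vadim, Don Burn and Paul recommend, as an added example that is not code from the thread or from any poster: a driver that registers a process-creation notify routine in DriverEntry, tracks live process IDs in the callback using the Create flag semantics Paul describes, and unregisters in DriverUnload. The `__has_include` guard and the host-build stand-ins for HANDLE and BOOLEAN are my assumption so the callback can compile outside the WDK; the driver entry points compile only when ntddk.h is present.

```c
/* Added example, not code from the thread: a minimal NT driver using the documented
 * PsSetCreateProcessNotifyRoutine route rather than patching the service table.
 * Without ntddk.h (host build for the test) stand-ins for the DDK types are declared. */
#ifdef __has_include
#  if __has_include(<ntddk.h>)
#    include <ntddk.h>
#    define KERNEL_BUILD 1
#  endif
#endif
#ifndef KERNEL_BUILD
#  define KERNEL_BUILD 0
typedef void *HANDLE; typedef unsigned char BOOLEAN;   /* host-build stand-ins (assumed) */
enum { FALSE, TRUE };
#endif
#define MAX_TRACKED 64
static HANDLE g_live[MAX_TRACKED];   /* processes created but not yet exited */
static int  g_live_count;
static long g_created;

/* Create == TRUE: first thread of the new process is being created; Create == FALSE:
 * last thread is terminating. Runs at PASSIVE_LEVEL in that thread's context. */
static void OnProcessNotify(HANDLE ParentId, HANDLE ProcessId, BOOLEAN Create)
{
    int i;
    (void)ParentId;
    if (Create) {
        g_created++;
        if (g_live_count < MAX_TRACKED) g_live[g_live_count++] = ProcessId;
        return;
    }
    for (i = 0; i < g_live_count; i++)
        if (g_live[i] == ProcessId) { g_live[i] = g_live[--g_live_count]; break; }
}

int  LiveProcessCount(void) { return g_live_count; }
long CreatedCount(void)     { return g_created; }
#if KERNEL_BUILD
static void DriverUnload(PDRIVER_OBJECT DriverObject)
{
    (void)DriverObject;
    PsSetCreateProcessNotifyRoutine(OnProcessNotify, TRUE);    /* Remove == TRUE */
}
NTSTATUS DriverEntry(PDRIVER_OBJECT DriverObject, PUNICODE_STRING RegistryPath)
{
    (void)RegistryPath;
    DriverObject->DriverUnload = DriverUnload;
    return PsSetCreateProcessNotifyRoutine(OnProcessNotify, FALSE);   /* register */
}
#endif
```

Unregistering in DriverUnload matters: a callback left registered after the driver image is gone is a crash the next time a process starts. The 9x/ME path (BEGIN_PM_APP / CREATE_VM) is not covered here.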