Hooking kernel APIs

All:
I’m attempting to hook several APIs (ZWMapViewOfSection, …) in my
driver (XP & 2000). I’m looking for some good documentation (I know that’s
a laugh but thought I’d say it anyway) on how to accomplish this. In the
absence of that, what’re the steps necessary? Any push in the right
direction is appreciated.

Thanks,

Chuck

First why do you want to do this? Second realize there are
a number of problems doing this:

a. The calling sequence can be different, either SYSENTER
or an INT.
b. The position in the table can change depending on the
kernel build.
c. Starting with XP the table's memory is write protected.

If possible, come up with another way. If you cannot, see if you can
find the sources to regmon for an example.

Don Burn
Windows 2k/XP/2k3 Filesystem and Driver Consulting

----- Original Message -----
From: “chuck m” <chuck.monarch>
To: “File Systems Developers”
Sent: Thursday, March 06, 2003 2:52 PM
Subject: [ntfsd] Hooking kernel APIs

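The fragility Don describes is also what a defender looks for when auditing a system. The following is an added example, not code from this thread: it walks a constructed snapshot of a system service table and flags slots whose target address lies outside the kernel image that owns the table, reporting them by index only since, as noted above, the index of a given service moves between kernel builds. All addresses, sizes and module names are constructed sample values.

```python
# Added example, not code from the thread: an offline check that flags
# system-service-table entries whose target lies outside the kernel image.
# All addresses and module names below are constructed sample values.
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class ModuleRange:
    name: str
    base: int
    size: int

    def contains(self, addr: int) -> bool:
        return self.base <= addr < self.base + self.size


def owner_of(addr: int, modules: Iterable[ModuleRange]) -> Optional[str]:
    """Name of the loaded image containing addr, or None if nothing maps it."""
    for m in modules:
        if m.contains(addr):
            return m.name
    return None


def find_hooked_entries(table: List[int], modules: Iterable[ModuleRange],
                        expected_owner: str = "ntoskrnl.exe"
                        ) -> List[Tuple[int, int, Optional[str]]]:
    """Walk every slot of a service-table snapshot and report the ones that do
    not resolve into the image that owns the table. Slots are reported by
    index only: the index of a given service (for example ZwMapViewOfSection)
    moves between kernel builds, so a checker must not hardcode names."""
    modules = list(modules)
    findings = []
    for index, target in enumerate(table):
        owner = owner_of(target, modules)
        if owner != expected_owner:
            findings.append((index, target, owner))
    return findings


# Constructed snapshot: a kernel image, a third-party driver, and a short
# service table in which slot 2 was redirected into the driver and slot 5
# points at memory that no loaded image covers (e.g. an unloaded driver).
SAMPLE_MODULES = [
    ModuleRange("ntoskrnl.exe", 0x804D7000, 0x001F5000),
    ModuleRange("hookdrv.sys", 0xF8A00000, 0x00004000),
]
SAMPLE_TABLE = [
    0x805B1F20, 0x805A3C10, 0xF8A01230,
    0x805C8840, 0x80590A00, 0xF8B20000,
]

if __name__ == "__main__":
    for index, target, owner in find_hooked_entries(SAMPLE_TABLE, SAMPLE_MODULES):
        print(f"slot {index}: 0x{target:08X} -> {owner or 'unmapped'}")
```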

There are untold messages in the NTFSD list archives on this topic… Do
a search at http://www.osr.com/search_main.shtml.

- Nicholas Ryan


BTW, if you release a product that hooks the APIs, it screws your customer.
I recently dealt with a customer that had an A-V ‘filter’ that hooked kernel
APIs. Because the symptoms of the problem pointed at an OS component, we
asked Microsoft tech support to get involved. MS tech support made it very
clear: remove the driver hooking the kernel and they would help troubleshoot
the problem, otherwise they could/would not offer support.

Mike

----- Original Message -----
From: “Don Burn”
To: “File Systems Developers”
Sent: Thursday, March 06, 2003 3:16 PM
Subject: [ntfsd] Re: Hooking kernel APIs
