Hooking Zw routines in Win2k

Hi
I want to write a driver that makes C:\dir1 become D:\dir2. That is, all
operations on C:\dir1 are like on D:\dir2.
I hooked ZwCreateFile, ZwOpenFile… and changed C:\dir1 to D:\dir2 before
calling the real Zw routines. This worked, but not with Microsoft Word.
Could you tell me why, please?
By the way, I’d like to know how to allocate user memory from kernel mode.
I read earlier mails in the archive and found ZwAllocateVirtualMemory, but
I failed to call this routine. It returned STATUS_INVALID_HANDLE (I passed
PsGetCurrentProcessId() to it as ProcessHandle). Could you give me an example
on how to do this, please?
Regards,

Bi Cờ Lao
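The C:\dir1 to D:\dir2 rewrite the post describes, as an added example that is not code from this thread: it matches the prefix the way a hook must (case-insensitively and only at a component boundary, so C:\dir10 is not touched) and passes relative names through unchanged. It assumes paths arrive in \??\ object-manager form and uses plain char strings for portability rather than the UNICODE_STRING a real driver handles.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Constructed for this example: the redirect pair from the post, in the
 * object-manager form a kernel hook sees (Win32 "C:\dir1" is "\??\C:\dir1"). */
#define SRC_PREFIX "\\??\\C:\\dir1"
#define DST_PREFIX "\\??\\D:\\dir2"

/* NTFS names are case-insensitive, so compare the first n bytes that way. */
static int prefix_matches(const char *path, const char *prefix, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (tolower((unsigned char)path[i]) != tolower((unsigned char)prefix[i]))
            return 0;
    return 1;
}

/* Rewrite an absolute NT path under SRC_PREFIX to the same path under
 * DST_PREFIX. Returns 1 if rewritten, 0 if copied unchanged, -1 if out is
 * too small. The match must end at a component boundary ("\??\C:\dir10\x"
 * is left alone), and a name that is not absolute (a relative open through
 * OBJECT_ATTRIBUTES.RootDirectory) is left alone: a name-only hook cannot see it. */
int redirect_path(const char *in, char *out, size_t outsz)
{
    size_t srclen = strlen(SRC_PREFIX), dstlen = strlen(DST_PREFIX);
    int hit = strlen(in) >= srclen
           && prefix_matches(in, SRC_PREFIX, srclen)
           && (in[srclen] == '\0' || in[srclen] == '\\');
    const char *tail = hit ? in + srclen : in;
    size_t head = hit ? dstlen : 0;
    size_t taillen = strlen(tail);

    if (head + taillen + 1 > outsz)
        return -1;
    if (hit)
        memcpy(out, DST_PREFIX, dstlen);
    memcpy(out + head, tail, taillen + 1);   /* include the terminator */
    return hit;
}

int main(void)
{
    char out[128];
    int r = redirect_path("\\??\\C:\\dir1\\doc.doc", out, sizeof out);
    printf("%s (%d)\n", out, r);   /* \??\D:\dir2\doc.doc (1) */
    return 0;
}
```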

You should filter IRP_MJ_CREATE in a file system filter driver and use the STATUS_REPARSE feature.

Jamey

-----Original Message-----
From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com] On Behalf Of pclouds
Sent: Tuesday, January 07, 2003 7:19 PM
To: NT Developers Interest List
Subject: [ntdev] Hooking Zw routines in Win2k



You are currently subscribed to ntdev as: xxxxx@storagecraft.com
To unsubscribe send a blank email to xxxxx@lists.osr.com

To get current process ProcessHandle you’ve got to do the following steps.

  1. Get the current process object pointer with PsGetCurrentProcess.
  2. Call ObOpenObjectByPointer to get the handle.

----- Original Message -----
From: “pclouds”
To: “NT Developers Interest List”
Sent: Wednesday, January 08, 2003 5:18 AM
Subject: [ntdev] Hooking Zw routines in Win2k


