Hooksys example...

Hi all !
I need some help…

I tested the following example:
http://www.velasco.com.br/hooksys.zip

It works fine in Windows 2000 and XP with Service Pack 1… but crashes in
XP Service Pack 2… Why doesn’t it work?

This example is from the “Undocumented Windows NT - Prasad Dabak, Sandeep and
Borate” book…

Any help is welcome…

Thank you

Marcos

Well it is a lousy example to use for a lot of reasons:

  1. Hooking in general is a bad idea, this has been discussed on the
    NTDEV forum many times, for instance there is no safe way to unhook since
    someone could hook over you.

  2. This code does a poor job of hooking, since it uses assembler
    instructions to disable/enable interrupts which is not good protection on a
    MP system.

What is your real goal, if you want to catch CreateFile calls you need a
file system filter driver.


Don Burn (MVP, Windows DDK)
Windows 2k/XP/2k3 Filesystem and Driver Consulting


Hi !

Thanks for your explanation, but the problem is: “Why does this sample work
fine in Windows 2000 and XP with Service Pack 1” but crash in “XP Service
Pack 2”?

Thank you

Marcos

----- Original Message -----
From: “Don Burn”
Newsgroups: ntfsd
To: “Windows File Systems Devs Interest List”
Sent: Thursday, October 21, 2004 9:38 AM
Subject: Re:[ntfsd] Hooksys example…

> —
> Questions? First check the IFS FAQ at
> https://www.osronline.com/article.cfm?id=17
>
> You are currently subscribed to ntfsd as: xxxxx@uol.com.br
> To unsubscribe send a blank email to xxxxx@lists.osr.com

try

_asm mov eax, cr0
_asm and eax, NOT 10000H
_asm mov cr0, eax

instead of _asm cli

and

_asm mov eax, cr0
_asm or eax, 10000H
_asm mov cr0, eax

instead of _asm sti

If it still doesn’t work, debug it. :-)

Regards,
Naren.

Well you haven’t said how it was failing in SP2. I know Microsoft has been
working to put code in to stop this type of stuff, so it could be you hit
one of the improvements. Note: the new assembler code offered on this
list will still cause problems.


Don Burn (MVP, Windows DDK)
Windows 2k/XP/2k3 Filesystem and Driver Consulting


Let me emphasize what Don said: Hooking is not a good idea in the general
case. If you’re doing it to investigate something in your lab, feel free.
But avoid hooking in product code or even in code you distribute widely.


James Antognini
Windows DDK Support

This posting is provided “AS IS” with no warranties, and confers no rights.


Hi !
Thank you for the code… it works fine now…

Regards,

Marcos

----- Original Message -----
From: “narendra.bhongale”
To: “Windows File Systems Devs Interest List”
Sent: Thursday, October 21, 2004 9:56 AM
Subject: RE: [ntfsd] Hooksys example…

Hi !
Thank you for the information… it works fine…

I don’t have much experience with device drivers, and I downloaded and
installed the Windows 2003 IFS Kit… I need to start studying now…

Does anyone have other “tips and tricks” for a beginner in device-driver
development? Many years ago, I checked the FILEMON source code… but I
think this is not a good way, because FILEMON has many internal
problems… with Norton Antivirus and other drivers too…

Does anyone have a simple “file system filter driver” example to send me?

Thank you

Marcos

----- Original Message -----
From: “Pankaj Garg”
Newsgroups: ntfsd
To: “Windows File Systems Devs Interest List”
Sent: Thursday, October 21, 2004 5:27 PM
Subject: Re:[ntfsd] Hooksys example…
>
>
> > You should attach a kernel debugger and tell us the bugcheck code.
> >
> > Can this be related to the protection bits on the pages? I heard sometime
> > back that Regmon stopped working due to some memory protection changes in
> > XPSP2 but Mark Russinovich found a way to get around the problem. The
> > assembly code given in the previous post on this thread simply
> > disables/enables the protection bits on the processor.
> >
> > // to disable Write protection
> > _asm mov eax, cr0
> > _asm and eax, NOT 10000H
> > _asm mov cr0, eax
> >
> > // To enable write protection
> > MOV EAX, CR0
> > OR EAX, 10000H
> > MOV CR0, EAX
> >
> > You can try this code and see if that helps.
> >
> > PS: I don’t think this is meant to be a replacement for _asm cli and _asm
> > sti, instead you should first do an _asm cli then disable protection, then
> > change the descriptor table, enable protection and then finally enable
> > interrupts.
> >
> > PPS: Like others, I agree hooking is a bad approach.
> >
> > –
> > Pankaj Garg
> > This posting is provided “AS IS” with no warranties and confers no rights.
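As a defender-side counterpart to the service-table hooking discussed in this thread, here is an added example (not code from the thread, the book, or the hooksys sample) of the offline triage check that flags service-table entries pointing outside the trusted kernel image; the image range, the table snapshot and every address in it are constructed placeholders, not real XP values.

```c
/* Added example: flag system-service-table entries that do not resolve into
 * any trusted image. All addresses below are constructed placeholders. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef struct {
    const char *name;
    uintptr_t   base;   /* load address of the image */
    size_t      size;   /* size of the mapped image in bytes */
} ImageRange;

/* Returns 1 if addr lies inside [base, base + size). */
static int in_image(const ImageRange *img, uintptr_t addr)
{
    return addr >= img->base && addr - img->base < img->size;
}

/* Scans `count` table entries. An entry is suspicious when it points into
 * none of the `nimages` trusted images. Indices of suspicious entries are
 * written to `out` (at most `out_cap`); the return value is the total count,
 * so callers can size a buffer by passing out_cap == 0 first. */
size_t find_hooked_entries(const uintptr_t *table, size_t count,
                           const ImageRange *images, size_t nimages,
                           size_t *out, size_t out_cap)
{
    size_t found = 0;
    for (size_t i = 0; i < count; i++) {
        int trusted = 0;
        for (size_t j = 0; j < nimages && !trusted; j++)
            trusted = in_image(&images[j], table[i]);
        if (!trusted) {
            if (found < out_cap) out[found] = i;
            found++;
        }
    }
    return found;
}

/* Constructed snapshot: one trusted image spanning 0x804d7000..0x806f0000
 * and a six-entry table whose third entry has been redirected elsewhere. */
static const ImageRange kTrusted[] = { { "ntoskrnl (constructed)", 0x804d7000u, 0x219000u } };
static const uintptr_t  kTable[]   = { 0x805b0000u, 0x805b1234u, 0xf7a12000u,
                                       0x8060abcdu, 0x80500000u, 0x804d7000u };

int main(void)
{
    size_t hits[8];
    size_t n = find_hooked_entries(kTable, 6, kTrusted, 1, hits, 8);
    for (size_t i = 0; i < n; i++)
        printf("entry %zu -> %#lx is outside every trusted image\n",
               hits[i], (unsigned long)kTable[hits[i]]);
    return 0;
}
```

A hook that redirects into a trampoline inside a legitimate module, or an inline patch of the target function itself, passes this range check, so treat a clean result as first-pass triage rather than a verdict.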