How to hook the function IoCallDriver?

Hello everyone,
I want to hook the function IoCallDriver() exported by ntoskrnl.exe. What
can I do to finish this job?
Regards,
ding hao



The real question here is will anyone actually answer this post?

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of shark marian
Sent: Saturday, December 11, 2004 1:23 PM
To: Windows System Software Devs Interest List
Subject: [ntdev] How to hook the function IoCallDriver?

Hello everyone,
I want to hook the function IoCallDriver() exported by
ntoskrnl.exe. What can I do to finish this job?
Regards,
ding hao




Questions? First check the Kernel Driver FAQ at
http://www.osronline.com/article.cfm?id=256

You are currently subscribed to ntdev as:
xxxxx@hollistech.com To unsubscribe send a blank email to
xxxxx@lists.osr.com

I’ll bite … why do you want to do this? This is probably one of the most system-critical functions, one that you do not want to go anywhere near.

d

-----Original Message-----
From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com] On Behalf Of Mark Roddy
Sent: Saturday, December 11, 2004 4:53 PM
To: Windows System Software Devs Interest List
Subject: RE: [ntdev] How to hook the function IoCallDriver?

The real question here is will anyone actually answer this post?


Because I want to track all the IRPs that it sends to the object. I want
to know all the IRPs, so I want to hook IoCallDriver, and then I can get
all the IRPs and all the objects that receive the IRPs.



What's wrong with using a classical filter driver for this? This is the correct
solution
to your problem, not a fantasist approach like hooking a kernel API. May I
suggest you learn how NT works internally?

Dan

----- Original Message -----
From: “shark marian”
To: “Windows System Software Devs Interest List”
Sent: Sunday, December 12, 2004 2:08 PM
Subject: RE:[ntdev] How to hook the function IoCallDriver?

> Because I want to track all the IRPs that it sends to the object. I want
> to know all the IRPs, so I want to hook IoCallDriver, and then I can get
> all the IRPs and all the objects that receive the IRPs.

Hello Dan Partelly,
May we talk to each other on MSN? My ID is xxxxx@hotmail.com. I
will wait for you if you have time.
Thanks.



I assume you are trying to do this for research purposes. I have two ideas
about achieving this. You may want to try whether they work:

I am not sure if IoCallDriver is available in the Windows Service Dispatch
table. If it is, it may be possible to hook its entry in the service
dispatch table.

Otherwise you may have to patch the export table of ntoskrnl.exe.

From my experience on this list, hooking is hardly supported, so I would
like to obey common sense :) So I suggest you ask the watchers if
there exists a documented way.

Regards,

Egemen Tas

http://www.modemwall.com


Thanks, Partelly.
First, I want to know what the watchers are. Excuse my stupid question.
Second, can we talk online using another way? Sending email to ntdev is too
slow,
do you think so?
Regards,
ding hao



Hello Egemen Tas,
Thanks for your reply.
But if you were doing this IRP tracking, what do you think is the best way to solve
this problem?
Regards

