Known or suspected system service hookers ...

Gentlefolk

It might be useful while our attention is on hooking system services to
collate a list of products known or suspected to hook system services. So
here is what I recall seeing in the thread(s) so far …

Regmon (Sysinternals)
TrueTime, TrueCoverage (Compuware)
BoundsChecker (Compuware)
SoftIce

Anyone care to add to the list?

Cheers
Lyndon

Regmon (Sysinternals)
TrueTime, TrueCoverage (Compuware)
BoundsChecker (Compuware)
SoftIce
Trust-No-Exe (Beyond Logic)
FileMon (Sysinternals)

Ah, yes, I missed Trust-No-Exe! AFAIK FileMon does not [did not] use system
service hooks.

I could also add to the list …

strace (Bindview/Razor)

“Oliver Schneider” wrote in message
news:xxxxx@ntdev…

You forgot Windbg and DriverVerifier. :-)

I also suspect - but I can’t put my hand on the fire for it - that some
graphics and video drivers hook stuff too. The OpenGL GLTrace program also
hooks, so does IBM’s ZAPdb OpenGL debugger.

Alberto.

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com]On Behalf Of Lyndon J Clarke
Sent: Wednesday, January 28, 2004 10:57 AM
To: Windows System Software Devs Interest List
Subject: [ntdev] Known or suspected system service hookers …

Questions? First check the Kernel Driver FAQ at
http://www.osronline.com/article.cfm?id=256

You are currently subscribed to ntdev as: xxxxx@compuware.com
To unsubscribe send a blank email to xxxxx@lists.osr.com

The contents of this e-mail are intended for the named addressee only. It
contains information that may be confidential. Unless you are the named
addressee or an authorized designee, you may not copy or use it, or disclose
it to anyone else. If you received it in error please notify us immediately
and then destroy it.

Compuware products use an alternate method of hooking “insert whatever
here”, completely different from products like Regmon.

Dan

----- Original Message -----
From: “Lyndon J Clarke”
Newsgroups: ntdev
To: “Windows System Software Devs Interest List”
Sent: Wednesday, January 28, 2004 5:56 PM
Subject: [ntdev] Known or suspected system service hookers …


Well, Driver Verifier is a different type of hook, since it attaches to the
driver’s import table, not a system table. This has a lot less impact, and
since it requires the hookers to be there till the hooked driver unloads, it
is somewhat different from hooking the system call table or patching the kernel.

Don Burn (MVP, Windows DDK)
Windows 2k/XP/2k3 Filesystem and Driver Consulting

----- Original Message -----
From: “Moreira, Alberto”
To: “Windows System Software Devs Interest List”
Sent: Wednesday, January 28, 2004 11:19 AM
Subject: RE: [ntdev] Known or suspected system service hookers …

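Don’s distinction above (a system-table hook that redirects a service slot out of the kernel image, versus an import-table hook that rebinds one driver’s imports) is what a checker has to model if it wants to tell the two apart. The following is an added example, not code from this thread or from any of the products named in it. It assumes the data a WinDbg session would give you (module ranges from `lm`, the service table from `dps nt!KiServiceTable`, export addresses from `x nt!*`); here every module range, export address and table slot is constructed, and no real dump is read.

```c
/*
 * Two checks, one per hook style discussed in the thread.
 *   scan_ssdt: a system service table slot must lie inside the kernel image;
 *              a slot pointing into another driver (or into no image) is a hook.
 *   scan_iat:  a driver's import slot must equal the address the exporting
 *              module resolves that name to; a range check is not enough here,
 *              because a rebound import can still land inside the same image.
 * All addresses below are constructed for the example, not taken from a real system.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef struct { const char *name; uintptr_t base, size; } module_t;
typedef struct { const char *name; uintptr_t addr; } export_t;

/* Constructed module list, the shape WinDbg's 'lm' output has. */
static const module_t modules[] = {
    { "nt",     0x80400000, 0x1cf000 },   /* kernel image: service routines live here */
    { "hal",    0x80062000, 0x00d000 },
    { "regmon", 0xf9a40000, 0x005000 },   /* a driver that replaces system table slots */
};
#define NMODULES (sizeof modules / sizeof modules[0])

/* Constructed exports of nt: the addresses a clean import should resolve to. */
static const export_t nt_exports[] = {
    { "ExAllocatePoolWithTag", 0x8047f890 },
    { "ZwCreateFile",          0x8050c1e0 },
    { "IoCreateDevice",        0x8049b2f0 },
};
#define NEXPORTS (sizeof nt_exports / sizeof nt_exports[0])

/* Constructed dump of four system service table slots; slot 2 points into regmon. */
static const uintptr_t ssdt[] = { 0x804f7a3c, 0x8050c1e0, 0xf9a41230, 0x805125a8 };
#define NSSDT (sizeof ssdt / sizeof ssdt[0])

/* Constructed import table of one driver; slot 0 was rebound to a thunk that is
 * still inside nt, so a module-range check alone would call it clean. */
static const export_t driver_iat[] = {
    { "ExAllocatePoolWithTag", 0x805a0a10 },
    { "ZwCreateFile",          0x8050c1e0 },
    { "IoCreateDevice",        0x8049b2f0 },
};
#define NIAT (sizeof driver_iat / sizeof driver_iat[0])

/* Returns the module whose image range contains addr, or NULL if none does. */
const module_t *module_for(uintptr_t addr) {
    for (size_t i = 0; i < NMODULES; i++)
        if (addr >= modules[i].base && addr - modules[i].base < modules[i].size)
            return &modules[i];
    return NULL;
}

/* Returns the address nt exports under 'name', or 0 if it is not exported. */
uintptr_t nt_export_address(const char *name) {
    for (size_t i = 0; i < NEXPORTS; i++)
        if (strcmp(nt_exports[i].name, name) == 0) return nt_exports[i].addr;
    return 0;
}

/* System table check. Returns the number of slots that do not lie in nt,
 * naming the module each one was redirected into. */
int scan_ssdt(const uintptr_t *table, size_t n) {
    int redirected = 0;
    for (size_t i = 0; i < n; i++) {
        const module_t *m = module_for(table[i]);
        if (m != NULL && strcmp(m->name, "nt") == 0) continue;
        redirected++;
        printf("service %zu -> %08lx: %s\n", i, (unsigned long)table[i],
               m ? m->name : "no loaded image (inline patch or pool code?)");
    }
    return redirected;
}

/* Import table check. Returns the number of slots whose bound address differs
 * from what nt exports under that name, whichever image the address is in. */
int scan_iat(const export_t *iat, size_t n) {
    int rebound = 0;
    for (size_t i = 0; i < n; i++) {
        uintptr_t expected = nt_export_address(iat[i].name);
        if (expected != 0 && iat[i].addr == expected) continue;
        rebound++;
        const module_t *m = module_for(iat[i].addr);
        printf("import %s -> %08lx (expected %08lx): %s\n", iat[i].name,
               (unsigned long)iat[i].addr, (unsigned long)expected,
               m ? m->name : "no loaded image");
    }
    return rebound;
}

int main(void) {
    int s = scan_ssdt(ssdt, NSSDT);
    int r = scan_iat(driver_iat, NIAT);
    printf("%d system table slot(s) redirected, %d import slot(s) rebound\n", s, r);
    return 0;
}
```

Run against the constructed tables it reports one redirected service slot (owned by regmon) and one rebound import (still inside nt, which is why the import check compares against the resolved export rather than the image range). A checker like this flags legitimate hookers exactly as readily as hostile ones, which is the practical use of a list like the one Lyndon is collating: every product on it is an expected finding that has to be recognised before the remainder is treated as suspicious.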

don’t forget the AV community
Duane

Moreira, Alberto wrote:


Ouch! Now I’m stumped …

-prokash

-----Original Message-----
From: Duane Souder [mailto:xxxxx@cisco.com]
Sent: Wednesday, January 28, 2004 8:50 AM
To: Windows System Software Devs Interest List
Subject: Re: [ntdev] Known or suspected system service hookers …


In the AV community there may be some people doing hooking,
but there are many AV solutions without any ‘dirty’ hook at all!

Inaki.

-----Original Message-----
From: Duane Souder [mailto:xxxxx@cisco.com]
Sent: Wednesday, 28 January 2004 17:50
To: Windows System Software Devs Interest List
Subject: Re: [ntdev] Known or suspected system service hookers …


So what? Below are lab testing tools, never intended for production
machines. They can use anything theoretically possible to do their job -
hooking and so on.

Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
xxxxx@storagecraft.com
http://www.storagecraft.com

----- Original Message -----
From: “Lyndon J Clarke”
Newsgroups: ntdev
To: “Windows System Software Devs Interest List”
Sent: Wednesday, January 28, 2004 6:56 PM
Subject: [ntdev] Known or suspected system service hookers …
