Problem of hooking by InterlockedExchange

Hi,
I am trying to support a remote printer by hooking IRP_MJ functions.
I am using “InterlockedExchange” function to place my function in place of the default one.

But the problem comes after that. I am just able to capture data. Whenever I am sending captured data by TDI (TCP/IP) it hangs. I am not even able to store information into a file.

The code segment follows.

OldIrpMjReadFunction = driverObj->MajorFunction[IRP_MJ_READ];
if (OldIrpMjReadFunction)
    InterlockedExchange((PLONG)&driverObj->MajorFunction[IRP_MJ_READ], (LONG)NewIrpMjReadFunction);

Please help me.
Any help will be appreciated.

Regards,
Barun

What device are you hooking?
Why are you hooking instead of filtering?
What is the IRQL when your NewIrpMjReadFunction is called?
What does your NewIrpMjReadFunction actually do?
Have you tried stepping through your code with a debugger?

-----Original Message-----
From: xxxxx@lists.osr.com [mailto:bounce-305551-xxxxx@lists.osr.com] On Behalf Of xxxxx@gmail.com
Sent: Friday, November 09, 2007 4:18 AM
To: Windows System Software Devs Interest List
Subject: [ntdev] Problem of hooking by InterlockedExchange


NTDEV is sponsored by OSR

For our schedule of WDF, WDM, debugging and other seminars visit:
http://www.osr.com/seminars

To unsubscribe, visit the List Server section of OSR Online at
http://www.osronline.com/page.cfm?name=ListServer

> The code segment follows.
>
> OldIrpMjReadFunction = driverObj->MajorFunction[IRP_MJ_READ];
> if (OldIrpMjReadFunction)
>     InterlockedExchange((PLONG)&driverObj->MajorFunction[IRP_MJ_READ], (LONG)NewIrpMjReadFunction);

[PCAUSA] Those lines of code taken by themselves are OK.

The problem lies elsewhere.

Use the debugger to see if your NewIrpMjReadFunction is called.
Use the debugger to see why the system hangs.

Thomas F. Divine


Everybody assumes it’s 32bit code…


> -----Original Message-----

From: xxxxx@lists.osr.com [mailto:bounce-305579-xxxxx@lists.osr.com] On Behalf Of Andrei Zlate-Podani
Sent: Friday, November 09, 2007 9:44 AM
To: Windows System Software Devs Interest List
Subject: Re: [ntdev] Problem of hooking by InterlockedExchange

Everybody assumes it’s 32bit code…

[PCAUSA] You are right. The code should look like this for compatibility with x64:

OldIrpMjReadFunction = driverObj->MajorFunction[IRP_MJ_READ];

/* Pointer-sized exchange: Target is PVOID volatile *, so the whole slot is written on x64. */
if (OldIrpMjReadFunction)
    InterlockedExchangePointer(
        (PVOID *)&driverObj->MajorFunction[IRP_MJ_READ],
        (PVOID)NewIrpMjReadFunction
        );

But, that’s almost certainly not the OP’s problem.

Thomas
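
Why the (LONG) cast matters on x64, as an added example that is not part of the original thread: a user-mode model of the two exchanges, using constructed addresses and hypothetical helper names, with atomicity not modelled. It also shows why the 32-bit form can appear to work: when the old and new routines share the same upper 32 bits, the slot ends up correct by accident.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed 64-bit addresses standing in for dispatch routines. */
#define OLD_HANDLER      0xFFFFF80012345678ULL /* routine already in the slot */
#define NEW_HANDLER_FAR  0xFFFFF880ABCDEF00ULL /* upper 32 bits differ        */
#define NEW_HANDLER_NEAR 0xFFFFF80000C0FFEEULL /* upper 32 bits match the old */

/* Model of InterlockedExchange((PLONG)&slot, (LONG)value) on little-endian
 * x64: only the low 32 bits of the 8-byte slot are replaced and the old low
 * half is returned as a LONG. Atomicity is not modelled, only operand width. */
static int32_t exchange_long(uint64_t *slot, uint64_t value) {
    int32_t old = (int32_t)(uint32_t)*slot;
    *slot = (*slot & 0xFFFFFFFF00000000ULL) | (uint32_t)value;
    return old;
}

/* Model of InterlockedExchangePointer(&slot, value): the whole slot changes. */
static uint64_t exchange_pointer(uint64_t *slot, uint64_t value) {
    uint64_t old = *slot;
    *slot = value;
    return old;
}

/* Slot contents after installing `handler` with the 32-bit exchange. */
uint64_t slot_after_long(uint64_t handler) {
    uint64_t slot = OLD_HANDLER;
    (void)exchange_long(&slot, handler);
    return slot;
}

/* Slot contents after installing `handler` with the pointer-sized exchange. */
uint64_t slot_after_pointer(uint64_t handler) {
    uint64_t slot = OLD_HANDLER;
    (void)exchange_pointer(&slot, handler);
    return slot;
}

int main(void) {
    printf("long, far:    %016" PRIX64 "\n", slot_after_long(NEW_HANDLER_FAR));
    printf("long, near:   %016" PRIX64 "\n", slot_after_long(NEW_HANDLER_NEAR));
    printf("pointer, far: %016" PRIX64 "\n", slot_after_pointer(NEW_HANDLER_FAR));
    return 0;
}
```

With the 32-bit exchange and a routine whose upper half differs, the slot holds a mix of the old upper half and the new lower half, an address that belongs to neither routine.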


xxxxx@gmail.com wrote:

> I am trying to support a remote printer by hooking IRP_MJ functions.

Although other replies have dealt with the details, I am still boggled
by this statement. I would love to have listened in on the
brainstorming session that started out “we need to support a remote
printer”, and eventually came to the conclusion that the best solution
was to hook the dispatch table for some existing driver.

The NT printer driver model has well-established, well-used, and
well-tested methods for talking to printers over a network. Did you
even consider any of those?

Even without sharing, there are several protocols for talking to
networked printers, again supported by the standard operating system.
There must be a half dozen mechanisms that should have been explored
before exploring the dark side.


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.

We are trying to hook at the URB level. Basically the idea is to catch
URBs in the server and send them to the client (where the real device is present).
It is USB over IP in Windows OS.

On Nov 10, 2007 2:02 AM, Tim Roberts wrote:
> xxxxx@gmail.com wrote:
> > I am trying to support a remote printer by hooking IRP_MJ functions.

Barun Kumar Parichha,
Research Scholar,
Dept of Computer Science & Engg.
I.I.T. Madras
Chennai - 36

For testing purposes I am hooking a keyboard and printer.
The NewIrpMjReadFunction hooks a completion routine to get the data
read from the keyboard, and then sends it to the remote machine through TDI.
Yes, if I remove my TDI call, it works fine.

I feel it’s not possible to call TDI in a hooked completion routine.
Because I failed to open a file and write my data onto it.
Please comment on this and give your valuable suggestion.

On Nov 9, 2007 9:20 PM, Mark Roddy wrote:
> What device are you hooking?
> Why are you hooking instead of filtering?
> What is the IRQL when your NewIrpMjReadFunction is called?
> What does your NewIrpMjReadFunction actually do?
> Have you tried stepping through your code with a debugger?

Barun Kumar Parichha,
Research Scholar,
Dept of Computer Science & Engg.
I.I.T. Madras
Chennai - 36

You should understand from other comments that this approach, for
testing purposes or not, is the wrong way to go. Use KMDF to implement
filter drivers and give up on hooking.

That said, you did not answer the question about IRQL level. If you
are not executing at passive level you will not be able to perform
operations like ‘open a file’. You need to read the WDK documentation
carefully for every kernel interface you call and note the IRQL level
restrictions. These restrictions are mandatory. The system will crash
or hang or otherwise malfunction if you break the rules.

On Nov 11, 2007 4:33 AM, barun parichha wrote:
> For testing purposes I am hooking a keyboard and printer.
> The NewIrpMjReadFunction hooks a completion routine to get the data
> read from the keyboard, and then sends it to the remote machine through TDI.
> Yes, if I remove my TDI call, it works fine.
>
> I feel it’s not possible to call TDI in a hooked completion routine.
> Because I failed to open a file and write my data onto it.
> Please comment on this and give your valuable suggestion.


Mark Roddy

barun parichha wrote:

> We are trying to hook at the URB level. Basically the idea is to catch
> URBs in the server and send them to the client (where the real device is present).
> It is USB over IP in Windows OS.

Then you want a filter driver, not a hook. You should be able to do
this completely generically, without any device-specific functionality
at all.

Wouldn’t it be fun to plug in a USB Ethernet card, and get into an
infinite nesting loop of USB over IP over USB over IP over USB…


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.