You cannot hook functions in more-or-less modern Windows, at least 64-bit ones.
And yes, Device Guard in Win10+Srv2016 makes this even more prohibitive.
–
Maxim S. Shatskih
Microsoft MVP on File System And Storage
xxxxx@storagecraft.com
http://www.storagecraft.com
wrote in message news:xxxxx@ntdev…
> Hello everyone, I experienced something weird while developing a new feature for my driver (currently tested only on Windows XP!!!).
>
> In my driver I am hooking several functions through the SSDT, one of which is ZwTerminateProcess.
>
> One of the abilities I implemented in my driver requires me to use PsCreateProcessNotifyRoutine to monitor process creation (and also process termination).
>
> In my PsCreateProcessNotifyRoutine callback I am implementing some logic to edit the page tables of a specific process, and when terminating it, I want to restore the physical pages to be as they were before I changed them (just for a clean cleanup procedure).
>
> Now I have experienced some weird behavior.
> On process termination there is a weird thing going on.
> When ZwTerminateProcess is hooked, I am experiencing an exception when the function is called; here is the call stack from WinDbg:
>
> ChildEBP RetAddr Args to Child
> f41c1780 804f8afd 00000003 f41c1adc 00000000 nt!RtlpBreakWithStatusInstruction
> f41c17cc 804f96e8 00000003 c03fb780 80f346e4 nt!KiBugCheckDebugBreak+0x19
> f41c1bac 804f9c37 0000004e 00000099 00006826 nt!KeBugCheck2+0x574
> f41c1bcc 80510b92 0000004e 00000099 00006826 nt!KeBugCheckEx+0x1b
> f41c1c04 805aec1b 7f6f0019 862cc4b0 007ffff8 nt!MiDeleteValidAddress+0x156
> f41c1c24 80512655 862cc4b0 862cc5e8 862cc4b0 nt!MiDeleteAddressesInWorkingSet+0x65
> f41c1c58 805d0ed7 002cc4b0 85802da8 85802ff0 nt!MmCleanProcessAddressSpace+0x193
> f41c1ce0 805d109a c000013a 85802da8 00000000 nt!PspExitThread+0x621
> f41c1d00 805d1275 85802da8 c000013a f41c1d64 nt!PspTerminateThreadByPointer+0x52
> f41c1d2c f41248e3 00000000 c000013a 80538aa0 nt!NtTerminateProcess+0x105
> f41c1d54 8054060c ffffffff c000013a 00a0ff04 MyXpDriver!XpDriver_NtTerminateProcess+0x43
> f41c1d54 7c90eb94 ffffffff c000013a 00a0ff04 nt!KiFastCallEntry+0xfc
>
> Now when I stop monitoring that ZwTerminateProcess, I have no problem and no exception; the process exits as expected, and everything is working properly…
>
> Now I don't fully understand what the problem is here, or what is causing my driver to crash…
> Can anyone give me any hints? Does anyone know what exactly is going on that is making the program crash?
>
>
> Facts:
> 1. My code that is changing the physical pages is working perfectly. I tested it without the ZwTerminateProcess hook and it shows no problem. I debugged the physical addresses and everything is going as expected.
> 2. Without the PsCreateProcessNotifyRoutine callback, I experience no problem hooking ZwTerminateProcess.
> 3. The thing I do in my ZwTerminateProcess function is calling the 'old one' and then doing some logic of my own… the old function never finishes in this scenario.
>
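Added note (an editor's addition, not part of the thread or of any participant's post): the posted stack shows KeBugCheckEx being entered with 0x4E (PFN_LIST_CORRUPT), first parameter 0x99 and second parameter 0x6826. For this bug check the second parameter is the page frame number the memory manager objected to, so it can be inspected directly from the crash dump. The EPROCESS address 862cc4b0 used below is taken from the first argument displayed for MiDeleteAddressesInWorkingSet in the posted stack and is assumed, not confirmed, to be the exiting process; the virtual address in the !pte line is a placeholder for an address the driver remapped, which only the poster knows.

```windbg
$$ Added example: WinDbg triage for the bug check in the posted stack (not from the original post)
!analyze -v
$$ Re-display the faulting stack with frame arguments
kv
$$ PFN entry for the page named in the bug check (second parameter):
$$ state, share and reference counts, and the PTE that is recorded as mapping it
!pfn 6826
$$ Switch to the exiting process (assumed EPROCESS, see lead-in) so its user-mode PTEs can be walked
.process /p /r 862cc4b0
$$ PTE chain for a VA the driver remapped (placeholder; substitute the real address)
!pte <remapped-va>
$$ Process summary, including the state of its threads at the time of the crash
!process 862cc4b0 7
```

The thing to compare is the PTE address that !pfn reports for frame 0x6826 against the PTE that !pte shows for the remapped virtual address: if the two disagree, the page table edit and the PFN database no longer describe the same mapping, which is the condition the exit path is checking when it walks the working set.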