Re[3]: How to hook the function IoCallDriver?

Hello Dan,

Sunday, December 12, 2004, 1:56:00 PM, you wrote:

DP> What's wrong with using a classical filter driver for this? This is the correct
DP> solution to your problem, not a fantasist approach like hooking a kernel API. May I
DP> suggest you learn how NT works internally?
heh, it always makes me angry to see answers like this. So just my 2
cents:

the OP writes he wants to track the IRPs, right? Hmm, let me think,
doesn't there exist any program that does track IRPs? Yep, right, it's
called IrpTracker and it's written by OSR staff. And guess what? The
IrpTracker's embedded driver (the one in the resource section) does hook
IofCallDriver.

yep, you are right, people at OSR are lamers; if they knew how NT
works internally, they could write it much easier and better. But
well, maybe the OP is the same lamer, he wants to do it for his lame
testing utility, so what's the deal? If you can't or don't want to answer,
don't do it. No one's interested in spam emails like "oh man, another
lamer asking another lame question, RTFM and then maybe come back".

just ignore these posts, it's so easy ...


Best regards,
Ivona Prenosilova

Ivona,

Your post isn't really worth my time to reply to, but still, here it is

> yep you are right, people at osr are lamers

I beg you not to put words in my mouth. I happen to have a good relationship
with both Tony and Peter from OSR. I won't permit you or anyone else
to imply in a response that I said "ppl at OSR are lamers". Got that, babe?

I might have been wrong with my answer, but your reply is out of the limits. If
you cannot have a polite behaviour, and you cannot post without putting words in
other ppl's mouths, do not. Attack me if you want, tell me that I'm stupid, but
don't you dare put words in my mouth. Or even better, provide a correct response
to the OP's question.

Also, during that time I provided responses to "unholy internal stuff"
problems on the list when I saw fit to do so. RTFM is always good, Ivona.
Many ppl who asked questions on the list during the last years had no idea
about what they want to do, let alone how to do it.

Ciao, Dan

----- Original Message -----
From: “ivona prenosilova”
To: “Windows System Software Devs Interest List”
Sent: Sunday, December 12, 2004 3:38 PM
Subject: Re[3]: [ntdev] How to hook the function IoCallDriver?


Marian,

if somebody knows and is willing to show the documented technique to you,
think of using that technique.

Again, I am not sure if the IoCallDriver function is accessible through the OS
Service Dispatch Table (though it is worth giving it a try). If it is
accessible, the best way is to hook the SDT.

If I were you, I would have looked at the SDT for the address of IoCallDriver (or
its derivative, if any). If it is there (I think it is there), then
replace it with your own function.

To begin, have a look at the source code of the tool called
SDTRestore (google for it), which may help you to enumerate NTOSKRNL.EXE's
exported functions and their corresponding positions in the SDT.

I hope this may help you.

Regards,

Egemen Tas,

http://www.modemwall.com

-------Original Message-------
From: shark marian
Date: 12/12/04 15:29:34
To: Windows System Software Devs Interest List
Subject: RE:[ntdev] How to hook the function IoCallDriver?

hello Egemen Tas,

thanks for your reply.

But if you do this IRP tracking, what do you think is the best way to solve
this problem?

regards




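Added example (editorial; not code from the thread, from IrpTracker or from SDTRestore): a user-mode C model of the "replace the table entry with your own function and forward" pattern Egemen describes above, which is also the shape of the IofCallDriver hook Ivona attributes to IrpTracker. One caveat before the code: IoCallDriver and IofCallDriver are ntoskrnl exports, not system services, so the System Service Descriptor Table (which holds the Nt* service entries) has no slot for them; a real hook would have to patch the export entry or the function body instead. The part that is the same whichever table is patched is what the model shows: save the original pointer, count and forward every call unchanged, refuse to unhook while a call is still inside the hook. The DEVICE_OBJECT and IRP structures, the status values, the table slot and the device name are assumed stand-ins; nothing here touches a kernel.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Subset of IRP major function codes, values as in the DDK headers. */
#define IRP_MJ_CREATE            0x00
#define IRP_MJ_READ              0x03
#define IRP_MJ_WRITE             0x04
#define IRP_MJ_MAXIMUM_FUNCTION  0x1b

/* Assumed stand-ins for the kernel structures: only the fields the model needs. */
typedef struct _DEVICE_OBJECT { const char *name; } DEVICE_OBJECT;
typedef struct _IRP { unsigned char major_function; unsigned long length; } IRP;
typedef int (*CALL_DRIVER_FN)(DEVICE_OBJECT *dev, IRP *irp);

#define STATUS_SUCCESS            0
#define STATUS_INVALID_PARAMETER  (-1)

/* Stand-in for the lower driver the IRP is being sent to. */
static int lower_driver_dispatch(DEVICE_OBJECT *dev, IRP *irp)
{
    (void)dev;
    return irp->length > 0 ? STATUS_SUCCESS : STATUS_INVALID_PARAMETER;
}

/* The single table slot every caller goes through (models the patched entry). */
static CALL_DRIVER_FN g_call_driver_slot = lower_driver_dispatch;
/* Saved original; NULL means "not hooked". Needed both to forward and to unhook. */
static CALL_DRIVER_FN g_saved_original = NULL;

/* Per-major-function counters: the data an IRP tracker collects. */
static unsigned long g_irp_counts[IRP_MJ_MAXIMUM_FUNCTION + 1];
static unsigned long g_in_flight;   /* callers currently inside the hook */

static int hooked_call_driver(DEVICE_OBJECT *dev, IRP *irp)
{
    int status;
    g_in_flight++;
    if (irp->major_function <= IRP_MJ_MAXIMUM_FUNCTION)
        g_irp_counts[irp->major_function]++;
    /* Always forward to the saved original: swallowing the IRP here would
     * leave the caller waiting, the failure a filter driver's pass-through
     * to the lower device object avoids by construction. */
    status = g_saved_original(dev, irp);
    g_in_flight--;
    return status;
}

/* Returns 1 when installed, 0 when already hooked. */
int install_hook(void)
{
    if (g_saved_original != NULL)
        return 0;
    g_saved_original = g_call_driver_slot;
    /* In a real kernel the swap must be atomic (InterlockedExchangePointer)
     * and the target page writable; a plain store is enough in this model. */
    g_call_driver_slot = hooked_call_driver;
    return 1;
}

/* Returns 1 when restored, 0 when not hooked, -1 when a call is still inside the hook. */
int remove_hook(void)
{
    if (g_saved_original == NULL)
        return 0;
    if (g_in_flight != 0)
        return -1;
    g_call_driver_slot = g_saved_original;
    g_saved_original = NULL;
    return 1;
}

/* Sends one constructed IRP through whatever currently sits in the slot. */
int send_irp(unsigned char major, unsigned long length)
{
    DEVICE_OBJECT dev = { "\\Device\\Example" };   /* assumed name */
    IRP irp = { major, length };
    return g_call_driver_slot(&dev, &irp);
}

unsigned long irp_count(unsigned char major)
{
    return major <= IRP_MJ_MAXIMUM_FUNCTION ? g_irp_counts[major] : 0;
}

void reset_counts(void) { memset(g_irp_counts, 0, sizeof g_irp_counts); }

int main(void)
{
    reset_counts();
    install_hook();
    send_irp(IRP_MJ_CREATE, 1);
    send_irp(IRP_MJ_READ, 512);
    send_irp(IRP_MJ_READ, 0);        /* rejected by the lower driver, still counted */
    remove_hook();
    send_irp(IRP_MJ_WRITE, 16);      /* not counted: hook already removed */
    printf("create=%lu read=%lu write=%lu\n",
           irp_count(IRP_MJ_CREATE), irp_count(IRP_MJ_READ), irp_count(IRP_MJ_WRITE));
    return 0;
}
```

The in-flight counter is the reason hooks of this kind are hard to unload safely: once a caller has entered the hook, restoring the slot does not stop it from returning into code that may be gone. A filter driver attached to the device stack sees the same IRPs through its own dispatch routines and is detached by the I/O manager, so it carries none of that state.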