Re[5]: How to hook the function IoCallDriver?

Hello Dan,

Sunday, December 12, 2004, 3:20:02 PM, you wrote:

DP> Your post isn’t really worth my time to reply to, but still, here it is

>> yep you are right, people at OSR are lamers
DP> I beg you not to put words in my mouth. I happen to have a good relationship
DP> with both Tony and Peter from OSR. I won’t permit you or anyone else
DP> to imply in a response that I said “people at OSR are lamers”. Got that, babe?
DP> I might have been wrong with my answer, but your reply is out of the limits. If
DP> you cannot have a polite behaviour, and you cannot post without putting
DP> words in other people’s mouths, do not. Attack me if you want, tell me that I’m stupid,
DP> but don’t you dare put words in my mouth.
Yes, you are right. I overreacted, I’m sorry for that. I wanted to
show how it is when people overreact. You did it too, and a lot of
knowledgeable people do it here too. It’s easy to make jokes about people
asking “not-so-clever” questions. You’re in touch with Tony and Peter.
They never make jokes about these questions, they’re always correct. I
appreciate that.

DP> Or even better, provide a correct response to the OP’s
DP> question.
I never intended to answer the OP’s question.


Best regards,
Ivona Prenosilova

Someone said that hooking IoCallDriver is not a good method to solve
the problem, but is there another way to do the job that tracks all the IRPs?


Enjoy the world’s largest e-mail system: MSN Hotmail. http://www.hotmail.com

Hooking anything is not a good method. Quite frankly the OSR utility is an example of how not to do things, although it is quite useful, and the folks at OSR have the experience and wisdom to do bad things correctly. Yes, they hooked the function that provides IoCallDriver. Yes, this is the only useful way to trace ALL IRP send transactions. No, you, with your obvious inexperience in kernel development and low-level hackery, should not even be considering doing this.

So, with IrpTracker, a development test tool, out there available for download free of charge, what is it that you really are trying to accomplish?

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of shark marian
Sent: Sunday, December 12, 2004 10:10 AM
To: Windows System Software Devs Interest List
Subject: RE:[ntdev] How to hook the function IoCallDriver?



Questions? First check the Kernel Driver FAQ at
http://www.osronline.com/article.cfm?id=256

You are currently subscribed to ntdev as:
xxxxx@hollistech.com To unsubscribe send a blank email to
xxxxx@lists.osr.com

IrpTracker is a development utility; there are techniques I might deem
acceptable in a development utility that I would NOT consider acceptable
for a product. When I answer questions (mostly in NTFSD, where the
poster also presented the identical question) I always assume the
techniques we are discussing are product-level.

Drivers import functions via a dispatch table; thus you can “take over”
an entry in a particular driver’s dispatch table. But that intercepts
the call for a given (specific) driver, not for all drivers on the
system. This is how driver verifier actually works - the memory manager
notes that the driver is being verified and when it fixes up the
dispatch table it uses alternative versions of the functions.

Further complicating this is that IoCallDriver is a legacy function
implementation. The DDK redefines it to IofCallDriver and that function
in turn uses a global OS pointer (pIofCallDriver) to find the ACTUAL
function that currently implements this code (IopfCallDriver as I
recall). Further, the details of this implementation will depend upon
which version of the OS you are discussing. All of this would fall out
with a few minutes analysis in the debugger.

The product-level solution to this problem is to use a filter driver.
They are architecturally supported within the OS model of drivers and do
not require using unsavory techniques.

And while you might think I’m lame because I don’t give you the
quickest, easiest, and dirtiest answer available, I will merely note
that it is very likely I will have to pay the costs for providing such
information, both in my own drivers and in supporting my customers,
while most people asking questions in this forum of this type will have
moved on in that timeframe. I cannot tell you the number of times I’ve
had to figure out work-arounds because of such hacks in other people’s
drivers - but we all know that “last driver installed is at fault”. If
you think constructing hacks of this nature is difficult, try
constructing solutions that are resilient in the face of such hacks and
still continue to work when the hack is not present.

One advantage of having a thorough understanding of the OS is that you will
have an appreciation of which tricks you can use and when. There is no
way that I can make that determination from a simple question like “how
can I hook IoCallDriver”. Further, I consider giving out that
information blithely before understanding the intent of the user to be
irresponsible - akin to handing out a loaded firearm to a random person.
In either case, I’m likely to bear the brunt of their actions. Clearly,
I’m not alone in this position either - notice the paucity of replies to
the original query.

I can say that if you consider those of us at OSR as “lame” that perhaps
you would be better served participating in a community elsewhere - one
where playing by the rules is unimportant.

Regards,

Tony

Tony Mason
Consulting Partner
OSR Open Systems Resources, Inc.
http://www.osr.com

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of ivona prenosilova
Sent: Sunday, December 12, 2004 9:40 AM
To: ntdev redirect
Subject: Re[5]: [ntdev] How to hook the function IoCallDriver?


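The three interception scopes that Tony's post distinguishes, as an added example that is not code from the thread, from OSR or from IrpTracker: a user-mode C model in which each driver image carries its own import slot for IoCallDriver (patching it catches that one driver's calls only), IofCallDriver reaches the implementation through a single global pointer modelled on the pIofCallDriver Tony mentions (replacing it catches every caller, including a filter's own pass-down call), and a filter device attached above one target sees only IRPs aimed at that device stack. The DeviceObject, DriverImage and Irp structs, the device and driver names, and the hit counters are all invented for the model; nothing here parses a real PE import table or touches kernel memory.

```c
/* Added example, not code from the thread: a user-mode model of the three
 * interception points discussed above.  DeviceObject, DriverImage, Irp,
 * the device/driver names and the hit counters are all invented here. */
#include <stddef.h>
#include <stdio.h>

typedef struct { int major; const char *from; } Irp;   /* toy IRP */

typedef struct DeviceObject {
    const char *name;
    int (*Dispatch)(struct DeviceObject *self, Irp *irp);
    struct DeviceObject *lower;   /* next device down the stack, or NULL */
    int seen;                     /* IRPs this device's dispatch handled */
} DeviceObject;

typedef int (*CallDriverFn)(DeviceObject *dev, Irp *irp);

/* Lowest level: hand the IRP to the target's dispatch routine
 * (stands in for the kernel-internal IopfCallDriver). */
static int IopfCallDriver(DeviceObject *dev, Irp *irp) {
    return dev->Dispatch(dev, irp);
}

/* IofCallDriver reaches the implementation through one global pointer. */
static CallDriverFn pIofCallDriver = IopfCallDriver;
static int IofCallDriver(DeviceObject *dev, Irp *irp) {
    return pIofCallDriver(dev, irp);
}

/* Every driver image carries its own import slot for IoCallDriver. */
typedef struct { const char *name; CallDriverFn IoCallDriver_slot; } DriverImage;

static int SendFrom(DriverImage *drv, DeviceObject *target, Irp *irp) {
    irp->from = drv->name;
    return drv->IoCallDriver_slot(target, irp);
}

/* Hook 1: written into ONE driver's import slot. */
static int IatHookHits;
static int IatHook(DeviceObject *dev, Irp *irp) {
    IatHookHits++;
    return IofCallDriver(dev, irp);       /* continue along the normal path */
}

/* Hook 2: written into the global pointer; every IofCallDriver call lands here. */
static int GlobalHookHits;
static int GlobalHook(DeviceObject *dev, Irp *irp) {
    GlobalHookHits++;
    return IopfCallDriver(dev, irp);
}

/* Dispatch routines: a plain target, and a filter that observes then passes down. */
static int TargetDispatch(DeviceObject *self, Irp *irp) {
    (void)irp;
    self->seen++;
    return 0;                             /* STATUS_SUCCESS */
}
static int FilterDispatch(DeviceObject *self, Irp *irp) {
    self->seen++;
    return IofCallDriver(self->lower, irp);
}

static int LastIat, LastGlobal, LastFilter;
int LastIatHits(void)    { return LastIat; }
int LastGlobalHits(void) { return LastGlobal; }
int LastFilterSeen(void) { return LastFilter; }

/* Runs the scenario; returns the number of IRPs delivered to the two targets. */
int RunScenario(void) {
    DeviceObject diskA = { "diskA", TargetDispatch, NULL, 0 };
    DeviceObject diskB = { "diskB", TargetDispatch, NULL, 0 };
    DeviceObject filt  = { "filter-over-diskA", FilterDispatch, &diskA, 0 };
    DriverImage fs  = { "fs.sys",  IofCallDriver };   /* unpatched import */
    DriverImage net = { "net.sys", IofCallDriver };
    Irp irp = { 3, NULL };                            /* IRP_MJ_READ-like */

    IatHookHits = GlobalHookHits = 0;

    /* Scope 1: patch only fs.sys's slot; net.sys keeps the real import. */
    fs.IoCallDriver_slot = IatHook;
    SendFrom(&fs,  &filt,  &irp);   /* fs -> filter -> diskA     (IAT hook: 1) */
    SendFrom(&fs,  &diskB, &irp);   /* fs -> diskB               (IAT hook: 2) */
    SendFrom(&net, &filt,  &irp);   /* net -> filter -> diskA    (IAT hook misses) */
    SendFrom(&net, &diskB, &irp);   /* net -> diskB              (IAT hook misses) */

    /* Scope 2: swap the global pointer; now every caller is intercepted,
     * and an IRP that crosses the filter is counted twice: once for the
     * sender's call and once for the filter's own pass-down call. */
    pIofCallDriver = GlobalHook;
    SendFrom(&net, &diskB, &irp);   /* global: 1 */
    SendFrom(&fs,  &diskB, &irp);   /* IAT hook: 3, then global: 2 */
    SendFrom(&net, &filt,  &irp);   /* global: 3 (net), 4 (filter pass-down) */
    pIofCallDriver = IopfCallDriver;                  /* restore */

    LastIat = IatHookHits;          /* 3: fs.sys's sends only */
    LastGlobal = GlobalHookHits;    /* 4: every call after the swap */
    LastFilter = filt.seen;         /* 3: only traffic aimed at diskA's stack */
    return diskA.seen + diskB.seen; /* 3 + 4 */
}

int main(void) {
    int total = RunScenario();
    printf("delivered=%d iat=%d global=%d filter=%d\n",
           total, LastIatHits(), LastGlobalHits(), LastFilterSeen());
    return 0;
}
```

Two things the counts make explicit that the prose only implies: a hook on the global path counts IoCallDriver calls rather than IRPs, so an IRP that passes through a filter is seen once for the sender's call and again for the filter's pass-down; and a filter's view is defined by the stack it is attached to, not by which driver sent the IRP, which is the architecturally supported scope Tony calls the product-level answer.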