RE: [BULK] - Re:Hooking system services (was NtCreateSection() - relation between parent and child p

Is it possible to get WHQL certified if you do hooking?

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Lyndon J Clarke
Sent: Wednesday, January 28, 2004 8:00 AM
To: Windows System Software Devs Interest List
Subject: [BULK] - Re:[ntdev] Hooking system services (was
NtCreateSection() - relation between parent and child process)

… and google says look here …

http://www.i.u-tokyo.ac.jp/ss/lecture/new-documents/Projects/RegistryCallbacksSpec.pdf

“Oliver Schneider” wrote in message
news:xxxxx@ntdev…
> > This seems like an opportune moment to spring a related question.
> > Regmon from www.sysinternals.com used to hook registry related
> > system calls in the SDT. I believe the version that ships on W2K3
> > no longer uses this technique and takes advantage of a new registry
> > monitoring/hooking/intercepting/whatever API added therein. I have
> > a PPP from Mark Russinovich entitled “Windows XP Kernel Changes”
> > that loosely references this API but I have not seen any other
> > pointers or documentation on the beastie. Can anybody provide some
> > illumination?
> A quick look into the .SYS file with the dependency viewer shows only
> four function imports from NTOSKRNL.EXE which are not bound on my
> Windows 2000 Professional:
> - CmRegisterCallback
> - CmUnRegisterCallback
> - InterlockedPopEntrySList
> - InterlockedPushEntrySList
>
> The latter two are quite clear by name (although I don’t know the
> prototypes) and the first two could be exactly the hooking API which
> was requested during this discussion :wink:
>
> CmUnRegisterCallback() seems to take two ULONG size parameters and
> returns nothing (although this is not sure, yet). The first one is
> presumably a handle which was returned by the call to the
> CmRegisterCallback() function.
>
> CmRegisterCallback() takes three parameters, the first being the
> offset of the callback function, the second unknown to me and the
> third pointing to a “handle” being returned. It returns (most likely)
> an NTSTATUS value.
>
> The prototypes could look like this:
>
> NTSTATUS CmRegisterCallback(
>     PVOID *Function,
>     ULONG Unknown,
>     HANDLE *CallbackHandle
> );
>
> VOID CmUnRegisterCallback(
>     HANDLE CallbackHandle,
>     ULONG Unknown
> );
>
> No guarantee for the correctness of information. Take it as a starting
> point.
>
> Oliver
>
>
