RE: Hooking system services (was NtCreateSection() - relation between parent and child process)

All I can say is, that’s not a good way to hook. :slight_smile:

Alberto.

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com]On Behalf Of
xxxxx@gmxpro.net
Sent: Tuesday, January 27, 2004 1:48 PM
To: Windows System Software Devs Interest List
Subject: RE: [ntdev] Hooking system services (was NtCreateSection() -
relation between parent and child process)

Hi Alberto,

I well understand your point, as well as Don’s. Hooking can be heaven or
hell.

Don has just concerns that a driver which is dynamically loaded and unloaded
will not stick to any order of loading/unloading.

Imagine HookDriver1 is hooking into NtCreateFile() and exchanges the real
function address (say 0x80010000) in the SDT (System Service Descriptor Table)
with its own one (say 0xF8000000). Then HookDriver2 is being loaded and
exchanges the already modified function address (0xF8000000) with its own
function address (say 0xFA000000), saving the “old” (but already modified)
address. Then the admin goes and removes HookDriver1 from memory.

… because every hook somehow uses the original function address it saved,
the system will bugcheck the next time some code uses NtCreateFile() from the
SDT: HookDriver2 (while still on the top of the hook chain) will call to
0xF8000000 (which it saved on initialization) and … *BOOOM* … where did
it point? … the void :wink:

Needless to say, with 1 driver resident this does not cause any problem
(!!!if properly written!!!), but when more drivers enter and leave the “game”
the system has a high probability of crashing. There’s only one good solution.
A driver must compare the SDT entry it just changed with the offset of its own
replacement function and ONLY change back the addresses if they match. If
not it MUST refuse to unload. Whatever additional problems this may create …

Oliver


Questions? First check the Kernel Driver FAQ at
http://www.osronline.com/article.cfm?id=256

You are currently subscribed to ntdev as: xxxxx@compuware.com
To unsubscribe send a blank email to xxxxx@lists.osr.com

The contents of this e-mail are intended for the named addressee only. It
contains information that may be confidential. Unless you are the named
addressee or an authorized designee, you may not copy or use it, or disclose
it to anyone else. If you received it in error please notify us immediately
and then destroy it.
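The load/unload sequence Oliver describes, and the compare-before-restore rule he proposes, as an added example that is not from the thread and not anyone's driver code: a user-mode C simulation with a one-slot stand-in for the service table and two hypothetical hooking drivers (HookDriver1/HookDriver2, `hook_install`, `hook_unload_naive`, `hook_unload_checked` and the sample path are all constructed for the model). It shows why a blind restore leaves the chain dangling, and why the checked unload refuses while another hook sits on top of it.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed user-mode model of one service-table slot (an array of function
 * pointers indexed by service number) and two hooking drivers. Nothing here
 * touches a real kernel; all names are hypothetical. */
typedef long (*service_fn)(const char *path);

#define SVC_CREATE_FILE  0
#define STATUS_OK        0L
#define STATUS_BUGCHECK (-1L)   /* stands in for a jump into unloaded memory */
#define SAMPLE_PATH "\\??\\C:\\constructed.txt"   /* constructed input */

static service_fn service_table[1];
static long real_create_file(const char *path) { (void)path; return STATUS_OK; }

typedef struct hook_driver {
    service_fn replacement;   /* this driver's own hook routine */
    service_fn saved_entry;   /* table value it displaced when hooking */
    bool       loaded;        /* false once the image is "gone" */
} hook_driver;

static long hook1_create_file(const char *path);
static long hook2_create_file(const char *path);
static hook_driver drv1 = { hook1_create_file, NULL, false };
static hook_driver drv2 = { hook2_create_file, NULL, false };

/* Common hook body. If the owning image is unloaded, a real machine would
 * execute freed memory; the model reports a bugcheck instead of faulting. */
static long hook_body(hook_driver *self, const char *path)
{
    if (!self->loaded)
        return STATUS_BUGCHECK;
    return self->saved_entry(path);   /* chain to whatever was there before */
}
static long hook1_create_file(const char *path) { return hook_body(&drv1, path); }
static long hook2_create_file(const char *path) { return hook_body(&drv2, path); }

/* At load: remember the current entry, then overwrite it. */
static void hook_install(hook_driver *d)
{
    d->saved_entry = service_table[SVC_CREATE_FILE];
    service_table[SVC_CREATE_FILE] = d->replacement;
    d->loaded = true;
}

/* Naive unload: put the saved value back unconditionally. */
static void hook_unload_naive(hook_driver *d)
{
    service_table[SVC_CREATE_FILE] = d->saved_entry;
    d->loaded = false;
}

/* Checked unload (the rule from the mail): restore only if the slot still
 * holds our own replacement; otherwise another hook sits on top, so refuse. */
static bool hook_unload_checked(hook_driver *d)
{
    if (service_table[SVC_CREATE_FILE] != d->replacement)
        return false;                 /* refuse: we are no longer on top */
    service_table[SVC_CREATE_FILE] = d->saved_entry;
    d->loaded = false;
    return true;
}

static void reset_model(void)
{
    service_table[SVC_CREATE_FILE] = real_create_file;
    drv1.loaded = drv2.loaded = false;
}

/* The mail's sequence with naive unloads: HookDriver1 restores blindly (which
 * silently unlinks HookDriver2), then HookDriver2 restores the address of the
 * now-gone HookDriver1 and the next caller lands in the void. */
long scenario_naive_unload(void)
{
    reset_model();
    hook_install(&drv1);        /* table -> hook1 -> real */
    hook_install(&drv2);        /* table -> hook2 -> hook1 -> real */
    hook_unload_naive(&drv1);   /* table -> real: hook2 bypassed, no crash yet */
    hook_unload_naive(&drv2);   /* table -> hook1, whose image is gone */
    return service_table[SVC_CREATE_FILE](SAMPLE_PATH);   /* STATUS_BUGCHECK */
}

/* Same sequence with the check: HookDriver1 refuses while covered, the chain
 * keeps working, and unloading top-down restores the original entry. */
long scenario_checked_unload(void)
{
    reset_model();
    hook_install(&drv1);
    hook_install(&drv2);
    if (hook_unload_checked(&drv1))            /* must be refused: hook2 on top */
        return STATUS_BUGCHECK;
    if (service_table[SVC_CREATE_FILE](SAMPLE_PATH) != STATUS_OK)
        return STATUS_BUGCHECK;                /* chain must still be intact */
    hook_unload_checked(&drv2);                /* top of the chain first */
    hook_unload_checked(&drv1);                /* slot is ours again: allowed */
    if (service_table[SVC_CREATE_FILE] != real_create_file)
        return STATUS_BUGCHECK;                /* original entry restored */
    return service_table[SVC_CREATE_FILE](SAMPLE_PATH);   /* STATUS_OK */
}

int main(void)
{
    printf("naive unload:   %s\n", scenario_naive_unload() == STATUS_OK ? "ok" : "bugcheck");
    printf("checked unload: %s\n", scenario_checked_unload() == STATUS_OK ? "ok" : "bugcheck");
    return 0;
}
```

The model deliberately omits what the rest of the thread is about: even with the check, a driver that refuses to unload is exactly the "cannot unload, plain and simple" component the later replies object to, and the check says nothing about calls already in flight through the chain at the moment the table is rewritten. It only shows the ordering invariant that makes a blind restore unsafe.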

So who is going to win the superbowl?

=====================
Mark Roddy


> All I can say is, that’s not a good way to hook. :slight_smile:
All I can say is … go on :wink: … I am listening carefully … suggestions?
hints? advice?

Oliver

There is no need for a driver to be unloadable. Depending on the technique,
it can even be toggled (hook on/off).

When I hook, can I know if something is hooked already or not? — Sure!!!

-prokash

-----Original Message-----
From: Maxim S. Shatskih [mailto:xxxxx@storagecraft.com]
Sent: Tuesday, January 27, 2004 11:36 AM
To: Windows System Software Devs Interest List
Subject: Re: [ntdev] Hooking system services (was NtCreateSection() -
relation between parent and child process)

> Then the admin goes and removes HookDriver1 from memory.

Well, at least the drivers which do ANY kinds of hooking must not allow
unload, this is plain and simple, or am I wrong?

> replacement function and ONLY change back the addresses if they match.
> If not it MUST refuse to unload.

Not only hookers, but also “legitimate” FS filters just cannot unload. Plain
and simple.

Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
xxxxx@storagecraft.com
http://www.storagecraft.com


“Sinha, Prokash” wrote in message
news:xxxxx@ntdev…
>
> There is no need for a driver to be unloadable.
>

Wrong. It is. In fact, supporting unload is a requirement for proper support
of PnP. And before you say the hardware the driver supports doesn’t go
away, consider the way the system shuts down…

p

Thanks Peter,

I did not know that it is required for any driver.

But to trap module loads/unloads, the notification mechanism already
makes such a driver unloadable, so for a watcher it is almost a requirement
to have notification enabled …

thanks again.
-prokash


Right. And not just system shutdown, but changing driver versions.
Doesn’t anyone WANT to get rid of the need to reboot machines just to
make trivial configuration changes?

– arlie


Absolutely! One of the key customer requirements for Windows is no reboot.
The more components we don’t unload, the harder it is to service or upgrade
them. There is nothing more annoying than downloading/installing a component
that requires a reboot.


Nar Ganapathy
Windows Core OS group
This posting is provided “AS IS” with no warranties, and confers no rights.


Well hooking system apis is hideous, but for specific types of drivers, for
example unloadable file system filter drivers, the unload issue is moot :slight_smile:
Certainly pnp drivers, as in hardware drivers, have no business at all doing
this nonsense.

Given that this question comes up over and over and over again, and then we
have to listen to the ‘alberto camp’ describing the bliss of hacking the OS
any random way one sees fit, Microsoft should at least consider making a
hook registration/deregistration api (and then of course whql-flunking any
driver that uses it :-).

=====================
Mark Roddy


Well folks, pls take my apology for making a fast typing. It is clear
to me that sometimes my mind is slower than my typing speed (40 wd/min)
:).

Actually what I meant to say was that there is no need that such driver
is NOT unloadable. In my original note, that is why I wanted to point out
that even if someone is to hook, there should be a mechanism to unhook
safely (that is why I mentioned on/off) so that the driver could be
responsive to (net stop …, and others) …

Also I tried to mention that in the past it was hard to make a driver
unloadable once we use the module (un)load notification(s). I don’t quite
remember, but there were flags to let the kernel know that I don’t need to
be notified anymore, hence pls allow me to take off (unload) … This was
needed to handle the module integrity. And I think there was an API
GetModuleHandle(…) in user level of win3.1 (16 bit - shared space) that
used to give all the modules loaded at that point in time.

Yes I do understand the importance of being unloadable, just did not
quite know that it is a requirement for any driver (specially when PnP
or no reboot comes to play).

SORRY FOR CONFUSION, BUT IT DID NOT TAKE THE PATH OF TWIST AND TURN.

So yes, I agree with all of you (Peter, Arlie, and Nar).


If my driver is a kernel module - as opposed to a hardware manager - I may
not want it to be unloaded.

Alberto.


Hmm, in that case some of us will have to get a can with a red cross sign
and stay in front of grocery stores, despite my doubts that those
contribution(s) probably never make it to the end of the routes (those
who need it badly :-).

-prokash


When I did 3d graphics drivers for a living, we always supplied two drivers:
the well behaved whql one, and the no-holds-barred fast driver. And, of
course, that choice was up to the user, after all, it’s their machine and
their product.

Alberto.


Sure, I can see plenty of scenarios when it might be absolutely necessary to
stay up, active, and keep the radar focused …

But then having an option is good, just in case …

-prokash


And I have no problem with that. Customers should be informed and make
informed choices. Enterprise customers, rather than home users, tend to be
very conservative and actually want their systems to be loaded only with
signed drivers. Microsoft is clearly (although incrementally) moving in the
direction of making it more and more difficult to load unsigned drivers onto
the system. I’d say the writing is on the wall. You need a new OS interface:
talk to microsoft. In general they have become quite responsive to
legitimate requests.


After reading all these hook/unhook mails, many suggest not to hook APIs or
INTs like int 2e. But I really wonder whether we can load 2 system
debuggers, where I assume these debuggers hook int 1 for tracing. Will the
system be stable, or are these 2 debuggers going to mess up the system
while hooking/unhooking int 1?

Regards,
Satish K.S


Windows Update makes me reboot at least once a week for the latest and
greatest security patch, DirectX minor rev, etc. The problem is
basically unsolvable without a major re-architecture of the OS; if
you’re patching msvcrt.dll, wininet.dll, and so on, you can’t very well
rip them out from the address spaces of all of the running applications
that are using them.

Nar Ganapathy[MS] wrote:

Absolutely! One of the key customer requirements for Windows is no reboot.
The more components we don't unload, the harder it is to service or upgrade
them. There is nothing more annoying than downloading/installing a component
that requires a reboot.

I run with the visual studio debugger and windbg all the time. Works fine as
long as you remind yourself that kernel breakpoints are system wide :slight_smile:

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of int3
Sent: Tuesday, February 03, 2004 2:34 AM
To: Windows System Software Devs Interest List
Subject: RE: [ntdev] Hooking system services (was
NtCreateSection() - relation between parent and child process)

After reading all these hook/unhook mails, many suggest not
to hook APIs or INTs like int 2e. But I really wonder
whether we can load 2 system debuggers? I assume these
debuggers hook int 1 for tracing. Will the system
be stable, or are these 2 debuggers going to mess up the
system while hooking/unhooking int 1?

Regards,
Satish K.S

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Mark Roddy
Sent: Tuesday, February 03, 2004 6:22 PM
To: Windows System Software Devs Interest List
Subject: RE: [ntdev] Hooking system services (was NtCreateSection() -
relation between parent and child process)

I run with the visual studio debugger and windbg all the time. Works fine as
long as you remind yourself that kernel breakpoints are system wide :slight_smile:

IIRC, all the application debuggers use the Win32 SDK debugging APIs, and only
one interceptor is there in the kernel, which diverts the event to the respective
debugger in user mode?

But in the case of 2 system debuggers in a single system, how are they
going to hook int 1 (IDT)? Isn't it the same problem that comes up while hooking
any IDT entry directly?

Regards,
Satish K.S

UNIX has a "single user mode" for this.

NT introduced the Recovery Console, which should serve the same purpose,
but it is still not enough to install patches. Well, going single-user and back in
UNIX is nearly equal to a reboot: service interruption.

And the most irritating fact is that logoff/logon is not enough to upgrade
SHELL32 and friends. So, the IE patches require a reboot :slight_smile:

Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
xxxxx@storagecraft.com
http://www.storagecraft.com

----- Original Message -----
From: “Nick Ryan”
Newsgroups: ntdev
To: “Windows System Software Devs Interest List”
Sent: Tuesday, February 03, 2004 10:25 AM
Subject: Re: [ntdev] Hooking system services (was NtCreateSection() - relation
between parent and child process)

> Windows Update makes me reboot at least once a week for the latest and
> greatest security patch, DirectX minor rev, etc. The problem is
> basically unsolvable without a major re-architecture of the OS; if
> you're patching msvcrt.dll, wininet.dll, and so on, you can't very well
> rip them out from the address spaces of all of the running applications
> that are using them.