Re:Why hooking is bad

Great reasons. This is definitely a frequently asked
question; can this be added to some FAQ at
www.osronline.com?

I have a question. I assume the same reasons apply for
user mode API hooking as well as for kernel mode APIs. In
Five, has Microsoft blocked both of them?

thanks in advance
–rufoo

— Don Burn wrote:

>
> > "Marc Cruz" wrote in message:
> > Why is hooking unsafe?
>
> A number of these have been discussed before, but
> let's count the ways:
>
> 1. First once you hook you can never unhook. The
> problem is that you have
> to assume someone may have come along after you and
> hooked, if you unhook
> and unload they will still call you, and there goes
> the system.
>
> 2. Second, you have no control over hooking order,
> so let's say you and
> another driver start hooking at the same time, you
> hook five calls and the
> other driver hooks the same five calls. Well since
> there is no control,
> some of the calls will invoke your hook, then the
> other driver's, and the
> other calls will invoke the other driver's, then your
> hook.
>
> 3. Third, are you using stack in your hook? How
> can you tell if you are
> using too much? It is possible to do without much
> stack, or leaving any on
> the stack, but most people are too lazy to do this.
>
> 4. Fourth, the native system calls are undocumented
> and can change. The
> common case on this is the changing of the call
> numbers, but Windows has
> also added options, changed the parameters and even
> replaced the call with a
> newer one. Basically, most hooking drivers lock
> themselves into a small set
> of OS versions, but never bother to check if this is
> correct.
>
> 5. Five, Microsoft has blocked system call hooking
> on AMD64. I request
> that they offer the same capability under X86. I
> realize it will break
> stupid but common programs. If this was controllable
> by a boot switch then I
> can choose if I want to break these!
>
> 6. Six, a number of companies are running rootkit
> detectors, and rejecting
> software that does hooking. So basically you are
> using a technique that can
> get your company thrown out of firms permanently.
>
> I’m sure there are a lot more, these are just the
> highlights.
>
>
> –
> Don Burn (MVP, Windows DDK)
> Windows 2k/XP/2k3 Filesystem and Driver Consulting
> Remove StopSpam from the email to reply
>
> —
> Questions? First check the IFS FAQ at
> https://www.osronline.com/article.cfm?id=17
>
> You are currently subscribed to ntfsd as:
> xxxxx@yahoo.com
> To unsubscribe send a blank email to
> xxxxx@lists.osr.com
>

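Reasons 1 and 2 above describe failure modes of patching a dispatch-table entry that are easy to reproduce in a small user-mode model. The program below is an added illustration, not code from the thread or from any Windows driver: it uses a two-entry array of function pointers as a stand-in for a service table, two hypothetical "drivers" A and B that each save the previous pointer and install their own, and a trace string to record which hook ran. It shows that A restoring its saved pointer silently drops B (so A can never safely unhook), that A unloading without restoring leaves B holding a pointer into A's image, and that the per-call hook order depends only on who happened to install first on each entry.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* A two-entry "service table" standing in for a system call dispatch table.
   Each entry is a function pointer taking the service index and one argument.
   This is a constructed user-mode model, not Windows kernel code. */
#define NSLOTS 2
typedef int (*svc_fn)(int slot, int arg);

static int original_service(int slot, int arg) { return arg + slot; }

static svc_fn table[NSLOTS];

/* Execution trace: one letter per hook invocation, in the order they ran. */
static char trace[64];
static void note(char c) {
    size_t n = strlen(trace);
    if (n + 1 < sizeof trace) { trace[n] = c; trace[n + 1] = '\0'; }
}

/* Hypothetical driver A: saves whatever the slot held when it hooked, then
   calls through to it.  a_unhook() is the naive "restore what I saved". */
static svc_fn a_saved[NSLOTS];
static int a_hook(int slot, int arg) { note('A'); return a_saved[slot](slot, arg); }
static void a_install(int slot) { a_saved[slot] = table[slot]; table[slot] = a_hook; }
static void a_unhook(int slot)  { table[slot] = a_saved[slot]; }

/* Hypothetical driver B: same pattern. */
static svc_fn b_saved[NSLOTS];
static int b_hook(int slot, int arg) { note('B'); return b_saved[slot](slot, arg); }
static void b_install(int slot) { b_saved[slot] = table[slot]; table[slot] = b_hook; }

static void reset(void) {
    for (int i = 0; i < NSLOTS; i++) {
        table[i] = original_service;
        a_saved[i] = b_saved[i] = NULL;
    }
    trace[0] = '\0';
}

/* Reason 1, case (a): A hooked first, B hooked after it, then A "unhooks" by
   restoring the pointer it saved.  B is silently removed from the table even
   though B still believes it is installed.  Returns 1 when the call no longer
   reaches B. */
int unhook_silently_drops_later_hook(void) {
    reset();
    a_install(0);
    b_install(0);
    a_unhook(0);
    table[0](0, 5);
    return strchr(trace, 'B') == NULL;
}

/* Reason 1, case (b): same order, but A unloads WITHOUT restoring (because
   restoring would drop B).  B still holds a pointer into A's image; in a real
   driver that memory is gone and the next call through B faults.  The model
   only detects the hazard instead of dereferencing a freed image. */
int unload_leaves_dangling_pointer(void) {
    reset();
    a_install(0);
    b_install(0);
    /* A's code is considered gone here; nothing A can do fixes b_saved[0]. */
    return b_saved[0] == a_hook;
}

/* Reason 2: no control over order.  Both drivers hook both entries during
   startup, but the interleaving differs per entry, so the runtime order of
   the hooks differs from call to call.  Returns the trace of both calls. */
const char *interleaved_hook_order(void) {
    reset();
    a_install(0);  b_install(0);   /* entry 0: B wraps A, so B runs first */
    b_install(1);  a_install(1);   /* entry 1: A wraps B, so A runs first */
    table[0](0, 1);
    table[1](1, 1);
    return trace;                  /* "BAAB" */
}

int main(void) {
    printf("unhook drops later hook:        %d\n", unhook_silently_drops_later_hook());
    printf("unload leaves dangling pointer: %d\n", unload_leaves_dangling_pointer());
    printf("hook order per entry:           %s\n", interleaved_hook_order());
    return 0;
}
```

The same three checks are what a reviewer would look for in any product that patches shared tables: whether removal is ever safe, whether unload can leave another component pointing at freed code, and whether behaviour depends on load order that nobody controls.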