I have a driver that replaces Zw calls in the service dispatch table with my own functions. They perform some preprocessing and then call the original functions.
I know that this is not the recommended technique (I should have a filter), but it's simpler to capture file/dir for a proof of concept.
Question 1:
Is Microsoft planning to prevent the above by some techniques like write-protecting the DispatchServiceTable etc.?
Question 2:
Would it be a wise idea to ship a beta with the above technique?
-ocn
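As an added example (not code from the thread or from any of the posters), here is a user-mode C model of the technique the original post describes: replace dispatch-table entries with wrappers that pre-process the call and then forward to the original, and restore the entries on unload. The table, the service numbers, the service bodies and the hook names are all stand-ins invented for this example; nothing here is the real system service table or a kernel API. Two details a practitioner would want are included: only the syscall path through the table is visible to the hook (a caller holding a direct pointer to the service is not seen), and an entry is restored only if it still points at our hook, because blindly writing the saved pointer back would also strip anyone who hooked on top of us.

```c
#include <stdio.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical stand-ins: status_t models NTSTATUS, service_fn models a
 * table entry, and the enum models service numbers. None of this is the
 * real SSDT layout; the model only shows the hook/forward/restore pattern. */
typedef long status_t;
typedef status_t (*service_fn)(const char *path);

enum { SVC_CREATE_FILE = 0, SVC_QUERY_DIRECTORY = 1, SVC_COUNT = 2 };

/* Stand-ins for the original services the table normally points at.
 * They accept only NT-style absolute paths (leading backslash). */
static status_t svc_create_file(const char *path)
{
    return (path && path[0] == '\\') ? 0 : -1;   /* 0 = success, -1 = bad path */
}
static status_t svc_query_directory(const char *path)
{
    return (path && path[0] == '\\') ? 0 : -1;
}

/* The dispatch table: the syscall path indexes it by service number. */
static service_fn service_table[SVC_COUNT] = { svc_create_file, svc_query_directory };

/* Hook state: saved originals (for forwarding and restore) plus what we saw. */
static service_fn saved_original[SVC_COUNT];
static unsigned long seen_count[SVC_COUNT];
static char last_path[SVC_COUNT][256];

/* Pre-processing shared by the hooks: record the call, then forward. */
static status_t record_and_forward(int index, const char *path)
{
    seen_count[index]++;
    snprintf(last_path[index], sizeof last_path[index], "%s", path ? path : "(null)");
    return saved_original[index](path);          /* call the original */
}
static status_t hook_create_file(const char *path)     { return record_and_forward(SVC_CREATE_FILE, path); }
static status_t hook_query_directory(const char *path) { return record_and_forward(SVC_QUERY_DIRECTORY, path); }

static service_fn hooks[SVC_COUNT] = { hook_create_file, hook_query_directory };

/* Install: save whatever is in the table now (it may already be another
 * component's hook, which we then chain to) and point the entry at ours.
 * Returns the number of entries newly hooked; a second call is a no-op. */
int install_hooks(void)
{
    int n = 0;
    for (int i = 0; i < SVC_COUNT; i++) {
        if (service_table[i] == hooks[i]) continue;   /* already ours */
        saved_original[i] = service_table[i];
        service_table[i] = hooks[i];
        n++;
    }
    return n;
}

/* Remove: restore only entries that still point at our hook. If someone
 * hooked on top of us, writing saved_original back would unhook them and
 * leave their saved pointer (ours) dangling once we unload, so such an
 * entry is left alone and the caller must not unload. Returns entries restored. */
int remove_hooks(void)
{
    int n = 0;
    for (int i = 0; i < SVC_COUNT; i++) {
        if (service_table[i] != hooks[i]) continue;   /* not ours: leave it */
        service_table[i] = saved_original[i];
        saved_original[i] = NULL;
        n++;
    }
    return n;
}

/* The syscall path: everything entering through the table is visible to the hook. */
status_t dispatch(int index, const char *path)
{
    if (index < 0 || index >= SVC_COUNT) return -2;    /* bad service number */
    return service_table[index](path);
}

unsigned long hook_seen(int index) { return (index >= 0 && index < SVC_COUNT) ? seen_count[index] : 0; }
const char *hook_last_path(int index) { return last_path[index]; }

int main(void)
{
    printf("installed %d hooks\n", install_hooks());
    dispatch(SVC_CREATE_FILE, "\\??\\C:\\temp\\a.txt");     /* seen by the hook */
    svc_create_file("\\??\\C:\\temp\\b.txt");               /* direct call: not seen */
    printf("create calls seen: %lu, last: %s\n",
           hook_seen(SVC_CREATE_FILE), hook_last_path(SVC_CREATE_FILE));
    printf("removed %d hooks\n", remove_hooks());
    return 0;
}
```

The direct call in main is the point to take from the model: the hook counts one create, not two, because only calls routed through the table reach it. Whatever reaches the real file system by some other path is invisible to a table hook in exactly the same way, which is why a proof of concept built this way can have no proof.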
"v g" wrote in message news:xxxxx@ntfsd...
> I have a driver that replaces Zw calls in the service dispatch table with
> my own functions. They perform some preprocessing and then call the
> original functions.
>
> I know that this is not the recommended technique (I should have a
> filter), but it's simpler to capture file/dir for a proof of concept.
Be careful here, the actions at Zw level do not always map one for one with what a filter sees. You can do a proof of concept and have no proof.
> Question 1:
> Is Microsoft planning to prevent the above by some techniques like
> write-protecting the DispatchServiceTable etc.?
They already have started this on x64 and to some degree on x86. You will not be able to do this on 64-bit systems (ok, I’m sure some hacker will figure a way, but the goal is not).
> Question 2:
> Would it be a wise idea to ship a beta with the above technique?
I wouldn't. I know of some large firms that check this and bar products from vendors who do this. Do you want to risk being blacklisted for a beta?
--
Don Burn (MVP, Windows DDK)
Windows 2k/XP/2k3 Filesystem and Driver Consulting
Remove StopSpam from the email to reply
Basically you have to change code for every major MS release. Well, to give you an example, the Norton antivirus engine has been doing this thing for years and they keep doing it till now. Just keep in mind that you may get some benefit from it in the short term, but sustaining it in the future is actually not cheap. FYI.
/AFei