20 Apr 17 11:32
Peter Scott
Join Date: 17 Feb 2012
Posts To This List: 49
Re[2]: Windows Driver/Rootkit Development - function pointer - STATUS_INVALID_PARAMETER

As I said, make your patch routine very simple, do nothing other than pass the parameters onto the real API. If the system works fine, then move on to logging information. As for the name mangling, you could, for example, pass in a name such as "MyDriverName_(path to file)". Then in your patch routine recognize the "MyDriverName_", remove it and pass the rest on to the real function. Again, this sort of thing is really ugly and not supported in any way but it can work.

Pete
--
Kernel Drivers
Windows File System and Device Driver Consulting
866.263.9295

------ Original Message ------
From:
To: "Windows System Software Devs Interest List" <>
Sent: 4/20/2017 9:21:22 AM
Subject: RE:[ntdev] Windows Driver/Rootkit Development - function pointer - STATUS_INVALID_PARAMETER

> What I'm currently doing in each hooked function is very simple. I just log that the function was called and which process it was called by and then call the original function. I don't understand what you mean by "name mangling", could you provide a more concrete example? How do I recognise that my code is calling the logger (or vice versa) as my code (inc logger) is running as a driver, so the process making the call will appear as svchost.exe surely.
>
> ---
> NTDEV is sponsored by OSR
>
> Visit the list online at:
> <>
>
> MONTHLY seminars on crash dump analysis, WDF, Windows internals and
<...excess quoted lines suppressed...>