Re[2]: Windows Driver/Rootkit Development - function pointer - STATUS_INVALID_PARAMETER

As I said, make your patch routine very simple, do nothing other than
pass the parameters onto the real API. If the system works fine, then
move on to logging information. As for the name mangling, you could, for
example, pass in a name such as “MyDriverName_(path to file)”. Then in
your patch routine recognize the “MyDriverName_”, remove it and pass the
rest on to the real function. Again, this sort of thing is really ugly
and not supported in any way but it can work.

Pete


Kernel Drivers
Windows File System and Device Driver Consulting
www.KernelDrivers.com
866.263.9295

------ Original Message ------
From: xxxxx@hotmail.com
To: “Windows System Software Devs Interest List”
Sent: 4/20/2017 9:21:22 AM
Subject: RE:[ntdev] Windows Driver/Rootkit Development - function pointer - STATUS_INVALID_PARAMETER

>What I’m currently doing in each hooked function is very simple. I just
>log that the function was called and which process it was called by and
>then call the original function. I don’t understand what you mean by
>“name mangling”, could you provide a more concrete example? How do I
>recognise that my code is calling the logger (or vice versa) as my code
>(inc logger) is running as a driver, so the process making the call
>will appear as svchost.exe surely.