20 Apr 17 11:32
xxxxxx@kerneldrivers.com
Re[2]: Windows Driver/Rootkit Development - function pointer - STATUS_INVALID_PARAMETER
As I said, make your patch routine very simple, do nothing other than
pass the parameters onto the real API. If the system works fine, then
move on to logging information. As for the name mangling, you could, for
example, pass in a name such as "MyDriverName_(path to file)". Then in
your patch routine recognize the "MyDriverName_", remove it and pass the
rest on to the real function. Again, this sort of thing is really ugly
and not supported in any way, but it can work.
Pete
--
Kernel Drivers
Windows File System and Device Driver Consulting
www.KernelDrivers.com
866.263.9295
------ Original Message ------
From: xxxxx@hotmail.com
To: "Windows System Software Devs Interest List"
Sent: 4/20/2017 9:21:22 AM
Subject: RE:[ntdev] Windows Driver/Rootkit Development - function pointer - STATUS_INVALID_PARAMETER
>What I'm currently doing in each hooked function is very simple. I just
>log that the function was called and which process it was called by and
>then call the original function. I don't understand what you mean by
>"name mangling", could you provide a more concrete example? How do I
>recognise that my code is calling the logger (or vice versa) as my code
>(inc logger) is running as a driver, so the process making the call
>will appear as svchost.exe surely.
>
>---
>NTDEV is sponsored by OSR