OSR's ntdev List: Re[2]: Windows Driver/Rootkit Development - function pointer

Driver Problems? Questions? Issues?
Put OSR's experience to work for you! Contact us for assistance with:

Creating the right design for your requirements
Reviewing your existing driver code
Analyzing driver reliability/performance issues
Custom training mixed with consulting and focused directly on your specific areas of interest/concern.

Check us out. OSR, the Windows driver experts.

Monthly Seminars at OSR Headquarters

East Coast USA
Windows Internals and SW Drivers, Dulles (Sterling) VA, 9 April 2018

Writing WDF Drivers I: Core Concepts, Manchester, NH, 7 May 2018

Kernel Debugging & Crash Analysis for Windows, Manchester, NH, 21 May 2018

		OSR Online Lists > ntdev
Re[2]: Windows Driver/Rootkit Development - function pointer - STATUS_INVALID_PARAMETER

Welcome, Guest
You must login to post to this list

Message 1 of 1

20 Apr 17 11:32

Peter Scott

xxxxxx@kerneldrivers.com

Join Date: 17 Feb 2012

Posts To This List: 49

Re[2]: Windows Driver/Rootkit Development - function pointer - STATUS_INVALID_PARAMETER

As I said, make your patch routine very simple, do nothing other than pass the parameters onto the real API. If the system works fine, then move on to logging information. As for the name mangling, you could, for=20 example, pass in a name such as "MyDriverName_(path to file)" Then in your patch routine recognize the "MyDriverName_", remove it and pass the=20 rest on to the real function. Again, this sort of thing is really ugly and not supported in any way but it can work. Pete -- Kernel Drivers Windows File System and Device Driver Consulting www.KernelDrivers.com 866.263.9295 ------ Original Message ------ From: xxxxx@hotmail.com To: "Windows System Software Devs Interest List" <xxxxx@lists.osr.com> Sent: 4/20/2017 9:21:22 AM Subject: RE:[ntdev] Windows Driver/Rootkit Development - function pointer - STATUS_INVALID_PARAMETER >What I'm currently doing in each hooked function is very simple. I just=20 >log that the function was called and which process it was called by and=20 >then call the original function. I don't understand what you mean by >"name mangling", could you provide a more concrete example? How do I >recognise that my code is calling the logger (or vice versa) as my code=20 >(inc logger) is running as a driver, so the process making the call >will appear as svchost.exe surely. > >--- >NTDEV is sponsored by OSR <...excess quoted lines suppressed...>

Posting Rules
You may not post new threads You may not post replies You may not post attachments	You must login to OSR Online AND be a member of the ntdev list to be able to post.

All times are GMT -5. The time now is 04:09.

Contact Us - Osr Online Homepage - Top