|
Message 1 of 1
20 Apr 17 11:32
|
|
xxxxxx@kerneldrivers.com
|
Join Date: 17 Feb 2012
Posts To This List: 45
|
|
|
Re[2]: Windows Driver/Rootkit Development - function pointer - STATUS_INVALID_PARAMETER
<![CDATA[As I said, make your patch routine very simple, do nothing other than=20
pass the parameters onto the real API. If the system works fine, then=20
move on to logging information. As for the name mangling, you could, for=
=20
example, pass in a name such as "MyDriverName_(path to file)" Then in=20
your patch routine recognize the "MyDriverName_", remove it and pass the=
=20
rest on to the real function. Again, this sort of thing is really ugly=20
and not supported in any way but it can work.
Pete
--
Kernel Drivers
Windows File System and Device Driver Consulting
www.KernelDrivers.com
866.263.9295
------ Original Message ------
From: xxxxx@hotmail.com
To: "Windows System Software Devs Interest List" <xxxxx@lists.osr.com>
Sent: 4/20/2017 9:21:22 AM
Subject: RE:[ntdev] Windows Driver/Rootkit Development - function=20
pointer - STATUS_INVALID_PARAMETER
>What I'm currently doing in each hooked function is very simple. I just=
=20
>log that the function was called and which process it was called by and=
=20
>then call the original function. I don't understand what you mean by=20
>"name mangling", could you provide a more concrete example? How do I=20
>recognise that my code is calling the logger (or vice versa) as my code=
=20
>(inc logger) is running as a driver, so the process making the call=20
>will appear as svchost.exe surely.
>
>---
>NTDEV is sponsored by OSR
>
>Visit the list online at:=20
><http://www.osronline.com/showlists.cfm?list=3Dntdev>
>
>MONTHLY seminars on crash dump analysis, WDF, Windows internals and=20
<...excess quoted lines suppressed...>
]]>
|
Re[2]: Windows Driver/Rootkit Development - function pointer - STATUS_INVALID_PARAMETER