by Brock
Sun Aug 12, 2018 4:30 pm
Forum: Kernel-Mode Development
Topic: Hooking the official way?
Replies: 8
Views: 437

Re: Hooking the official way?

Originally you posted this regardless of the Kernel Mode Development section of the forum: "I've got a question on how to be able to hook various WinAPI functions like VirtualQuery and be able to see the parameters being passed to a certain process." Your question, I assumed after your mentioning of a u...
by Brock
Thu Aug 09, 2018 11:25 pm
Forum: Kernel-Mode Development
Topic: Hooking the official way?
Replies: 8
Views: 437

Re: Hooking the official way?

Should have mentioned previously that v4.0.1 is now open source and supports both x86 and x64 and will work with all NT-based operating systems. Years ago this wasn't the case, the source for licensing v4.0 was (iirc) $10,000 USD

https://github.com/Microsoft/Detours
by Brock
Thu Aug 09, 2018 5:01 pm
Forum: Kernel-Mode Development
Topic: Hooking the official way?
Replies: 8
Views: 437

Re: Hooking the official way?

You can inject a DLL into your target process(es) and use Microsoft Detours hooking engine if you don't want to use 3rd party hooking engines. However, there really isn't any "official" method, Detours just happens to be Microsoft's own hooking solution for various tasks over the years.
by Brock
Sun Jul 15, 2018 6:31 pm
Forum: Kernel-Mode Development
Topic: Design Question
Replies: 1
Views: 368

Re: Design Question

Take a look at the Inverted Call Model. Instead of your usermode application using DeviceIoControl with a supplied IOCTL to the driver, the driver queues event info to the usermode application, hence the name Inverted.
by Brock
Tue Jul 03, 2018 10:47 pm
Forum: User-Mode Development
Topic: Process Doppelganging
Replies: 7
Views: 10062

Re: Process Doppelganging

Interesting. Thanks for sharing Vrtule
by Brock
Wed May 23, 2018 11:32 pm
Forum: Kernel-Mode Development
Topic: why ExFreePool will blue screen
Replies: 3
Views: 1191

Re: why ExFreePool will blue screen

@lwbkm,

When you graduate to better understanding kernel memory allocation and general management you might also strongly consider, on Windows 8+ anyhow, using ExAllocatePool(NonPagedPoolNx, ...); or the newer compiler's opt-in flag instead of the NonPagedPool type. It's just a best practice is all
by Brock
Sat Apr 28, 2018 4:31 pm
Forum: Kernel-Mode Development
Topic: how to delete driver file and still Keep communication
Replies: 10
Views: 3040

Re: how to delete driver file and still Keep communication

"Recently I am writing a rootkit software"

This board doesn't support authoring of rootkits.
by Brock
Thu Feb 22, 2018 10:27 pm
Forum: Kernel-Mode Development
Topic: ObRegisterCallbacks return 0xC0000022 error
Replies: 2
Views: 1868

Re: ObRegisterCallbacks return 0xC0000022 error

Vrtule's way should work fine for you. If you want a link-time option though you can simply just use the /INTEGRITYCHECK flag
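A quick check that the built driver actually carries the flag /INTEGRITYCHECK sets (IMAGE_DLLCHARACTERISTICS_FORCE_INTEGRITY, 0x0080, in the optional header's DllCharacteristics field). This is an added example, not code from the post or from Microsoft; it parses the PE headers by hand in portable C, so it needs no Windows SDK, and the self-test image it builds is a constructed header, not a real driver.

```c
/*
 * Added example: report whether a PE image (e.g. a .sys) was linked with
 * /INTEGRITYCHECK, i.e. whether IMAGE_DLLCHARACTERISTICS_FORCE_INTEGRITY
 * (0x0080) is set. Without it ObRegisterCallbacks returns
 * STATUS_ACCESS_DENIED (0xC0000022), so this is worth checking on the
 * binary before loading it. Portable C, no Windows headers required.
 */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define FORCE_INTEGRITY 0x0080u

/* 1 = flag set, 0 = valid PE without the flag, -1 = not a PE / truncated. */
int pe_has_force_integrity(const uint8_t *buf, size_t len)
{
    if (len < 0x40 || buf[0] != 'M' || buf[1] != 'Z') return -1;
    uint32_t e_lfanew = (uint32_t)buf[0x3C] | ((uint32_t)buf[0x3D] << 8) |
                        ((uint32_t)buf[0x3E] << 16) | ((uint32_t)buf[0x3F] << 24);
    /* Need: "PE\0\0" (4) + COFF header (20) + optional header through DllCharacteristics (72). */
    if (e_lfanew > len || len - e_lfanew < 4 + 20 + 72) return -1;
    const uint8_t *pe = buf + e_lfanew;
    if (memcmp(pe, "PE\0\0", 4) != 0) return -1;
    const uint8_t *opt = pe + 4 + 20;
    uint16_t magic = (uint16_t)(opt[0] | (opt[1] << 8));
    if (magic != 0x10B && magic != 0x20B) return -1;   /* PE32 or PE32+ */
    /* DllCharacteristics is at offset 70 in both PE32 and PE32+ optional headers. */
    uint16_t dllchar = (uint16_t)(opt[70] | (opt[71] << 8));
    return (dllchar & FORCE_INTEGRITY) ? 1 : 0;
}

/* Constructed minimal PE32+ header for the self-test (not a real driver). */
size_t build_test_image(uint8_t *out, size_t cap, int with_flag)
{
    const uint32_t e_lfanew = 0x80;
    size_t need = e_lfanew + 4 + 20 + 72;
    if (cap < need) return 0;
    memset(out, 0, need);
    out[0] = 'M'; out[1] = 'Z';
    out[0x3C] = (uint8_t)e_lfanew;
    memcpy(out + e_lfanew, "PE\0\0", 4);
    uint8_t *opt = out + e_lfanew + 24;
    opt[0] = 0x0B; opt[1] = 0x02;                 /* PE32+ magic 0x20B */
    /* HIGH_ENTROPY_VA | DYNAMIC_BASE | NX_COMPAT, plus FORCE_INTEGRITY when requested */
    uint16_t dllchar = (uint16_t)(0x0160u | (with_flag ? FORCE_INTEGRITY : 0u));
    opt[70] = (uint8_t)(dllchar & 0xFF); opt[71] = (uint8_t)(dllchar >> 8);
    return need;
}

/* Returns 1 when the parser agrees with both constructed images, else 0. */
int self_test(void)
{
    uint8_t img[256];
    size_t n = build_test_image(img, sizeof img, 1);
    if (n == 0 || pe_has_force_integrity(img, n) != 1) return 0;
    n = build_test_image(img, sizeof img, 0);
    if (n == 0 || pe_has_force_integrity(img, n) != 0) return 0;
    return 1;
}

int main(int argc, char **argv)
{
    if (argc < 2) {
        printf("self-test: %s\n", self_test() ? "ok" : "FAILED");
        printf("usage: %s <driver.sys>\n", argv[0]);
        return 0;
    }
    FILE *f = fopen(argv[1], "rb");
    if (!f) { perror(argv[1]); return 2; }
    size_t cap = 1u << 20;                          /* headers live in the first pages */
    uint8_t *buf = malloc(cap);
    if (!buf) { fclose(f); return 2; }
    size_t len = fread(buf, 1, cap, f);
    fclose(f);
    int r = pe_has_force_integrity(buf, len);
    free(buf);
    printf("%s: %s\n", argv[1],
           r == 1 ? "FORCE_INTEGRITY set" :
           r == 0 ? "FORCE_INTEGRITY NOT set (relink with /INTEGRITYCHECK)" :
                    "not a PE image");
    return r == 1 ? 0 : 1;
}
```

Run it against the built .sys; exit status 0 means the flag is present. Note that the flag only tells the loader to enforce signature checks, so the driver must also actually be signed for the callback registration to succeed.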
by Brock
Wed Dec 20, 2017 5:58 pm
Forum: Kernel-Mode Development
Topic: How to redirect registry key in registry callback?
Replies: 4
Views: 5861

Re: How to redirect registry key in registry callback?

Microsoft's sample code doesn't work on Microsoft's Regedit? What do you mean it "cannot" work? Have you verified this with other registry editors/viewers?
by Brock
Wed Dec 20, 2017 8:26 am
Forum: Kernel-Mode Development
Topic: How to redirect registry key in registry callback?
Replies: 4
Views: 5861

Re: How to redirect registry key in registry callback?

This should help you override and redirect the operation but I haven't tested it.

http://joyasystems.com/sample-code%2FWi ... s%2Fpost.c

*see example CallbackPostNotificationOverrideError()*