driver without an object

Ask your beginner questions here.


Post by FrankoooEFC » Sat Feb 23, 2019 12:46 am

I am really in need of help because I can't think about it anymore. I am not trying to SSDT hook this time, but what I want to do is to hook a function with IAT hooking so it can execute my code, then return it back to what it was. I've got two problems at the moment:

1 - Is there any kind of IAT hooking example for kernel mode? Because I haven't seen any examples over the internet.

2 - How could I pass IOCTL codes back and forth to my user-mode app without creating a device object? I know I need to open a handle, for example (\\.\mydrivernamehere), but is there any other way of doing that?

Thanks in advance, I hope that someone would explain this to me.


Re: driver without an object

Post by Vrtule » Sat Feb 23, 2019 1:04 pm

Hello,
1 - Is there any kind of IAT hooking example for kernel mode? Because I haven't seen any examples over the internet.
Well, drivers are stored as PE files, so IAT hooking should work the same way as in user mode.
2 - How could I pass IOCTL codes back and forth to my user-mode app without creating a device object? I know I need to open a handle, for example (\\.\mydrivernamehere), but is there any other way of doing that?
You can communicate without IOCTLs, but it is more difficult to implement. For example, you can use shared memory (section/file mapping objects) to exchange data. IOCTLs are probably the easiest thing.

Alternatively, you can create a device object for a driver object not belonging to your driver and hook the necessary IRP dispatch routines of that driver. But PatchGuard will not be happy with this in some cases.
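Since drivers are PE images with an ordinary import address table, the defender's counterpart to the hooking described above is to check where each IAT slot of a loaded driver actually points. The script below is an added example, not code from this thread or from either poster. It assumes the IAT bytes have already been dumped from memory, that the (module, function) pair for each slot is known from the on-disk import directory, and that the load ranges of the modules are known; every address, module size and import name in the sample is constructed for illustration.

```python
"""Offline check of a dumped kernel import address table (IAT).

Added example, not code from the thread. Given the raw bytes of a driver's
IAT as dumped from memory, the (module, function) pair each slot should
resolve to, and the load ranges of the modules present, report any slot
whose pointer does not land inside the module that exports the function.
All addresses, sizes and names below are constructed sample data."""
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class ModuleRange:
    name: str
    base: int
    size: int

    def contains(self, addr: int) -> bool:
        return self.base <= addr < self.base + self.size


@dataclass(frozen=True)
class IatFinding:
    slot: int
    function: str
    expected_module: str
    value: int
    resolved_to: Optional[str]  # module whose range the pointer lands in, if any

    @property
    def ok(self) -> bool:
        return (self.resolved_to is not None
                and self.resolved_to.lower() == self.expected_module.lower())


def owner_of(addr: int, modules: List[ModuleRange]) -> Optional[str]:
    """Name of the module whose load range contains addr, or None."""
    for m in modules:
        if m.contains(addr):
            return m.name
    return None


def check_iat(iat: bytes, imports: List[Tuple[str, str]],
              modules: List[ModuleRange], pointer_size: int = 8) -> List[IatFinding]:
    """Unpack each IAT slot and compare where it points with the module the
    import directory names for that slot."""
    fmt = "<Q" if pointer_size == 8 else "<I"
    if len(iat) != len(imports) * pointer_size:
        raise ValueError("IAT length does not match the import list")
    findings = []
    for slot, (module, function) in enumerate(imports):
        (value,) = struct.unpack_from(fmt, iat, slot * pointer_size)
        findings.append(IatFinding(slot, function, module, value,
                                   owner_of(value, modules)))
    return findings


def suspicious(findings: List[IatFinding]) -> List[str]:
    """Imports whose IAT slot does not resolve into the expected module."""
    return [f.function for f in findings if not f.ok]


# Constructed sample: two legitimate kernel images and one unexpected image.
MODULES = [
    ModuleRange("ntoskrnl.exe", 0xFFFFF80000400000, 0x00A00000),
    ModuleRange("hal.dll",      0xFFFFF80001200000, 0x00100000),
    ModuleRange("unknown.sys",  0xFFFFF80002000000, 0x00010000),
]

# Slot order as it would appear in the driver's import directory (constructed).
IMPORTS = [
    ("ntoskrnl.exe", "ExAllocatePoolWithTag"),
    ("ntoskrnl.exe", "IoCreateDevice"),
    ("hal.dll",      "KeStallExecutionProcessor"),
]

# Constructed "memory dump" of the IAT: slot 1 has been redirected into unknown.sys.
SAMPLE_IAT = struct.pack("<QQQ",
                         0xFFFFF800004B1230,   # inside ntoskrnl.exe
                         0xFFFFF80002001000,   # inside unknown.sys, not ntoskrnl.exe
                         0xFFFFF80001201510)   # inside hal.dll


if __name__ == "__main__":
    for f in check_iat(SAMPLE_IAT, IMPORTS, MODULES):
        status = "ok" if f.ok else "SUSPICIOUS"
        print(f"slot {f.slot}: {f.function} -> {f.value:#018x} "
              f"({f.resolved_to or 'unmapped'}) {status}")
```

The check is deliberately coarse: it only asks whether a slot points into the right image, which catches redirection into another driver or into unmapped memory but not a hook placed inside the exporting module itself. On a real system the module list would come from the loaded-module list and the pointer size from the target's bitness.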


Re: driver without an object

Post by FrankoooEFC » Tue Feb 26, 2019 6:48 pm

Thanks, I guess I will go with shared memory then :(
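The thread settles on IOCTLs as the easiest user-mode/kernel channel, so it is worth seeing how a control code is actually laid out and what a reviewer looks for in a driver's IOCTL table. The script below is an added example, not code from the thread or from either poster. It encodes and decodes codes using the documented CTL_CODE layout (device type in bits 16-31, required access in bits 14-15, function in bits 2-13, transfer method in bits 0-1) and runs a small review over a constructed table of codes; the IOCTL names in that table are made up for illustration.

```python
"""Encode, decode and review Windows I/O control codes (CTL_CODE layout).

Added example, not code from the thread. The bit layout and the constant
values are the documented ones; the IOCTL table at the bottom is constructed
to show what a review of a driver's IOCTL interface flags."""
from dataclasses import dataclass
from typing import Dict, List

METHOD_BUFFERED, METHOD_IN_DIRECT, METHOD_OUT_DIRECT, METHOD_NEITHER = 0, 1, 2, 3
FILE_ANY_ACCESS, FILE_READ_ACCESS, FILE_WRITE_ACCESS = 0, 1, 2
FILE_DEVICE_UNKNOWN = 0x22

METHOD_NAMES = {0: "METHOD_BUFFERED", 1: "METHOD_IN_DIRECT",
                2: "METHOD_OUT_DIRECT", 3: "METHOD_NEITHER"}
ACCESS_NAMES = {0: "FILE_ANY_ACCESS", 1: "FILE_READ_ACCESS",
                2: "FILE_WRITE_ACCESS", 3: "FILE_READ_ACCESS|FILE_WRITE_ACCESS"}


def ctl_code(device_type: int, function: int, method: int, access: int) -> int:
    """Same packing as the CTL_CODE macro, with range checks on each field."""
    if not 0 <= device_type <= 0xFFFF:
        raise ValueError("device type must fit in 16 bits")
    if not 0 <= function <= 0xFFF:
        raise ValueError("function code must fit in 12 bits")
    if method not in METHOD_NAMES:
        raise ValueError("method must be 0..3")
    if not 0 <= access <= 3:
        raise ValueError("access must be 0..3")
    return (device_type << 16) | (access << 14) | (function << 2) | method


@dataclass(frozen=True)
class Ioctl:
    code: int
    device_type: int
    function: int
    method: int
    access: int

    def describe(self) -> str:
        return (f"{self.code:#010x}: type={self.device_type:#06x} "
                f"func={self.function:#05x} {METHOD_NAMES[self.method]} "
                f"{ACCESS_NAMES[self.access]}")


def decode(code: int) -> Ioctl:
    """Split a 32-bit control code back into its four fields."""
    return Ioctl(code=code,
                 device_type=(code >> 16) & 0xFFFF,
                 function=(code >> 2) & 0xFFF,
                 method=code & 3,
                 access=(code >> 14) & 3)


def review(codes: Dict[str, int]) -> Dict[str, List[str]]:
    """Review notes per IOCTL: the properties that widen who can reach the
    handler or what it must validate itself."""
    notes: Dict[str, List[str]] = {}
    for name, code in codes.items():
        d = decode(code)
        found = []
        if d.method == METHOD_NEITHER:
            found.append("METHOD_NEITHER hands the handler raw user pointers; "
                         "it must probe and capture them itself")
        if d.access == FILE_ANY_ACCESS:
            found.append("FILE_ANY_ACCESS: any caller that can open the device "
                         "may issue this code")
        if d.device_type < 0x8000 and d.device_type != FILE_DEVICE_UNKNOWN:
            found.append("device types below 0x8000 are reserved for Microsoft")
        if d.function < 0x800:
            found.append("function codes below 0x800 are reserved for Microsoft")
        notes[name] = found
    return notes


# Constructed IOCTL table for a hypothetical software-only driver.
SAMPLE_CODES = {
    "IOCTL_GET_VERSION": ctl_code(FILE_DEVICE_UNKNOWN, 0x800, METHOD_BUFFERED, FILE_READ_ACCESS),
    "IOCTL_RAW_COMMAND": ctl_code(FILE_DEVICE_UNKNOWN, 0x801, METHOD_NEITHER, FILE_ANY_ACCESS),
}


if __name__ == "__main__":
    for name, code in SAMPLE_CODES.items():
        print(name, decode(code).describe())
        for note in review(SAMPLE_CODES)[name]:
            print("   -", note)
```

The access bits only matter if the device object itself is protected by a security descriptor; a device created without one is openable by everyone, which is why a review of the IOCTL table goes together with a review of how the device object and its symbolic link were created.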
