A forum for reverse engineering, OS internals and malware analysis 

 #32612  by FrankoooEFC
 Sat Feb 23, 2019 12:46 am
I am really in need of help because I can't think about it anymore. I am not trying to SSDT hook this time, but what I want to do is to hook a function with IAT hooking so it can execute my code, then return it back to what it was. I've got 2 problems at the moment:

1 - Is there any kind of IAT hooking example for kernel mode? Because I haven't seen any examples over the internet.

2 - How could I pass IOCTL codes back and forth to my usermode app without creating a device object? I know I need to open a handle like, for example, (.\\.\mydrivernamehere), but is there any other way of doing that?

Thanks in advance; I hope that someone will explain this to me.
 #32616  by Vrtule
 Sat Feb 23, 2019 1:04 pm
Hello,
1 - Is there any kind of IAT hooking example for kernel mode? Because I haven't seen any examples over the internet.
Well, drivers are stored as PE files, so IAT hooking should work the same way as in usermode.
2 - How could I pass IOCTL codes back and forth to my usermode app without creating a device object? I know I need to open a handle like, for example, (.\\.\mydrivernamehere), but is there any other way of doing that?
You can communicate without IOCTLs, but it is more difficult to implement. For example, you can use shared memory (section/file-mapping objects) to exchange data. IOCTLs are probably the easiest thing.

Alternatively, you can create a device object for a driver object not belonging to your driver and hook the necessary IRP dispatch routines of that driver. But PatchGuard will not be happy with this in some cases.
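Added example, not posted by either participant: the IAT walk Vrtule describes, in C. It is the same walk you would do in usermode, applied to an image as it sits in memory (RVAs added to the image base, which is how a loaded driver looks from kernel mode). The PE structures are minimal replicas containing only the fields and offsets the walker touches, so the code builds without windows.h; the "driver" is a constructed 0x600-byte PE32+ image with a made-up import table naming two ntoskrnl exports, and the hook forwards to the original function, which is the "execute my code then return it back" behaviour the question asks for.

```c
/* Added example (not from the thread): IAT hooking on a PE32+ image in memory.
 * The structs are minimal replicas of the Windows PE layout, kept to the fields
 * and offsets this walker uses. The image built below is constructed by hand
 * and is NOT a real driver; the import names are just illustrative. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <strings.h>
#include <stdio.h>

#pragma pack(push, 1)
typedef struct { uint16_t e_magic; uint8_t pad[58]; uint32_t e_lfanew; } dos_hdr_t;            /* 64 bytes */
typedef struct { uint32_t Signature; uint8_t file_hdr[20]; } nt_hdr_t;                         /* sig + IMAGE_FILE_HEADER */
typedef struct { uint32_t VirtualAddress; uint32_t Size; } data_dir_t;
typedef struct { uint16_t Magic; uint8_t pad[110]; data_dir_t DataDirectory[16]; } opt_hdr64_t; /* DataDirectory at +112 */
typedef struct { uint32_t OriginalFirstThunk, TimeDateStamp, ForwarderChain, Name, FirstThunk; } import_desc_t;
typedef struct { uint16_t Hint; char Name[1]; } import_by_name_t;
#pragma pack(pop)

#define IMAGE_DOS_SIGNATURE            0x5A4D
#define IMAGE_NT_SIGNATURE             0x00004550
#define IMAGE_NT_OPTIONAL_HDR64_MAGIC  0x20B
#define IMAGE_DIRECTORY_ENTRY_IMPORT   1
#define IMAGE_ORDINAL_FLAG64           0x8000000000000000ULL

/* Return the address of the IAT slot through which `base` calls `func`
 * imported from `module`, or NULL if the image does not import it. */
uint64_t *find_iat_slot(uint8_t *base, const char *module, const char *func)
{
    dos_hdr_t *dos = (dos_hdr_t *)base;
    if (dos->e_magic != IMAGE_DOS_SIGNATURE) return NULL;
    nt_hdr_t *nt = (nt_hdr_t *)(base + dos->e_lfanew);
    if (nt->Signature != IMAGE_NT_SIGNATURE) return NULL;
    opt_hdr64_t *opt = (opt_hdr64_t *)((uint8_t *)nt + sizeof *nt);
    if (opt->Magic != IMAGE_NT_OPTIONAL_HDR64_MAGIC) return NULL;   /* this walker is PE32+ only */
    data_dir_t dir = opt->DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT];
    if (dir.VirtualAddress == 0) return NULL;

    for (import_desc_t *d = (import_desc_t *)(base + dir.VirtualAddress); d->Name != 0; d++) {
        if (strcasecmp((const char *)(base + d->Name), module) != 0) continue;
        /* OriginalFirstThunk (INT) keeps the names; FirstThunk (IAT) holds the
         * resolved addresses the code actually calls through. Patch the IAT. */
        uint64_t *names = (uint64_t *)(base + d->OriginalFirstThunk);
        uint64_t *iat   = (uint64_t *)(base + d->FirstThunk);
        for (size_t i = 0; names[i] != 0; i++) {
            if (names[i] & IMAGE_ORDINAL_FLAG64) continue;        /* imported by ordinal: no name */
            import_by_name_t *ibn = (import_by_name_t *)(base + (uint32_t)names[i]);
            if (strcmp(ibn->Name, func) == 0) return &iat[i];
        }
    }
    return NULL;
}

/* Swap the slot for `hook` and hand back the original pointer so the hook can
 * forward to it. In a real driver the IAT sits in a read-only section, so the
 * page must be made writable (e.g. through an MDL) before this store; that
 * step is omitted here because the test image is plain writable memory. */
void *hook_iat(uint8_t *base, const char *module, const char *func, void *hook)
{
    uint64_t *slot = find_iat_slot(base, module, func);
    if (!slot) return NULL;
    void *old = (void *)(uintptr_t)*slot;
    *slot = (uint64_t)(uintptr_t)hook;
    return old;
}

/* ---- constructed "driver" image and stand-in imports (not real code) ---- */
typedef int (*pool_fn_t)(int tag);
static int real_alloc(int tag) { return tag * 2; }     /* stands in for the imported routine */
static pool_fn_t g_orig_alloc;                         /* original pointer saved by the hook */
int g_hook_hits;
static int hooked_alloc(int tag) { g_hook_hits++; return g_orig_alloc(tag); }  /* our code, then forward */

static uint64_t g_image_storage[0x600 / 8];            /* uint64_t storage keeps the thunk arrays aligned */

uint8_t *build_fake_image(void)
{
    uint8_t *b = (uint8_t *)g_image_storage;
    memset(b, 0, sizeof g_image_storage);
    dos_hdr_t *dos = (dos_hdr_t *)b;  dos->e_magic = IMAGE_DOS_SIGNATURE;  dos->e_lfanew = 0x80;
    nt_hdr_t *nt = (nt_hdr_t *)(b + 0x80);  nt->Signature = IMAGE_NT_SIGNATURE;
    opt_hdr64_t *opt = (opt_hdr64_t *)(b + 0x80 + sizeof *nt);
    opt->Magic = IMAGE_NT_OPTIONAL_HDR64_MAGIC;
    opt->DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress = 0x200;
    opt->DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].Size = 2 * sizeof(import_desc_t);
    import_desc_t *d = (import_desc_t *)(b + 0x200);   /* d[1] stays zero: terminator */
    d->OriginalFirstThunk = 0x300;  d->Name = 0x400;  d->FirstThunk = 0x500;
    strcpy((char *)b + 0x400, "ntoskrnl.exe");
    strcpy((char *)b + 0x410 + 2, "ExAllocatePoolWithTag");   /* 2-byte hint, then the name */
    strcpy((char *)b + 0x430 + 2, "IoCreateDevice");
    uint64_t *names = (uint64_t *)(b + 0x300);
    names[0] = 0x410;  names[1] = 0x430;                       /* names[2] = 0 terminator */
    uint64_t *iat = (uint64_t *)(b + 0x500);
    iat[0] = (uint64_t)(uintptr_t)real_alloc;  iat[1] = (uint64_t)(uintptr_t)real_alloc;
    return b;
}

/* Install the hook, then make the same indirect call the driver would make. */
int demo(void)
{
    uint8_t *img = build_fake_image();
    g_orig_alloc = (pool_fn_t)(uintptr_t)hook_iat(img, "ntoskrnl.exe", "ExAllocatePoolWithTag", (void *)hooked_alloc);
    if (!g_orig_alloc) return -1;
    pool_fn_t call = (pool_fn_t)(uintptr_t)*find_iat_slot(img, "ntoskrnl.exe", "ExAllocatePoolWithTag");
    return call(21);                                           /* hook runs, forwards to original: 42 */
}

int main(void)
{
    int r = demo();
    printf("call through hooked IAT returned %d, hook ran %d time(s)\n", r, g_hook_hits);
    return 0;
}
```

The walker matches names from the INT and patches the parallel IAT entry, which is the detail that trips people up when porting usermode IAT hooks: the two arrays are indexed in lockstep, but only FirstThunk is what `call [rip+...]` goes through. A real driver would also need to find the target image base (the walker only takes a base pointer) and handle images that import by ordinal or lack an INT.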