hi , I did a search on the internet but I could not find anything about Hook RtlCreateProcessParameters function. please help me
A forum for reverse engineering, OS internals and malware analysis
It's just a function. What is the problem? If you can't describe what you want again - just use google translate.
Ring0 - the source of inspiration
EP_X0FF wrote:just use google translate.I think we will experience same problem.
just simple google search give you many info about hooking :
http://lmgtfy.com/?q=hook+function+%20techniques
i think you just use SSDT before and now see this function is not in ssdt and ask what i must do - we have some other method to hook function
inline hooking :read old "rootkit subverting windows " book and "rootkit arsenal" and too many article :
http://lastfrag.com/hotpatching-and-inl ... explained/
http://jbremer.org/x86-api-hooking-demystified/
in general for inline hooking you must do :
user mode sample is in attachment
for kernel mode see m1gB0t, Greg Hoglund, 2004
http://lmgtfy.com/?q=hook+function+%20techniques
i think you just use SSDT before and now see this function is not in ssdt and ask what i must do - we have some other method to hook function
inline hooking :read old "rootkit subverting windows " book and "rootkit arsenal" and too many article :
http://lastfrag.com/hotpatching-and-inl ... explained/
http://jbremer.org/x86-api-hooking-demystified/
in general for inline hooking you must do :
user mode sample is in attachment
for kernel mode see m1gB0t, Greg Hoglund, 2004
Attachments
(1.48 KiB) Downloaded 46 times
@R00tkitSMM
