You are saying cross check..again, we come to the device io control...TDL3 infect driver detection to sample code?
A forum for reverse engineering, OS internals and malware analysis
How this screenshot is related to heuristic detection of TDL3/4? Alex has already given you the entire Xuetr detection route.
Ring0 - the source of inspiration
Where do I use this routines? I don't write driver for detector. I need a example to detector driver.. Trying to tell it...
Where do I use this routines?In driver, since to list driver/device objects you need to touch kernel memory.
I need a example to detector driver..Copy-pasting is not welcomed. Show your work. Currently I only see nonsense screenshots with OllyDbg.
I don't write driver for detectorThen what you do?
Ring0 - the source of inspiration
DriverEntry proc pDriverObject:PDRIVER_OBJECT, pusRegistryPath:PUNICODE_STRING
.if I can do it != I want to sample
invoke DbgPrint, $CTA0("This is my work.
")
mov I'mProgramer, FALSE
.endif
.if I'mProgramer == FALSE
invoke DbgPrint, $CTA0(" HELP ")
.endif
mov eax, STATUS_DEVICE_CONFIGURATION_ERROR
ret
DriverEntry endp
.if I can do it != I want to sample
invoke DbgPrint, $CTA0("This is my work.
")mov I'mProgramer, FALSE
.endif
.if I'mProgramer == FALSE
invoke DbgPrint, $CTA0(" HELP ")
.endif
mov eax, STATUS_DEVICE_CONFIGURATION_ERROR
ret
DriverEntry endp
Oh I see. Forget about TDL. You are too inexperienced for it. You should start from something simpler. And the first step should be abandon ASM as language for drivers developing. See http://www.kernelmode.info/forum/viewto ... f=14&t=374 as one of the start points. Thread has exhausted itself and closed.
Ring0 - the source of inspiration