GamingMasteR wrote:I think Vrtule meant by "deep copy" is that IO manager will only copy the passed structure but not the buffer it points to, try including the APINAME/MODULENAME buffers inside API_HOOK_SSDT instead of pointing to them.Yes, that's exactly what I ment.
A forum for reverse engineering, OS internals and malware analysis
Tigzy wrote:[00:08:0986] [SSDT] Iterate refApi : (0x9f0732c) 0x6456744e, refModule : (0x9f0712c) 0x6e6f436dHere you can see the fields of the object passed to KM relocated up in the kernel (adresses with high ranges)
0x6456744e = "NtVd"
0x6e6f436d = "mCon"
("NtVdmControl"?)
Pointer misuse :D
