Re: Import Address Table of .SYS driver
From: Don Burn (burn_at_stopspam.acm.org)
Date: 05/17/04
Date: Mon, 17 May 2004 12:28:51 -0400
Gary,
Take a look at PsSetLoadImageNotifyRoutine; this will give you the image
base in the kernel address space. As Pavel pointed out, the problem is that
it will not give you all the data you may want, since some of these things
are macros that generate inline code.
--
Don Burn (MVP, Windows DDK)
Windows 2k/XP/2k3 Filesystem and Driver Consulting
Remove StopSpam from the email to reply

"Gary Chapman" <none@none.no> wrote in message
news:opr75gh0fs2p1re9@netech...
> I wish to hook into the upper and lower edge of a network miniport driver
> for analysis purposes. The aim is to obtain enough correlating data from
> both edges to determine how to control the ISA network card in a
> standalone microcontroller based device in the absence of a manufacturer's
> data-*** (I'm making a homebrew device to perform network stress-testing
> and generate variable traffic for testing QOS configurations). I've
> managed to get over 50 ISA NICS cheaply at auction for my little
> enterprise but they are not NE2000 compatibles apparently. Hence the
> problem.
>
> An intermediate driver would give me the upper edge but not the lower and
> I am not really comfortable wrapping NDIS or HAL. Since the .SYS file has
> a regular PE header with Import Address Table I figure that'd be a good
> way to hook the functions I need cleanly and without too much coding
> overhead.
>
> The problem I have is in getting a handle on nicdriver.sys as I have only
> ever patched IAT on user-mode applications where a handle was readily
> available. Does anyone know of a good method of locating the .sys and
> setting the appropriate permissions to edit the IAT?
>
> Like I say, I have done this in userland and I presume it is also possible
> in kernel mode - I just need to wrangle appropriate access to the .sys,
> after that I'm back on familiar ground.
>
> Any advice, comments or links greatly appreciated.
>
> Many many thanks,
>
> GC
> --
> Using Opera's revolutionary e-mail client: http://www.opera.com/m2/