Re: SysHook and STATUS_ACCESS_VIOLATION
- From: Gian-Luca <GianLuca@xxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Fri, 1 Jul 2005 07:10:01 -0700
Dear Don,
thanks for your beautiful answer ;)
I've decided to use hooking for some reasons:
- My company is specialized in making applications, born to be single client,
working in a Terminal Server env
- Hooking is the only (and suggested by your colleagues) way to do this, and
MS is selling a library to do this
- MS's hooking library is not OK, because it could create a series of bugs
(tested by me)
- In order to make our SW work in the best manner, I'm testing the device
driver's way
- I have to hook other Zw functions (ZwOpenKey was only an example); does Windows
have callbacks for the other Zw functions?
and finally, from the IFS Help (about CmRegisterCallback):
"...This routine is available on Microsoft Windows XP and later operating
systems.."
and even if MS would let win2000 die, our customers have it on their
servers ;)
XP, 2003 and Longhorn have a big LIVING father.
So, before writing so much STUPID, probably you have to listen to my answer, ok?
If you can answer me, I'll give you all the info you asked for.
Thanks anyway.
"Don Burn" wrote:
> First any system hooking is STUPID, it is likely to crash the system.
> Second, registry hooking is REALLY STUPID since there are callback routines
> (see CmRegisterCallback) that provide a mechanism for supporting this stuff.
>
>
> If you want to do this, at least give us enough data to show what could be
> wrong. You state you allocate memory, in what pool? How did you set up
> your OBJECT_ATTRIBUTES structure, etc.
>
> As a final request, as I ask for all IDIOTS who do something as REALLY
> REALLY STUPID AS HOOKING, please tell us your company and product, so we can
> be sure to avoid it at all costs.
>
>
>
> --
> Don Burn (MVP, Windows DDK)
> Windows 2k/XP/2k3 Filesystem and Driver Consulting
> Remove StopSpam from the email to reply
>
>
>
> "Gian-Luca" <GianLuca@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
> news:33BC9768-26F5-4DA4-9BF5-86C24FA929F4@xxxxxxxxxxxxxxxx
> > Hi,
> >
> > Recently I've attempted to write a driver in order to hook any registry
> > access
> > using the KeServiceDescriptorTable and then substitute the table entry with my
> > function.
> > If I use this code only for logging (i.e. RegMon) it's all OK, but if I
> > try to modify the parameters all the ZwXxx functions give me a
> > STATUS_ACCESS_VIOLATION:
> >
> > for example:
> >
> > - if the key that the application wants to open is
> > \Registry\Machine\Software\Test
> > I create (ExAllocatePool) a new POBJECT_ATTRIBUTES and the related
> > PUNICODE_STRING
> >
> > - then I call the RealZwOpenKey (the real KeServiceDescriptorTable's
> > function)
> >
> > but if I do so the function gives me the error.
> >
> > But, if I dehook ZwOpenKey and then call ZwOpenKey, the function is OK.
> > But dehooking this function isn't good (some accesses could be lost).
> >
> > It seems that the real ZwOpenKey's code can't or doesn't want to access the
> > memory allocated by the driver...
> >
> > thanks
>
>
>
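As an added illustration of why the forwarded call in the quoted question fails (an editor's constructed model, not code from either poster or from Windows): a native service probes its pointer arguments whenever the system call was entered from user mode, that previous mode is not changed by a service-table hook running on the caller's behalf, and pool-allocated structures live above the user/kernel boundary. The status values and the 32-bit x86 MmUserProbeAddress are assumed from Windows; the pool addresses are constructed.

```c
#include <stdint.h>

/* Constructed model (not kernel code) of the previous-mode check inside a native
   service. Values assumed from 32-bit x86 Windows: MmUserProbeAddress = 0x7FFF0000,
   STATUS_ACCESS_VIOLATION = 0xC0000005. */
typedef int32_t NTSTATUS;
#define STATUS_SUCCESS          ((NTSTATUS)0x00000000)
#define STATUS_ACCESS_VIOLATION ((NTSTATUS)0xC0000005)
#define MM_USER_PROBE_ADDRESS   0x7FFF0000u

typedef enum { KernelMode = 0, UserMode = 1 } KPROCESSOR_MODE;

/* Minimal stand-in for OBJECT_ATTRIBUTES; ObjectName is kept as a raw address. */
typedef struct { uint32_t Length; uint32_t ObjectName; } OBJECT_ATTRIBUTES_MODEL;

/* Model of ProbeForRead: a buffer handed in by a user-mode caller must lie entirely
   below the user/kernel boundary, otherwise the service fails with an access violation. */
static NTSTATUS probe_for_read(uint32_t address, uint32_t length)
{
    if (length == 0) return STATUS_SUCCESS;
    if (address + length < address || address + length > MM_USER_PROBE_ADDRESS)
        return STATUS_ACCESS_VIOLATION;
    return STATUS_SUCCESS;
}

/* Model of NtOpenKey's parameter validation. PreviousMode records who entered the
   system call; it stays UserMode while a service-table hook runs on that caller's
   behalf, so the original service probes whatever pointers the hook forwards. */
static NTSTATUS nt_open_key_model(KPROCESSOR_MODE previous_mode,
                                  uint32_t oa_address, const OBJECT_ATTRIBUTES_MODEL *oa)
{
    if (previous_mode == UserMode) {
        NTSTATUS st = probe_for_read(oa_address, sizeof *oa);
        if (st != STATUS_SUCCESS) return st;
        st = probe_for_read(oa->ObjectName, 8); /* sizeof(UNICODE_STRING) on x86 */
        if (st != STATUS_SUCCESS) return st;
    }
    return STATUS_SUCCESS; /* the real open of the key would follow here */
}

/* Same pool-allocated attributes, two entry paths: via the hooked service-table entry
   on behalf of a user-mode caller (the thread's failing case, UserMode), and via the
   driver's own ZwOpenKey call after dehooking, which enters with KernelMode. */
NTSTATUS forward_pool_attributes(KPROCESSOR_MODE previous_mode)
{
    OBJECT_ATTRIBUTES_MODEL pool_oa = { 24, 0x81234000u }; /* constructed pool addresses */
    return nt_open_key_model(previous_mode, 0x81230000u, &pool_oa);
}
```

The CmRegisterCallback route Don names sidesteps this entirely: the configuration manager hands the callback kernel-prepared REG_*_KEY_INFORMATION structures instead of the caller's raw pointers, so nothing a driver allocates from pool is ever probed against the user boundary.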