Re: Alternative to system service dispatch table (SSDT) patching in Win64
- From: "Don Burn" <burn@xxxxxxxxxxxxxxxx>
- Date: Thu, 3 Nov 2005 12:03:09 -0500
First, join the NTFSD newsgroup at http://www.osronline.com. Second, join the
Vista beta and download the WDK; see
http://www.microsoft.com/whdc/driver/WDK/betaWDK.mspx. Finally, consider
taking the OSR class on file systems:
http://www.osr.com/seminars_dfsw2_5dl.cfm.
--
Don Burn (MVP, Windows DDK)
Windows 2k/XP/2k3 Filesystem and Driver Consulting
Remove StopSpam from the email to reply
"CharlesT" <charleshlt@xxxxxxxxxxxxxxxx> wrote in message
news:OzuMQeJ4FHA.476@xxxxxxxxxxxxxxxxxxxxxxx
> Thanks Don - that's got to be the record for quickest answer to one of my
> msdn posts.
>
> Can you recommend a good place to start reading up on file system
> mini-filters? I had a quick look in the DDK docs & didn't see much.
>
> Regards, Charles
>
> "Don Burn" <burn@xxxxxxxxxxxxxxxx> wrote in message
> news:eHO9EWJ4FHA.3588@xxxxxxxxxxxxxxxxxxxxxxx
>> Yes, you are going to need a file system filter. This is the blessed way
>> of doing this. The good news is that with Vista you do not need to buy
>> the IFS kit; it is included in the WDK (the Vista equivalent of the DDK),
>> and provides backward compatibility to Windows 2000. The other piece of
>> good news is that Microsoft recently released a new model for file
>> system filters, called mini-filters. This reduces (but is far from
>> eliminating) the pain of writing a file system filter.
>>
>> When you do this, replace your current code that hooks the system calls.
>> Many firms I know are running things like the SysInternals Rootkit
>> Revealer and rejecting software that does hooking. Hooking the call
>> table is unsafe.
>>
>> --
>> Don Burn (MVP, Windows DDK)
>> Windows 2k/XP/2k3 Filesystem and Driver Consulting
>> Remove StopSpam from the email to reply
>>
>> "CharlesT" <charleshlt@xxxxxxxxxxxxxxxx> wrote in message
>> news:%23QQFtOJ4FHA.2552@xxxxxxxxxxxxxxxxxxxxxxx
>>> I'm familiar with the technique of patching the system service dispatch
>>> table to monitor system calls such as ZwOpenFile in kernel mode, and am
>>> aware that this technique will not be feasible on Win64 and Windows
>>> Vista systems.
>>>
>>> I was wondering if there's a feasible (and obeying-the-rules, good
>>> citizen) alternative that can be used on Win64 and Vista. We want to
>>> monitor processes that open and read from certain files of interest to
>>> us. Would a file system filter driver do the trick?
>>>
>>> Regards, Charles