Re: Hooking IRPs
- From: "Doron Holan [MS]" <doronh@xxxxxxxxxxxxxxxxxxxx>
- Date: Sat, 27 May 2006 14:06:09 -0700
Even if you bypass Filemon, I can set a bp on your driver's read/write
dispatch routines and see the data.
d
--
Please do not send e-mail directly to this alias. this alias is for
newsgroup purposes only.
This posting is provided "AS IS" with no warranties, and confers no rights.
"Peter" <Peter@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:5E659985-C877-4988-9228-8457DA360F42@xxxxxxxxxxxxxxxx
Yes, it is a security concern. Tools like Filemon can be used, for example, to
catch reading/writing a product key from/to a file.
Peter
"Don Burn" wrote:
Filemon is just a file system filter driver; trying to hide from such a
driver would break the system completely. I assume this is a security
concern, but the only way to run Filemon is with privileges to load
drivers, and once you are in the kernel there is no security from other kernel
components.
--
Don Burn (MVP, Windows DDK)
Windows 2k/XP/2k3 Filesystem and Driver Consulting
http://www.windrvr.com
Remove StopSpam from the email to reply
"Peter" <Peter@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:57AC307D-E5F8-4CDB-B4D6-55FF93415394@xxxxxxxxxxxxxxxx
Tools like Filemon hook IRPs sent to the file system driver. I don't know the
details, but it seems that there is no way to hide Read/Write operations
from such tools?
Peter