Re: Copying a kernel routine
- From: "Don Burn" <burn@xxxxxxxxxxxxxxxxxxxx>
- Date: Sat, 29 Dec 2007 18:07:52 -0500
OH, lets see, you are going to modify the page table, but not the internal
databases the OS creates with them, that is great MALWARE that will likely
crash the system, so you don't need to be stopping MALWARE you are that
CRAP.
If you need a kernel like routine, design your own, but of course as I said
in the first message it is not just code, you have to worry about global
data. Sorry from what I have seen approaches like yours destabilize the
system worse than the junk they are supposed to protect us from.
--
Don Burn (MVP, Windows DDK)
Windows 2k/XP/2k3 Filesystem and Driver Consulting
Website: http://www.windrvr.com
Blog: http://msmvps.com/blogs/WinDrvr
Remove StopSpam to reply
"Hummingbird" <Hummingbird@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:DB563E74-2151-4636-9201-B3FDAAEDD8B3@xxxxxxxxxxxxxxxx
Hi, Thanks for respond.
Well, i am writing a anti-malware software actually. As you know, they use
hooks and modify the Windows kernel to hide and protect themself.
You are right, Relocation is a problem. I can use something like
LdrRelocateImageWithBias (I mean write another one myself since it's not
exported), but that's means I have to copy the whole ntoskrnl.exe to the
pool.
About the execute bit, I guess we can set it manually since we are in Ring
0, just like the CR0 register. I don't know if i am right. But maybe
that's
not recommanded by Microsoft.
"Don Burn" wrote:
Bad idea in general, first if this is a modern processor it won't work
since
the paged area will not have the execute bit. Second, the code is
linked
to a location, how are you going to determine the reloc's (this is where
a
full disassembler comes in handy). Third how do you know if the code
does
not depend on external factors that you cannot control.
Why do you think you need this? What function do you think you will be
able
to diddle at the binary level?
--
Don Burn (MVP, Windows DDK)
Windows 2k/XP/2k3 Filesystem and Driver Consulting
Website: http://www.windrvr.com
Blog: http://msmvps.com/blogs/WinDrvr
Remove StopSpam to reply
"Hummingbird" <Hummingbird@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:BCB81727-C855-4B33-9F06-FB7C62377923@xxxxxxxxxxxxxxxx
Hi everyone.
I wants to make some changes to a kernel routine and use it by myself
(which
means other drivers in the system can not use this new routine and
those
chages will not affect other drivers)
What i am thinking is i can allocate a non-paged pool, and copy the
whole
routine to this pool, modify it and call it by the pointer to the pool.
I don't know if i am right. And here is another problem: how can i know
the
size of the whole routine? Do i need a small disassembler in my driver
or
something?
Many Thanks.
.
- References:
- Re: Copying a kernel routine
- From: Don Burn
- Re: Copying a kernel routine
- From: Hummingbird
- Re: Copying a kernel routine
- Prev by Date: Re: Copying a kernel routine
- Next by Date: Re: Scope of UMDF
- Previous by thread: Re: Copying a kernel routine
- Next by thread: Re: Copying a kernel routine
- Index(es):
Relevant Pages
|
