From: Vadim Smirnov [vsmirnov@pcausa.com]
Sent: Thursday, April 04, 2002 9:38 AM
To: NT Developers Interest List
Subject: [ntdev] Re: Hooking system call from driver.

Sometimes it can be necessary, but you'd better try to avoid using it.
Kernel image protection can be removed as follows:

// Disable kernel image protection (Windows 2000/XP specific)
__asm
{
	mov  ebx , cr0  ;		get CR0 register
	push ebx        ;		save it
	and ebx , ~0x10000 ;	clear WP bit
	mov cr0 , ebx  ;		effectively disable write protection
}

// Put your patching code here

// Reenable kernel image protection
__asm
{
	pop ebx          ;	restore it
	mov cr0 , ebx    ;	enable previous CPU state.
}

BR,
Vadim
http://www.ntndis.com

-----Original Message-----
From: bounce-ntdev-6615@lists.osr.com
[mailto:bounce-ntdev-6615@lists.osr.com]On Behalf Of Andy LaRocco
Sent: Thursday, April 04, 2002 6:22 PM
To: NT Developers Interest List
Subject: [ntdev] Re: Hooking system call from driver.


So, can I take that to mean you don't think it's a good idea?  :)

andy

-----Original Message-----
From: bounce-ntdev-8288@lists.osr.com
[mailto:bounce-ntdev-8288@lists.osr.com]On Behalf Of Mark Roddy
Sent: Thursday, April 04, 2002 9:06 AM
To: NT Developers Interest List
Subject: [ntdev] Re: Hooking system call from driver.


That isn't a system call; it's a kernel API. The way to do this is to 'patch'
the function itself with a call to your depraved hook routine. Good luck on
that, and don't forget that w2k and later protect kernel code space from
write operations.

"Andy LaRocco" <larocco1@charter.net> wrote in message news:25986@ntdev...
>
> Hi,
> How would you hook a system call like IoInvalidateDeviceRelations from a
> driver?
>
> thanks
> Andy
>
>
>
>



---
You are currently subscribed to ntdev as: larocco1@charter.net
To unsubscribe send a blank email to %%email.unsub%%


