Let's talk about kernel and drivers

morph3us.org


  (Friday, October 21, 2005)
holy father (hf), the author of the famous Hacker Defender (hxdef) rootkit for Windoze NT systems, offers a new driver-coding tutorial on his site (http://hxdef.org/knowhow.php). He plans to release a new part of the tutorial once a week for a while (circa 12 weeks, IIRC). This tutorial is really worth reading for anyone interested in this topic, because this kind of information is rarely found presented so well, and this guy definitely knows what he is talking about.

Here is some information about the currently available parts of the tutorial:
  • Intro (27.08.2005): Just an introduction paper for the upcoming driver-coding tutorial. Every Saturday for several weeks a new part of this tutorial will be released. For those who want to learn some basics of coding, this intro brings some important references to very basic driver tutorials that should be read before starting on this one.
  • Hook1 (03.09.2005): A very simple driver that just sends debug messages.
  • Hook2 (10.09.2005): hook2 is a basic hook driver; it hooks ZwOpenProcess in the SDT. The hook can be seen in DebugView.
  • Hook3 (17.09.2005): hook3 is a driver with a sample device extension and communication with a user-mode application using DeviceIoControl. It maintains a list of rules for PIDs in the device extension but does nothing with the list yet.
  • Hook4 (24.09.2005): hook4 protects processes on IOCTL demand using hooks for ZwOpenProcess and ZwOpenThread.
  • Hook5 (01.10.2005): hook5 protects processes using hooks for ZwOpenProcess and ZwOpenThread; when protection is requested for a process, all its threads are also protected.
  • Hook6 (08.10.2005): hook6 protects processes using hooks for ZwOpenProcess and ZwOpenThread; when protection is requested for a process, all its threads are also protected. If there is an active rule for some process and that process terminates via ZwTerminateProcess, the rule is deleted. But probably the most important code in this part is the generic PID-from-EPROCESS lookup in compat.cpp.
  • Hook7 (15.10.2005): hook7 extends hook6 as usual. For protected processes, access is not automatically denied; instead of returning access denied, the driver sends a notification to the user-mode application, which asks the user whether or not to permit the access. The notification is implemented using asynchronous I/O.

Check out the references section of the first part, named Intro:

Driver Development - Tutorial by Toby Opferman

.have phun