01-01-2005, 00:04
Cobi
SST Hook -> Bluescreen!?

Hi there,
For educational purposes (?) I want to code a File/Regmon clone, with the same method of SystemServiceTable hooking described in "Undocumented Windows NT", but when I try to patch I get a bluescreen "DRIVER_IRQL_NOT_LESS_OR_EQUAL"!?
Code:
extern	PSERVICE_DESCRIPTOR_TABLE	KeServiceDescriptorTable;
#define	SYSTEMSERVICE(_function)	KeServiceDescriptorTable->ntoskrnl.ServiceTable[*(PULONG)((PUCHAR)_function+1)]

_asm cli;
(NTCREATEFILE)(SYSTEMSERVICE(ZwCreateFile)) = NewZwCreateFile; // <---#HERE#
_asm sti;
The system crashes directly when I try to patch.
Is the table in WinXP write-protected, or what's going on?
The whole source is attached.
Happy New Year @all
-Cobi
Attached file: Fmon.rar (10.8 KB)
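Added example, not part of the original post or its attachment: the SYSTEMSERVICE macro reads the ULONG at byte offset 1 of a Zw* stub, which assumes the stub starts with `mov eax, imm32`. This user-mode C sketch performs that read with the checks the macro omits, then tests whether a table entry still points inside the kernel image, the way an integrity checker would spot a replaced handler. The struct, function names, stub bytes and addresses are all constructed for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed sample: start of an x86 Zw* stub, "mov eax, imm32" (0xB8),
   then unrelated bytes. The index value 3 is made up for this example. */
static const uint8_t sample_stub[] = { 0xB8, 0x03, 0x00, 0x00, 0x00, 0x8D, 0x54, 0x24, 0x04 };

/* Hypothetical snapshot of a service table plus the kernel image range. */
struct table_view {
    const uint32_t *entries;   /* handler addresses, one per service index */
    uint32_t count;
    uint32_t image_base;
    uint32_t image_size;
};

/* Constructed addresses: entry 3 points outside [base, base + size). */
static const uint32_t sample_entries[] = {
    0x80401000u, 0x80402340u, 0x8045A000u, 0xF8A01000u, 0x804FF010u };
static const struct table_view sample_table = {
    sample_entries, 5, 0x80400000u, 0x00200000u };

/* The read the SYSTEMSERVICE macro performs (ULONG at offset 1), with the
   checks the macro omits. Returns -1 if the stub is not mov eax, imm32. */
int64_t stub_service_index(const uint8_t *stub, size_t len)
{
    if (len < 5 || stub[0] != 0xB8)
        return -1;
    return (int64_t)((uint32_t)stub[1] | (uint32_t)stub[2] << 8 |
                     (uint32_t)stub[3] << 16 | (uint32_t)stub[4] << 24);
}

/* -1: index out of range, 0: handler inside the kernel image, 1: outside. */
int entry_status(const struct table_view *t, int64_t index)
{
    if (index < 0 || index >= (int64_t)t->count)
        return -1;
    /* Unsigned subtraction wraps, so one compare covers both bounds. */
    return (uint32_t)(t->entries[index] - t->image_base) >= t->image_size;
}

int main(void)
{
    int64_t idx = stub_service_index(sample_stub, sizeof sample_stub);
    printf("index %lld, status %d\n", (long long)idx, entry_status(&sample_table, idx));
    return 0;
}
```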