Api Hooking w/ Device Driver

I was wondering if anybody has some resources about hooking api's thru ring0, i would rather not overwrite code, i was thinking about setting a page guard, and when it hits, catch it thru the driver, and go from there, anybody else has any ideas or resources ?

Thanks.

[Shub-Nigurrath]

depends on what are you trying to do on what O.S...HW BPs might also be good for these things..

Quote:

Originally Posted by Peter[Pan]

I was wondering if anybody has some resources about hooking api's thru ring0, i would rather not overwrite code, i was thinking about setting a page guard, and when it hits, catch it thru the driver, and go from there, anybody else has any ideas or resources ?

Thanks.

Take a look at:
http://www.sysinternals.com/

And use regmon95 source. you will find 2 source:
1 - sys file src. 2- application src.

By changing it you can write APIMon very easy.

appreciated! i didnt even think about that application, it slipped my mind

[N0P]

try look at this > http://www.bindview.com/Services/RAZOR/Utilities/Windows/strace_readme.cfm

it comes with source code ...

[FEARHQ]

I was actually contemplating hooking file and registry api's using ring0 driver, under NT5+, using WDM and ring0, and though of filemon and regmon as a good base. I'm looking to write up a small "application firewall" that would allow me to permit or deny access to registry keys or files. A neat final project for an undergraduate degree no? Only problem is, I can't seem to find the regmon, filemon or apimon source code. I'd much rather hook through ring0 than anything else, but if anything I'm open to suggestions/alternatives/input/whatever. If anyone has any advice on what I should read up I'd appreciate it

What about take a look in the www.rootkit.com sources?

[taos]

Quote:

Originally Posted by Shub-Nigurrath

depends on what are you trying to do on what O.S...HW BPs might also be good for these things..

do you have any example or tut? I'm interested in this method.

Regards.