c++ - Calling NtQuerydirectoryFile from a Kernel Hook Crashes the Kernel -

-

i'm using latest version of easyhook hook kernel functions. did setup debugging important on windows 8.1 64-bit based virtual machine, , tested hooking both of ntquerydirectoryfile , ntquerysysteminformation in user mode , ntquerysysteminformation in kernel mode without problem.

my current problem hooking ntquerydirectoryfile using same code used user mode hook, fails when call original function giving me access violation error. i'm using following code kernel mode hook:

ntstatus ntquerydirectoryfile_hook(     __in handle filehandle,     __in_opt handle event,     __in_opt pio_apc_routine apcroutine,     __in_opt pvoid apccontext,     __out pio_status_block iostatusblock,     __out_bcount(length) pvoid fileinformation,     __in ulong length,     __in file_information_class fileinformationclass,     __in boolean returnsingleentry,     __in punicode_string filename optional,     __in boolean restartscan     ) {     ntstatus status;     status = ntquerydirectoryfile(filehandle, event, apcroutine, apccontext, iostatusblock, fileinformation, length, fileinformationclass, returnsingleentry, filename, restartscan);     return status; }

as mentioned before, original trampoline jump modified rax register, replaced trampoline:

50                             push   rax 48 b8 00 00 00 00 00 00 00 00  mov rax, 0x0 48 87 04 24                    xchg   qword ptr [rsp],rax c3                             ret

in addition fixing function rely on hard-coded size of trampoline jump code since newer version bigger. it's working without problem.


Comments

Post a Comment

Popular posts from this blog

c# - How Configure Devart dotConnect for SQLite Code First? -

-
can configure following sample code ? when run following code, error : no entity framework provider found ado.net provider invariant name 'devart.data.sqlite' setting in machine.config <system.data> <dbproviderfactories> <add name="dotconnect sqlite" invariant="devart.data.sqlite" description="devart dotconnect sqlite" type="devart.data.sqlite.sqliteproviderfactory, devart.data.sqlite, version=4.6.287.0, culture=neutral, publickeytoken=09af7300eec23701" /> </dbproviderfactories> </system.data> after add below block code in app.config <?xml version="1.0"?> <configuration>   <configsections> <!-- more information on entity framework configuration, visit http://go.microsoft.com/fwlink/?linkid=237468 --> <section name="entityframework" type="system.data.entity.internal.configfile.entityframeworksection, entit...
Read more

java - Copying object fields -

-
what best way of copying classes when need have 2 independent variables? have simple class: public class myclass { boolean = false; string b= "not empty"; } do need make method : assign(myclass data ) { a= data.a; b= data.b; } is there automatic method copy (duplicate) objects in java? do need make method : pretty close. instead of making method, should make constructor. such constructors called copy constructor , , create them this: myclass(myclass data) { = data.a; b = data.b; } and create copy of instance, use constructor this: myclass obj1 = new myclass(); myclass obj2 = new myclass(obj1); copy constructor can tedious : using copy constructor create deep-copy can tedious, when class has mutable fields. in case, assignment create copy of reference, , not object itself. have create copy of fields (if want deep copy). can go recursive. a better way create deep copy serialize , deserialize object. why not use clone()? ...
Read more

c++ - Clear the memory after returning a vector in a function -

-
i have function processes , stores lot of data in , returns results vector of class. amount of data stored in function tremendous , want clear storage memory of function after finished job. necessary (does function automatically clear memory) or should clear memory function? update: vector<customers> process(char* const *filename, vector<int> id) { vector<customers> list_of_customers; (perform actions) return list_of_customers; } variables defined locally within function automatically released @ end of function scope. destructors objects called, should free memory allocated objects (if objects coded correctly). example of such object std::vector . anything you've allocated new must have corresponding delete release storage. try avoid doing own allocation , use raii instead, i.e. containers or smart pointers.
Read more