Search found 7 matches
- Fri Aug 11, 2023 2:03 am
- Forum: madCodeHook
- Topic: Cannot load driver in safe mode
- Replies: 9
- Views: 24116
Re: Cannot load driver in safe mode
Hello, I modified this code to load MCH driver and printed the error code. https://github.com/GitMirar/DriverLoader/blob/master/DriverLoader/DriverLoader.cpp I also tried Process Hacker, which produced a similar error. Error 1084: This service cannot be started in Safe Mode. Please take a look at al...
- Fri Aug 11, 2023 1:00 am
- Forum: madCodeHook
- Topic: Cannot load driver in safe mode
- Replies: 9
- Views: 24116
Re: Cannot load driver in safe mode
Hello Iconic, The NtLoadDriver also failed with this error. 0xC000035F STATUS_NOT_SAFE_MODE_DRIVER I also found this statement on MSDN. If the system is running in safe mode, and the driver fails to load because it is not on the safe mode list, ZwLoadDriver returns STATUS_SUCCESS. So I think the fai...
- Thu Aug 10, 2023 11:10 pm
- Forum: madCodeHook
- Topic: Cannot load driver in safe mode
- Replies: 9
- Views: 24116
Re: Cannot load driver in safe mode
Hi Iconic, I have already added the madcodehook driver's name under these two registry keys. HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network The sys file is also in the system32\drivers folder. I don't know what's g...
- Thu Aug 10, 2023 12:41 pm
- Forum: madCodeHook
- Topic: Cannot load driver in safe mode
- Replies: 9
- Views: 24116
Cannot load driver in safe mode
Hi, I notice that I cannot load the madcodehook driver in safe mode, even though the proper registry keys are created under Minimal and Network. Using the sc command also doesn't help. I have one mini filter and one network filtering driver in my software, which both can be auto started successfully in safe mode. I...
- Sat Nov 06, 2021 8:05 am
- Forum: madCodeHook
- Topic: About hooking SHFileOperation
- Replies: 5
- Views: 8092
Re: About hooking SHFileOperation
Hi Iconic, I've tried to hook related APIs in both kernelbase.dll and kernel32.dll, but none of them get called. I very much doubt SHFileOperation in Win7 uses a publicly known file copy function internally. I've also tried to use IDA Pro and WinDbg to trace the function call, but can't find any clue. ...
- Wed Nov 03, 2021 2:46 am
- Forum: madCodeHook
- Topic: About hooking SHFileOperation
- Replies: 5
- Views: 8092
Re: About hooking SHFileOperation
Hi Iconic, Thanks for your reply. I have no idea what the CFileOperation class looks like and how to hook its method. I can't find any information on the web. From API monitor, I can see CoCreateInstance is called with this interface id {5762f2a7-4658-4c7a-a4ac-bdabfe154e0d}. I think it's probably the...
- Tue Nov 02, 2021 3:00 pm
- Forum: madCodeHook
- Topic: About hooking SHFileOperation
- Replies: 5
- Views: 8092
About hooking SHFileOperation
Hi, I need to inject some app and hook the SHFileOperation API. Actually, I need to apply a rule based on each file to decide which one is allowed to be copied. SHFileOperation can copy several files and folders all together, so it’s very hard to handle. I need a lower level API to hook. On Windows 1...