Kernel mode hooking

Hi, madshi, and everyone,

I ended up coming here after discovering that one of the security-related apps running on my system is loading mchInjDrv, which I found to be VERY suspicious, because it was loaded from a temporary path! (Why are you hiding your driver?)

Well, after downloading and looking at your library, I found this package to be REALLY GREAT! Now I am considering using it myself.

By the way, at present I am looking for something that can help me hook kernel mode APIs, i.e. the ZwXXX functions, and EVERYTHING that is exported by ntoskrnl.exe and HAL.dll. I know there is a way to hook the ZwXXX functions by patching the system service table, but this is not what I want (because they can be easily detected and unhooked from user mode by accessing \\device\\physicalmemory). What I want is something that can insert a jump at the entry of the "real" ZwXXX (NtXXX) function, so I will never miss a hook. Unfortunately, I cannot find any resources on how to implement this type of hook in kernel mode.

Do you have any plan to make a kernel mode support version of madCodeHook? Or do you know of any documents or resources that describe detour-method hooking in kernel mode?
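The post above contrasts service-table patching, which user-mode tools can spot and undo, with a jump written over the entry of the real NtXXX routine. The flip side of that contrast is how a defender finds entry-point detours: compare the first bytes of each export as seen in memory with the same bytes from the image on disk, and decode any jump found there to see whether it leaves the module. The script below is an added example written for this page; it is not code from the thread, from madCodeHook or from EliCZ's library. It targets 32-bit x86 encodings of the era discussed (WinNT, ntoskrnl.exe, HAL.dll), and every address, prologue byte string and "hook target" in it is constructed sample data. Reading live kernel memory (through a driver or a memory image) is assumed to happen elsewhere; the script only shows the comparison logic.

```python
"""Inline-hook check for routines exported by a kernel image (added example).

All addresses, prologue bytes and the "hook target" below are constructed
for the demo; they are not dumps of a real ntoskrnl.exe. A real scan would
obtain the in-memory bytes through a driver or from a memory image.
"""
import struct
from typing import Optional


def decode_entry_jump(code: bytes, address: int) -> Optional[dict]:
    """Recognise a control transfer sitting at the first bytes of a routine.

    `address` is where `code` lives, needed to resolve relative jumps.
    Returns {"kind", "target"} ("target" is None when only a memory slot is
    known), or None when no transfer sits at the entry.
    """
    if len(code) >= 5 and code[0] == 0xE9:                       # jmp rel32
        rel = struct.unpack_from("<i", code, 1)[0]
        return {"kind": "jmp rel32", "target": (address + 5 + rel) & 0xFFFFFFFF}
    if len(code) >= 2 and code[0] == 0xEB:                       # jmp rel8
        rel = struct.unpack_from("<b", code, 1)[0]
        return {"kind": "jmp rel8", "target": (address + 2 + rel) & 0xFFFFFFFF}
    if len(code) >= 6 and code[:2] == b"\xff\x25":               # jmp dword ptr [disp32]
        slot = struct.unpack_from("<I", code, 2)[0]
        return {"kind": "jmp [mem]", "target": None, "slot": slot}
    if len(code) >= 6 and code[0] == 0x68 and code[5] == 0xC3:   # push imm32 ; ret
        return {"kind": "push/ret", "target": struct.unpack_from("<I", code, 1)[0]}
    # mov eax, imm32 ; jmp eax. Many NtXxx routines legitimately begin with
    # mov eax, <service number>, so the bytes after the immediate decide.
    if len(code) >= 7 and code[0] == 0xB8 and code[5:7] == b"\xff\xe0":
        return {"kind": "mov eax/jmp eax", "target": struct.unpack_from("<I", code, 1)[0]}
    return None


def check_export(name, address, in_memory, on_disk, image_range):
    """Compare one routine's entry bytes in memory with the on-disk image.

    image_range is (start, end) of the module that exports the routine; an
    entry jump whose target lies outside it is the classic detour signature.
    """
    n = min(len(in_memory), len(on_disk))
    changed = [i for i in range(n) if in_memory[i] != on_disk[i]]
    jump = decode_entry_jump(in_memory, address)
    leaves_image = (jump is not None and jump["target"] is not None
                    and not (image_range[0] <= jump["target"] < image_range[1]))
    return {"name": name, "modified": bool(changed),
            "first_diff": changed[0] if changed else None,
            "entry_jump": jump, "leaves_image": leaves_image}


def scan(snapshot, image_range):
    """Report exports whose bytes changed or whose entry jumps out of the image.
    A jump at the entry by itself is not proof: thunks look like that on disk too."""
    results = [check_export(*row, image_range) for row in snapshot]
    return [r for r in results if r["modified"] or r["leaves_image"]]


def make_jmp_rel32(src: int, dst: int) -> bytes:
    """Encode the 5-byte relative jump found at a detoured entry (test data only)."""
    return b"\xe9" + struct.pack("<I", (dst - (src + 5)) & 0xFFFFFFFF)


# ---- constructed sample data (not from any real system) -------------------
IMAGE_RANGE = (0x80400000, 0x80600000)      # pretend ntoskrnl load range
HOOK_TARGET = 0xF8A00000                    # pretend address inside another driver

# Clean prologues: mov eax,<svc#> ; lea edx,[esp+4] ; pushfd ; push N ; call rel32
CLEAN_NTCREATEFILE = bytes.fromhex("b8420000008d5424049c6a08e800000000")
CLEAN_NTOPENFILE = bytes.fromhex("b8740000008d5424049c6a06e800000000")
CLEAN_NTWRITEFILE = bytes.fromhex("b8ee0000008d5424049c6a09e800000000")
THUNK = b"\xeb\x10" + b"\x90" * 6           # legitimate short jump within the image

HOOKED_CREATE = make_jmp_rel32(0x80501234, HOOK_TARGET) + CLEAN_NTCREATEFILE[5:]
HOOKED_WRITE = b"\x68" + struct.pack("<I", HOOK_TARGET + 0x100) + b"\xc3" + CLEAN_NTWRITEFILE[6:]

SNAPSHOT = [  # (export name, address, bytes seen in memory, bytes from the file)
    ("NtCreateFile", 0x80501234, HOOKED_CREATE, CLEAN_NTCREATEFILE),
    ("NtOpenFile", 0x80501300, CLEAN_NTOPENFILE, CLEAN_NTOPENFILE),
    ("NtWriteFile", 0x80501400, HOOKED_WRITE, CLEAN_NTWRITEFILE),
    ("ExStub", 0x80501500, THUNK, THUNK),
]

if __name__ == "__main__":
    for r in scan(SNAPSHOT, IMAGE_RANGE):
        jump = r["entry_jump"]
        where = (f"{jump['kind']} -> {jump['target']:#x}"
                 if jump and jump["target"] is not None else "no entry jump")
        print(f"{r['name']}: first differing byte +{r['first_diff']}, {where}")
```

Run as a script it reports NtCreateFile and NtWriteFile, each with a jump that lands outside the pretend image range, while the clean NtOpenFile and the unmodified ExStub thunk stay quiet. Two points carry over to a real check: the disk comparison must account for relocations the loader applied, and a transfer at the entry is only evidence when the bytes also differ from the file or the target leaves the module.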
Re: Kernel mode hooking

linden wrote:
> Hi, madshi, and everyone,
> I ended up coming here after discovering that one of the security-related apps running on my system is loading mchInjDrv, which I found to be VERY suspicious, because it was loaded from a temporary path! (Why are you hiding your driver?)

I think he uses this driver for detecting new executions under WinNT (& injecting) for system-wide hooks.
Re: Kernel mode hooking

linden wrote:
> Why are you hiding your driver?

Simply to make life easy for you programmers. You call InjectLibrary, and that madCodeHook uses a driver for that internally is something you can forget about.

linden wrote:
> Do you have any plan to make a kernel mode support version of madCodeHook? Or do you know of any documents or resources that describe detour-method hooking in kernel mode?

I've no plans for that. If you want to do real kernel mode hooking, perhaps EliCZ' kernel mode hooking library is of use for you?