flat assembler
Message board for the users of flat assembler.
Illusion Driver
Pirata Derek 09 Jan 2010, 07:43
The following driver is an SSDT-hooking NT kernel driver that changes the output of the ZwQueryDirectoryFile native API.
In Windows XP, it simply changes its name (it will also use the ? char!) and if you refresh, it becomes a directory. Only if you stop the driver service will it return to its original state. A simple restart will delete the driver from memory. In Windows SEVEN it only changes some information about the size and other things, but seemingly with no particular effect. Why? The attached screenshot shows you what it does in Windows XP.
Pirata Derek 09 Jan 2010, 15:24
Oh, yes, thanks,
but I think it is not for this problem. Maybe the FILE_DIRECTORY_INFORMATION structures are different....
ouadji 09 Jan 2010, 17:34
No, of course! I was not talking about this problem.
ouadji 09 Jan 2010, 17:46
From WDK 6001.18002 (XP/Vista)
Code:
typedef struct _FILE_DIRECTORY_INFORMATION {
    ULONG         NextEntryOffset;
    ULONG         FileIndex;
    LARGE_INTEGER CreationTime;
    LARGE_INTEGER LastAccessTime;
    LARGE_INTEGER LastWriteTime;
    LARGE_INTEGER ChangeTime;
    LARGE_INTEGER EndOfFile;
    LARGE_INTEGER AllocationSize;
    ULONG         FileAttributes;
    ULONG         FileNameLength;
    WCHAR         FileName[1];
} FILE_DIRECTORY_INFORMATION, *PFILE_DIRECTORY_INFORMATION;
You should look in the latest WDK, compatible with "Win7" ... to see if this structure is different for Win7
Pirata Derek 09 Jan 2010, 18:20
I also have the latest WDK for Windows XP and Vista.
I followed that documentation; in fact, in XP it works well. (I don't want to test it in Vista, it sucks for me.) The same functionality, adapted to these structures, should work in Seven, but it doesn't. I still don't know why. For this reason I called that driver: XP illusion....
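The whole thread hinges on the exact layout of the FILE_DIRECTORY_INFORMATION entries that ZwQueryDirectoryFile returns. As an added example (not code from the thread, and not part of the "XP illusion" driver), here is a portable C walker for that buffer format, using the struct layout ouadji quoted, re-spelled with fixed-width types so it builds outside the WDK. It takes the defender's side of the problem: any code that consumes these entries, whether a file-system filter or a tool comparing directory listings for signs of tampering, must validate NextEntryOffset and FileNameLength before trusting them, because a hooked or buggy layer can hand back a malformed buffer. The sample listing, the `demo` variants and all names are constructed here, not captured from a real system.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* FILE_DIRECTORY_INFORMATION as quoted from the WDK above, with fixed-width
   types: ULONG = 32 bits, LARGE_INTEGER = 64 bits, WCHAR = 16 bits. */
typedef struct {
    uint32_t NextEntryOffset;   /* bytes from this entry to the next, 0 = last */
    uint32_t FileIndex;
    int64_t  CreationTime;
    int64_t  LastAccessTime;
    int64_t  LastWriteTime;
    int64_t  ChangeTime;
    int64_t  EndOfFile;
    int64_t  AllocationSize;
    uint32_t FileAttributes;
    uint32_t FileNameLength;    /* in BYTES, not characters */
    uint16_t FileName[1];       /* variable length, NOT NUL-terminated */
} file_directory_information;
#define FDI_HEADER_SIZE offsetof(file_directory_information, FileName)  /* 64 */

/* Walk a ZwQueryDirectoryFile result buffer, checking each entry before trusting
   it. Returns the entry count, or -1 at the first malformed entry (truncated
   header or name, odd UTF-16 byte count, NextEntryOffset inside its own entry). */
int fdi_walk(const uint8_t *buf, size_t buf_len, char names[][64], int max_names)
{
    size_t off = 0;
    int count = 0;
    for (;;) {
        file_directory_information e;
        if (off + FDI_HEADER_SIZE > buf_len) return -1;
        memcpy(&e, buf + off, FDI_HEADER_SIZE);        /* no unaligned access */
        if (e.FileNameLength % 2 != 0) return -1;
        size_t entry_len = FDI_HEADER_SIZE + e.FileNameLength;
        if (off + entry_len > buf_len) return -1;
        if (e.NextEntryOffset != 0 && e.NextEntryOffset < entry_len) return -1;
        if (count < max_names) {                        /* narrow UTF-16LE name for display */
            const uint8_t *p = buf + off + FDI_HEADER_SIZE;
            size_t n = e.FileNameLength / 2 > 63 ? 63 : e.FileNameLength / 2, i;
            for (i = 0; i < n; i++) {
                unsigned wc = p[2 * i] | (unsigned)p[2 * i + 1] << 8;
                names[count][i] = wc < 0x80 ? (char)wc : '?';
            }
            names[count][n] = '\0';
        }
        count++;
        if (e.NextEntryOffset == 0) return count;
        off += e.NextEntryOffset;    /* entry_len >= 64, so this always advances */
    }
}

/* ---- constructed sample listing (not captured from a real system) ---- */
static size_t fdi_put(uint8_t *buf, size_t off, const char *name, uint32_t next)
{
    file_directory_information e = {0};
    size_t n = strlen(name);
    e.NextEntryOffset = next;
    e.FileAttributes  = 0x20;                            /* FILE_ATTRIBUTE_ARCHIVE */
    e.FileNameLength  = (uint32_t)(2 * n);
    memcpy(buf + off, &e, FDI_HEADER_SIZE);
    for (size_t i = 0; i < n; i++) {                      /* ASCII widened to UTF-16LE */
        buf[off + FDI_HEADER_SIZE + 2 * i] = (uint8_t)name[i];
        buf[off + FDI_HEADER_SIZE + 2 * i + 1] = 0;
    }
    return FDI_HEADER_SIZE + 2 * n;
}

/* Three entries, each padded to 8 bytes as the file system drivers do.
   Returns the buffer length (228 bytes for these names). */
size_t build_sample_listing(uint8_t *buf, size_t cap)
{
    const char *names[] = { ".", "..", "readme.txt" };
    size_t off = 0;
    memset(buf, 0, cap);
    for (int i = 0; i < 3; i++) {
        size_t len = FDI_HEADER_SIZE + 2 * strlen(names[i]);
        size_t padded = (len + 7) & ~(size_t)7;
        if (off + padded > cap) return 0;
        int last = (i == 2);
        fdi_put(buf, off, names[i], last ? 0 : (uint32_t)padded);
        off += last ? len : padded;
    }
    return off;
}

/* variant 0: intact listing; 1: last 4 bytes cut off (name truncated);
   2: first NextEntryOffset rewritten to 8, pointing into its own header. */
int demo(int variant)
{
    uint8_t buf[512]; char names[8][64];
    size_t len = build_sample_listing(buf, sizeof buf);
    if (variant == 1) len -= 4;
    if (variant == 2) { uint32_t bad = 8; memcpy(buf, &bad, 4); }
    return fdi_walk(buf, len, names, 8);
}

int main(void)
{
    uint8_t buf[512]; char names[8][64];
    int n = fdi_walk(buf, build_sample_listing(buf, sizeof buf), names, 8);
    for (int i = 0; i < n; i++) printf("%s\n", names[i]);
    printf("intact=%d truncated=%d tampered=%d\n", demo(0), demo(1), demo(2));
    return 0;
}
```

Structural checks like these catch a corrupted or truncated buffer, which is the failure mode a consumer can detect on its own; they cannot tell that an entry was silently dropped from a listing. Detecting that kind of omission needs a cross-view comparison, i.e. obtaining the same directory's contents by an independent route and diffing the two lists.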
Copyright © 1999-2025, Tomasz Grysztar. Website powered by rwasa.