flat assembler
Message board for the users of flat assembler.
Should I release drivers to create, modify or delete any IDT, GDT or LDT descriptors? (these drivers with source code may be dangerous in bad hands)
Total Votes: 17
Pirata Derek 14 Jul 2009, 14:35
Is 7z format still so rare?
I thought it was automatically included in many archive programs. I compressed it with 7z because the output file size is smaller than the zip, so I can save space in my personal upload/download quota... (now I'm near 50% and publishing files will fill all my remaining quota). Ok, I'll change the package, but I advise you to try IZARC Freeware. For me it is better than WinZip or WinRAR because it has *.zip, *.rar, *.iso, *.7z, *.lib, *.deb, ... etc. formats included. Once installed you don't need others.
f0dder 23 Jul 2009, 14:07
1) sysinternals' sync.exe when doing driver development (and ideally a virtual machine or dedicated testbox)
2) source control/revision system
3) backups
Pirata Derek 23 Jul 2009, 16:39
Thanks f0dder.
What programming language does Mark R. use to make Sysinternals' programs so small? C++ or a kind of high ASM?
windwakr 23 Jul 2009, 17:19
looks like C++, I see the text "Microsoft Visual C++ Runtime Library" in the sync executable. I wouldn't really call 146kB small.
Pirata Derek 23 Jul 2009, 17:34
Consider that I downloaded Sync.exe and it is 40 KB, and 70% of the size is the license text data.
Also TCPView is 200 KB but about 25% is data and NULL bytes, so there's 150 KB of code. It isn't bigger nor smaller. I think the FASM one can be 50 KB (I mean only code).
PS: what use have the NULL_subs? Sometimes when disassembling I find the NULL_subs:
Code:
    NULL_sub:
        ret
Are they useless, only to waste clock cycles?
windwakr 23 Jul 2009, 19:24
PIRATA, the zip file is 40kB....the actual executable is 146kB! And 70% of it is not the license data.
Pirata Derek 24 Jul 2009, 10:04
Oh, yes. I was distracted. TCPview.exe is correct.
Pirata Derek 25 Jul 2009, 12:37
This is the NATIVE API INTERCEPTOR.
I made it in one day. It has the driver that intercepts and checks all system calls through SYSENTER. There's the library that communicates with the driver when it is loaded into the kernel pool, and offers export functions for any program. All functions work, but only one thing: when the driver intercepts a system call it goes to the offset of the user-mode dispatch routine (there is a function that sets it), but it seems the system puts the old interceptor process image into a page and it disappears from RAM, so the driver's IRETD goes into a null code area and causes a stupid error. I have to find a way to make the interception dispatch routine resident in memory (it doesn't change its linear address). How should I do it to let interceptions pass to the user-mode program?
Borsuc 25 Jul 2009, 14:35
Pirata Derek wrote:
    Ok, I'll change the package, but I advise you to try IZARC Freeware
_________________
Previously known as The_Grey_Beast
Pirata Derek 27 Jul 2009, 07:03
To me?
I prefer one program that supports multiple purposes (generally). IZARC is a multi-archive manager.
Pirata Derek 27 Jul 2009, 09:07
I resolved the first problem in the NATIVE API INTERCEPTOR.
Now the interceptor driver uses KePulseEvent to alert the user-mode interceptor library. After the driver alert, the WaitForSingleObject function in the library will return with signaled state, and then control passes to the monitoring program. eh, eh... that's an IDEA. The new version is coming soon.
Borsuc 27 Jul 2009, 21:05
7-Zip FM can handle many different formats, and has an "Ultra" compression mode that surpasses even gzip.exe's compression for Gzip.
In short, it compresses the gzip format better than gzip.exe does.
_________________
Previously known as The_Grey_Beast
Pirata Derek 04 Aug 2009, 12:43
The KePulseEvent always makes a bug check error!
Code:
    ... ; some driver code
    invoke KePulseEvent,[Library_event],NO_INCREMENT,FALSE
    ...
    Library_event rd 1 ; the handle passed from the library when synchronizing
The handle of the EVENT parameter is the same value directly returned from the CreateEvent function in the native API hooking library. SHOULD I DUPLICATE THIS HANDLE SO THE DRIVER USES A DIFFERENT ONE FROM THE LIBRARY THAT REFERS TO THE SAME EVENT?
How the interceptor works:
1) The interceptor driver is loaded and activated into the kernel pool. The library sends the commands to the driver via the "FastDriverCall" procedure.
2) The library checks the driver echo (to test the FastDriverCall function).
3) The library creates its alarm event (used to signal any system call hooks to the library) and sends its event handle to the driver (synchronization phase).
4) The library sends the values of the system calls the driver will hook.
5) Finally the library ENABLES the interceptions.
During interceptions the driver does:
1) Checks if EDX = 0 (it means the system call is a library command).
2) If it is a command then the driver completes the requested command.
3) Else the driver checks if EAX (the native API number) is in the hook list.
4) If it isn't in the hook list then it releases execution to the NT kernel.
5) Else the driver checks if it is BUSY (another hook is pending).
6) If busy then it releases execution to the NT kernel.
7) Else it saves all the system call information and pulses the library event.
Copyright © 1999-2025, Tomasz Grysztar. Also on GitHub, YouTube.