Hello all. I need to implement a fast hook for some I/O system service calls,
like ZwCreateFile, ZwWriteFile, . . . . I don't have the time to write a FS
Filter Driver, my app really needs to come out pretty fast. I thought of
using the KeServiceDescriptorTable hook method. I've read some posts on OSR
and no one really recommended this method. I believe that if I stick to some
really simple things in the hooks, and only hook few functions, the driver
will work fine.
Can you support that, or suggest something else?

Re: KeServiceDescriptorTable issue by Don

Don
Sat Jul 19 07:52:01 CDT 2008

By the time you handle all the edge conditions, parameter validation,
customization for various OS/service pack changes, etc., thinking of hooking
as a FAST way to do anything is a fallacy. You have not said what you want
to do, but mini-filters are not that terrible and then they will work. Your
solution will not work on 64-bit, be problematical whenever a service pack
or hotfix is released, and permanently brand your product as MALWARE.

If you want the details to the problems you face, look at the answer already
given to your posting on NTDEV.


--
Don Burn (MVP, Windows DDK)
Windows 2k/XP/2k3 Filesystem and Driver Consulting
Website: http://www.windrvr.com
Blog: http://msmvps.com/blogs/WinDrvr
Remove StopSpam to reply







Re: KeServiceDescriptorTable issue by Maxim

Maxim
Sat Jul 19 14:58:57 CDT 2008

Note that you cannot hook paging IO from Notepad or so.

The proper solution is FltMgr's minifilter, sorry. Quick-and-dirty hacks
cannot work reliably.

--
Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
maxim@storagecraft.com
http://www.storagecraft.com



Re: KeServiceDescriptorTable issue by David

David
Sat Jul 19 19:23:41 CDT 2008

Yes, you can use quick and dirty hacks. It has several advantages:

1. Promotion - you will be done with something that will pass a minimal QA
so quickly they will promote you (maybe just a job title change with no
raise in pay, but it helps on the next job search).
2. Ego boost - you will be able to tell all your coworkers and friends you
got a multi man-year job done in a few weeks.
3. Job security - you will NEVER be done fixing the edge cases
4. Experience - you can leverage the above to get the time to do it
correctly or maybe contract it out with you as the manager (just don't tell
your contractor it was you that wrote the hook based piece of garbage).





Re: KeServiceDescriptorTable issue by Maxim

Maxim
Sun Jul 20 08:55:47 CDT 2008

> 1. Promotion - you will be done with something that will pass a minimal QA
> so quickly they will promote you (maybe just a job title change with no
> raise in pay, but it helps on the next job search).
> 2. Ego boost - you will be able to tell all your coworkers and friends you
> got a multi man-year job done in a few weeks.
> 3. Job security - you will NEVER be done fixing the edge cases
> 4. Experience - you can leverage the above to get the time to do it
> correctly or maybe contract it out with you as the manager (just don't tell
> your contractor it was you that wrote the hook based piece of garbage).

When the flow of issues from customers will become very huge, it will turn out
that most of them are unfixable. This does not help 1 for sure, and probably
does not help 2-3-4 too (especially if the management will get the knowledge
that their product is based on dirty hacks).

--
Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
maxim@storagecraft.com
http://www.storagecraft.com


Re: KeServiceDescriptorTable issue by Don

Don
Sun Jul 20 09:16:53 CDT 2008

Except of course that firms that do this in the first place are the ones who
also have "continuation engineering groups", where the managers and
developers who produced the crap shovel it off to others to maintain.


--
Don Burn (MVP, Windows DDK)
Windows 2k/XP/2k3 Filesystem and Driver Consulting
Website: http://www.windrvr.com
Blog: http://msmvps.com/blogs/WinDrvr
Remove StopSpam to reply





Re: KeServiceDescriptorTable issue by Alexander

Alexander
Sun Jul 20 09:55:04 CDT 2008


"Maxim S. Shatskih" <maxim@storagecraft.com> wrote in message
news:e53bRBn6IHA.3480@TK2MSFTNGP03.phx.gbl...
>
> When the flow of issues from customers will become very huge, it will turn out
> that most of them are unfixable. This does not help 1 for sure, and probably
> does not help 2-3-4 too (especially if the management will get the knowledge
> that their product is based on dirty hacks).
>

Oh, they just blame it on "it's Windows, don't you know? What you expect? no
BSODs?"