Hello guys.

Now, I'm making a hooking program which hooks a selected API function (like CreateFileA).
When I hook an API, all processes (ring 3 level) that use the API will be routed to my new API, and then the original API will be serviced.

To make it possible, the host program (which selects an API to be hooked) communicates with a device driver named 'HookDrv'.
The host program simply passes the addresses of an original API (to be hooked) and a new API (our new API) to HookDrv.
HookDrv receives them and then converts the address into a physical memory address.
After converting, HookDrv writes a 'jmp instruction' at the API entry point to jump to the new API, and backs up the original instructions.

At this point, a problem pops up.

The host program works OK with the above routines, but others may pop up an error message.
Because the new API is not mapped in other processes' memory.
The memory region of the new API is not locked (it can be paged out at any time), and not shared (other processes' page tables have no information about this region).

How can I map a memory region as LOCKED and SHAREABLE? Is there no way?

If there is no way, I'll serialize all requests, and when the host program has a chance to process them, HookDrv will pass the requests.
But it will make Windows a fool. It is very slow (maybe).

Does anyone have any ideas on this problem (LOCKED & SHAREABLE REGION)?

Posted on 2004-05-04 09:55:56 by Yeori
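The patching step the post describes (back up the first bytes of the API entry point, overwrite them with a JMP to the new function, and keep the backup so the original can still be run) is shown below as an added example, not code from Yeori's HookDrv. It works on plain byte buffers instead of a real code page: the `fake_api` bytes are a constructed stand-in for a Win32 entry point (the usual `mov edi,edi / push ebp / mov ebp,esp` prologue, which is exactly five bytes), and `fake_detour` stands in for the new API. The hook_record_t type, install_hook, remove_hook, build_trampoline and jmp_rel32_target names are all assumptions made for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define JMP_REL32_LEN 5   /* E9 xx xx xx xx */

/* What the driver must remember per hook: where it patched and the
   bytes it overwrote, so the hook can be removed or a trampoline built.
   (Hypothetical type for this example.) */
typedef struct {
    uint8_t *entry;
    uint8_t  saved[JMP_REL32_LEN];
    int      active;
} hook_record_t;

/* rel32 is measured from the END of the 5-byte JMP. Returns -1 if the
   target is not reachable with a 32-bit displacement (matters on x64). */
static int encode_jmp_rel32(uint8_t out[JMP_REL32_LEN], const uint8_t *from, const uint8_t *to)
{
    intptr_t delta = (intptr_t)to - (intptr_t)(from + JMP_REL32_LEN);
    if (delta > INT32_MAX || delta < INT32_MIN)
        return -1;
    uint32_t disp = (uint32_t)(int32_t)delta;
    out[0] = 0xE9;
    for (int i = 0; i < 4; i++)            /* little-endian displacement */
        out[1 + i] = (uint8_t)(disp >> (8 * i));
    return 0;
}

/* Decode where an E9 JMP located at `at` lands (used to verify a patch). */
uintptr_t jmp_rel32_target(const uint8_t *at)
{
    uint32_t disp = 0;
    for (int i = 0; i < 4; i++)
        disp |= (uint32_t)at[1 + i] << (8 * i);
    return (uintptr_t)((intptr_t)(at + JMP_REL32_LEN) + (int32_t)disp);
}

/* Back up the first 5 bytes of the entry point and overwrite them with
   JMP detour. `entry` is a plain buffer here; in a driver it would be a
   writable mapping of the API's code page. */
int install_hook(hook_record_t *h, uint8_t *entry, const uint8_t *detour)
{
    uint8_t patch[JMP_REL32_LEN];
    if (h->active || encode_jmp_rel32(patch, entry, detour) != 0)
        return -1;
    memcpy(h->saved, entry, JMP_REL32_LEN);
    memcpy(entry, patch, JMP_REL32_LEN);
    h->entry = entry;
    h->active = 1;
    return 0;
}

/* Put the original bytes back. */
int remove_hook(hook_record_t *h)
{
    if (!h->active) return -1;
    memcpy(h->entry, h->saved, JMP_REL32_LEN);
    h->active = 0;
    return 0;
}

/* Build a 10-byte trampoline: the displaced original bytes followed by a
   JMP to entry+5, so the detour can "service the original API" by calling
   the trampoline. Only valid when the saved bytes are whole,
   position-independent instructions. */
int build_trampoline(const hook_record_t *h, uint8_t tramp[2 * JMP_REL32_LEN])
{
    if (!h->active) return -1;
    memcpy(tramp, h->saved, JMP_REL32_LEN);
    return encode_jmp_rel32(tramp + JMP_REL32_LEN, tramp + JMP_REL32_LEN,
                            h->entry + JMP_REL32_LEN);
}

int main(void)
{
    /* Constructed stand-in for an API entry point: mov edi,edi / push ebp /
       mov ebp,esp (5 bytes), then ret and padding. */
    uint8_t fake_api[8] = { 0x8B, 0xFF, 0x55, 0x8B, 0xEC, 0xC3, 0x90, 0x90 };
    uint8_t fake_detour[8] = { 0xC3 };   /* constructed stand-in for the new API */
    uint8_t tramp[2 * JMP_REL32_LEN];
    hook_record_t h = { 0 };

    if (install_hook(&h, fake_api, fake_detour) != 0) return 1;
    build_trampoline(&h, tramp);
    printf("patched entry jumps to %p (detour at %p)\n",
           (void *)jmp_rel32_target(fake_api), (void *)fake_detour);
    printf("trampoline jumps back to %p (entry+5 at %p)\n",
           (void *)jmp_rel32_target(tramp + JMP_REL32_LEN),
           (void *)(fake_api + JMP_REL32_LEN));
    remove_hook(&h);
    return 0;
}
```

Two caveats a real driver has to handle that the buffer version hides: the five overwritten bytes must be whole instructions (here the standard hot-patchable prologue is exactly five bytes, but a general implementation needs a length disassembler), and the patch must be written atomically or with other threads stopped, because a thread executing the entry point halfway through the write will run a half-written instruction. The trampoline and detour also have to be reachable from every process that hits the patched entry, which is exactly the mapping problem the post raises.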
IIRC, this is not possible due to (illusion of) security.
Posted on 2004-05-04 10:56:02 by bitRAKE
Originally posted by Yeori
Has anyone have any ideas on this problem(LOCKED & SHAREABLE REGION)?

Yes, it is possible.
At least in the W2k/XP/2k3 with the help of device drivers.
But I can't publish this in this forum because I don't want this thread
to be deleted by some arbitrary moderator.

Hint: Use the undocumented kernel variable MmPfnDatabase
or play with the page tables.

Posted on 2004-05-04 13:03:06 by Opcode
Hm, it might be possible by allocating kernel-mode memory... this should be mapped in all processes, but only accessible from ring 0. The page tables could then, I guess, be modified to allow ring 3 access.
Posted on 2004-05-04 13:40:27 by f0dder
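What "modifying the page tables to allow ring 3 access" means at the bit level, as an added example rather than anything posted in the thread: on 32-bit x86 without PAE, a page is user-accessible only when the U/S bit (bit 2) is set in both the page-directory entry and the page-table entry that map it. The self-map addresses used here (page tables at 0xC0000000, page directory at 0xC0300000) are the classic non-PAE Windows NT layout and are an assumption of the example; the function names are hypothetical, and the entry values in main are constructed.

```c
#include <stdint.h>
#include <stdio.h>

/* Flag bits of a 32-bit non-PAE x86 page-directory / page-table entry. */
#define PG_PRESENT    (1u << 0)
#define PG_WRITABLE   (1u << 1)
#define PG_USER       (1u << 2)   /* U/S: 1 = ring 3 may access */
#define PG_GLOBAL     (1u << 8)   /* G: not flushed from the TLB on CR3 reload */
#define PG_FRAME_MASK 0xFFFFF000u

/* Assumed non-PAE Windows self-map: the page tables are visible as an
   array of PTEs at 0xC0000000 and the page directory at 0xC0300000. */
#define PTE_BASE 0xC0000000u
#define PDE_BASE 0xC0300000u

/* Virtual address of the PTE / PDE that maps `va` (non-PAE only). */
uint32_t pte_address_for(uint32_t va) { return PTE_BASE + (va >> 12) * 4u; }
uint32_t pde_address_for(uint32_t va) { return PDE_BASE + (va >> 22) * 4u; }

/* Ring 3 may touch the page only if both levels are present and both
   carry U/S; setting it on the PTE alone does nothing. */
int user_accessible(uint32_t pde, uint32_t pte)
{
    return (pde & PG_PRESENT) && (pte & PG_PRESENT) &&
           (pde & PG_USER) && (pte & PG_USER);
}

/* Return the entry with U/S set; frame number and other flags untouched. */
uint32_t grant_user_access(uint32_t entry) { return entry | PG_USER; }

/* Physical frame address an entry points at. */
uint32_t entry_frame(uint32_t entry) { return entry & PG_FRAME_MASK; }

int main(void)
{
    /* Constructed kernel-space mapping: present, writable, accessed,
       dirty, global, supervisor-only at both levels. */
    uint32_t va  = 0x80001000u;
    uint32_t pde = 0x00123063u;
    uint32_t pte = 0x00456163u;

    printf("PDE for %08x lives at %08x, PTE at %08x\n",
           va, pde_address_for(va), pte_address_for(va));
    printf("user access before: %d\n", user_accessible(pde, pte));
    printf("PTE only: %d\n", user_accessible(pde, grant_user_access(pte)));
    printf("PDE+PTE: %d\n",
           user_accessible(grant_user_access(pde), grant_user_access(pte)));
    printf("frame: %08x\n", entry_frame(pte));
    return 0;
}
```

The PDE requirement is the catch: a kernel PDE with U/S set exposes the entire 4 MB range that directory entry covers to every user-mode process, which is the "illusion of security" objection above, and any such change is invisible to the CPU until the stale translation is flushed (invlpg on the affected address, since kernel pages are usually marked global and survive a CR3 reload). PAE systems use 64-bit entries and a different self-map, so these addresses do not apply there.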