Hi all,

I just finished my first Kernel Mode Driver that does something useful (PsSetCreateProcessNotifyRoutine), using Four-F's KMDKIT package, and I'm stoked!

Forgive my excitement, I just had to tell someone. :)

Thanks Four-F for the tutorials and kit for masm, you're the man!, or woman, whichever the case may be.


packetvb
Posted on 2004-07-28 02:19:59 by packetvb
I'm sorry... but do you have a license to be excited? I sure don't see one in your signature.

Damn loose cannons. :D

Congratulations, anyhow.
Posted on 2004-07-28 06:41:32 by The Beginner
Originally posted by packetvb
Thanks Four-F for the tutorials and kit for masm, you're the man!, or woman, whichever the case may be.
A woman? No! I'm not even a girl ;)
Anyway, you are welcome!
Posted on 2004-07-28 08:33:22 by Four-F
packetvb, do you handle process create notification in the driver, or do you send on the notification to a usermode process? :)

Anyway, it might be nice to see what you've come up with, post code :p
Posted on 2004-07-28 08:37:57 by f0dder
Hi,

I must admit I was thinking of sending a thank you to Four-F recently as well... Not to embarrass the poor guy or anything but.. :)

I've been coding KMDs in Masm since the tuts came out, VxDs before that, but recently I switched to Visual C for driver programming. I have to admit to *much* preferring C/C++ over Masm for writing drivers, though I'd probably never code a GUI in it.

It was while I was struggling with the C/C++ syntax, typecasting and compiler, pretty much my first experience with it, on top of developing a C driver skeleton, when I realized how thankful I was that Four-F's tuts had taught me the basics and more of driver programming in general. I'm grateful in that it made the transition to C driver writing surprisingly painless ;)

Some may not know that Four-F has at least 12 KMD tutorials, in Russian except for the first 5, search and ye shall find. A translation isn't necessary, the code speaks volumes. The information on using Lookaside Lists for allocating small blocks of memory is an especially useful driver programming technique to learn.

Keep up the good work, and yes I too encourage the posting of interesting driver code...

Regards,
Kayaker
Posted on 2004-07-28 16:07:45 by Kayaker
No need to search, the page that houses the English versions of the KMD (http://www.masmforum.com/website/tutorials/kmdtute/index.html) contains a link to the Russian versions: http://wasm.ru/

Maybe that'll save you some time.
Spara
Posted on 2004-07-28 18:06:33 by SowWn
WARNING: The following text may contain spelling and/or grammatical errors. I rely on spellcheck which this computer doesn't have. :grin:


f0dder

packetvb, do you handle process create notification in the driver, or do you send on the notification to a usermode process?

Anyway, it might be nice to see what you've come up with, post code :p


It's handled in the driver and an event is set to notify usermode processes that data is ready.
I didn't think it was possible to use a proc in a usermode process for a callback in a driver. Am I mistaken?

I looked a lot at how ProcObsrv in C by Ivo Ivanov was done for doing this one. So I guess it could be considered partly a translation from C to masm. Definitely got a better understanding of drivers than I did by doing it.

Also, I'm having a problem with the executable. I'm doing something wrong and I just can't seem to locate the bug. I currently have a B.S. messagebox before I do OpenProcess. If I remove this msgbox then the messagebox that shows the name of the process that started fails to show. Can anyone tell me what I'm doing wrong here?

My next project is a bit more challenging, I want to hook NtCreateProcess so I can block certain programs from executing. Anyone got pointers for this? I've already read up on how to get NativeID from Api address and Descriptor table.

Thanks

Packetvb

Oh yea, don't beat me up too bad on my coding as I still consider myself a novice. :)
Posted on 2004-07-29 01:30:47 by packetvb
Whoops, forgot the source.

packetvb
Posted on 2004-07-29 01:33:00 by packetvb
Keeping with my last post.

I have been looking at invisibility driver source by yoda and I think I'm not understanding something correctly.
The native api ID is supposed to be an index into the function address chain of Service Descriptor Table.
So does this mean the address to overwrite is the address of the descriptor table + (nativeapiID * (16)).

packetvb
Posted on 2004-07-29 09:37:33 by packetvb
I'm not quite sure, since I only had a brief look at your source, but... At the moment you are signalling the event you are in the early stage of process creation. Your user mode thread may be awakened too early - the process creation may still be incomplete. So EnumProcessModules may fail.

Funny thing. Today I've finished the 14th article in which I do exactly the same - monitoring process creation/destruction. I hope it will be published on wasm.ru next week. I've attached it (without sources, sorry, wait for the article release, please).
Posted on 2004-07-29 11:35:37 by Four-F
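An added illustration of the design packetvb describes (callback in the driver, event signalled to user mode) and of Four-F's timing caveat; it is not packetvb's attached source nor code from Four-F's article. Assumptions: g_pEvent is filled by an IOCTL handler that is not shown, and the user-mode reader retries its lookups because the callback fires before the new process is fully initialised.

```masm
.386
.model flat, stdcall
option casemap:none
include \masm32\include\w2k\ntddk.inc
include \masm32\include\w2k\ntoskrnl.inc
includelib \masm32\lib\w2k\ntoskrnl.lib

.data
; Assumed: an IOCTL handler (not shown) stores here the PKEVENT obtained
; from the user-mode event handle via ObReferenceObjectByHandle.
g_pEvent        PVOID   NULL
g_hParentId     HANDLE  0       ; parent PID of the last notification
g_hProcessId    HANDLE  0       ; PID being created or destroyed
g_bCreate       BOOLEAN FALSE   ; TRUE on creation, FALSE on exit

.code
; Runs at PASSIVE_LEVEL in the creating thread, early in process creation:
; the image may not be mapped yet, so the user-mode reader woken by the
; event must expect OpenProcess/EnumProcessModules to fail and retry briefly.
ProcessNotifyRoutine proc hParentId:HANDLE, hProcessId:HANDLE, bCreate:BOOLEAN
    mov eax, hParentId
    mov g_hParentId, eax
    mov eax, hProcessId
    mov g_hProcessId, eax
    mov al, bCreate
    mov g_bCreate, al
    .if g_pEvent != NULL
        invoke KeSetEvent, g_pEvent, 0, FALSE   ; Increment 0, Wait FALSE
    .endif
    ret
ProcessNotifyRoutine endp

DriverUnload proc pDriverObject:PDRIVER_OBJECT
    ; Remove = TRUE, otherwise the kernel keeps calling unloaded code
    invoke PsSetCreateProcessNotifyRoutine, offset ProcessNotifyRoutine, TRUE
    .if g_pEvent != NULL
        invoke ObDereferenceObject, g_pEvent
    .endif
    ret
DriverUnload endp

DriverEntry proc pDriverObject:PDRIVER_OBJECT, pusRegistryPath:PUNICODE_STRING
    mov eax, pDriverObject
    mov (DRIVER_OBJECT PTR [eax]).DriverUnload, offset DriverUnload
    ; Remove = FALSE registers; eax then holds the NTSTATUS we return
    invoke PsSetCreateProcessNotifyRoutine, offset ProcessNotifyRoutine, FALSE
    ret
DriverEntry endp
public DriverEntry
end
```

The user-mode side waits on the event, reads the PIDs through the driver's IOCTL interface, and treats a failed OpenProcess or EnumProcessModules as "not ready yet" rather than as an error.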
packetvb: I find the service descriptor table and such quite interesting too, do you know where to get documentation of it? I guess it won't be on MSDN, but maybe in some article or (e)book?
Posted on 2004-07-29 15:59:40 by Mbee
Hi Four-F,

Why do you write tutorials in Russian instead of English?
Many more people could benefit from it if they were written in English.
Posted on 2004-07-29 17:51:39 by Mikky

Many more people could benefit from it if they were written in English

Four-F writes in both languages, IMHO in Russian first:
1. 'Cause it's easier to write for him since it's his native language.
2. Might be he cares firstly about Russians who can not benefit from it if it's written only in English.

As to me, I stopped writing about Opcodes, logic and math in English after a couple of people here explicitly said that they didn't like my English. Get my point the right way - I didn't get offensive, but on one hand there were lots of Russians who asked me why I didn't write it in Russian, for they'd rather have it in a more comprehensible language for them; on the other hand I couldn't satisfy the request for better English for English speakers anyway; and thirdly it took lots more time for article output, and for the above it seemed to me that the effort wasn't worth the outcome. It's IMHO, Four-F can speak for himself, yet knowing him I can say that he already is doing additional work to get the articles out in English, so there is no reason to hurry him up - he's already doing what he can.

Four-F
It doesn't work in NT 4.0.
GetLongPathNameA is absent in kernel32.dll in NT 4.0
Posted on 2004-07-30 03:45:01 by The Svin
Originally posted by Mikky
Hi Four-F,
Why do you write tutorials in Russian instead of English?
Many more people could benefit from it if they were written in English.

Mikky, you know I'm Russian. So, my Russian is much better than my English :) Even considering that, writing the articles in my native language takes me a lot of time. And this is the only reason why I don't write in English. I've translated the first five articles and should say it was the hardest work I've ever done. The 6th and 7th articles were translated by masquer. The 6th can be found here: http://www.freewebs.com/four-f/index.htm The 7th will be published soon. Unfortunately I promise nothing. I don't know who, when and how will translate the rest.

The Svin, I know it doesn't work on NT4. The driver also can't be loaded because IoIsWdmVersionAvailable is absent on NT4, as far as I know. I haven't planned to make it workable on this system. I'm sure it will not be so hard to port it to NT4. After reading the article, of course ;)
Posted on 2004-07-30 09:08:53 by Four-F
Hi Svin,
Well I don't agree with you.
First of all, if everyone were writing in their native language we could never accomplish this current level of knowledge that we all have here. This board would have much fewer members and we all would have much less knowledge. What would have happened if Iczelion's tutorials were written in his native language (assuming he is not a native English speaker)?
Secondly, anyone who wants to understand computers, to be part of or to have a career in the IT scene must learn English, that is the fact. Yea, surely I would like that my language is the no#1 language in the world and in IT, but it is not.
Finally, it's cool when someone writes a tutorial and publishes it for free, I appreciate and respect that effort especially when it really has quality and value like the 4F's tutorials, but the whole point of it is to share that knowledge with as many people as possible.

I think that people who said to you that your English sux don't really care about your tutorial or the knowledge in it. If they don't like it then they shouldn't read it, who cares about them anyway. My English is not perfect too but you do understand what I am writing here, don't you :). Probably we would understand each other in speaking English too, with no problem, since our Slavonic languages are alike and we have a similar accent :tongue:
I am not pushing anyone here, especially not people like Four-F and other great benefactors of this board (including you), it was just a suggestion.

Four-F, many thanks I'll check out 6th and 7th.
Posted on 2004-07-30 16:54:49 by Mikky
Originally posted by Mikky
Hi Svin,
Well I don't agree with you.
First of all, if everyone were writing in their native language we could never accomplish this current level of knowledge that we all have here. This board would have much fewer members and we all would have much less knowledge. What would have happened if Iczelion's tutorials were written in his native language (assuming he is not a native English speaker)?
I believe someone would translate it into English. If the author doesn't want to write in English someone else should do the translation. Writing in your native language is much better as you can express everything you have to say much better (as a rule). If someone wants to make it available for the English speaking public he should translate it from the author's language to English. In this case it should be some English native speaker who knows Russian rather well to make a more or less proper translation.
Secondly, anyone who wants to understand computers, to be part of or to have a career in the IT scene must learn English, that is the fact.
Well, the reality is that a lot of Russians working in IT know English enough to read manuals, but nevertheless prefer Russian over English if there is a possibility.
Finally, it's cool when someone writes a tutorial and publishes it for free, I appreciate and respect that effort especially when it really has quality and value like the 4F's tutorials, but the whole point of it is to share that knowledge with as many people as possible.
Writing articles is rather hard. Writing them in a non-native language is even harder. To write you have to make much more effort than to read. Personally I prefer there to be more articles written by Four-F in Russian than fewer in English :). But you have a point. Why don't you learn Russian (it is Slavonic - it shouldn't be too hard for you) and translate to English? It is not as good as a translation by a native English speaker but it is better than nothing.
Posted on 2004-07-31 03:34:19 by Aquila
WARNING: The following text may contain spelling and/or grammatical errors. I rely on spellcheck which this computer doesn't have. :)

Hello Again.

The Svin, it's very rude that someone would bash you on your English. I think you speak it pretty well. :)
Please don't be discouraged by aholes.

Four-F, appreciate the translations to English. I know it's a lot of work and you receive nothing in return besides praise and the appreciation from the members here. Again, you da man.

xlifewirex,
Look at Invisibility by yoda. I think Iczelion's webpage has it. He gives enough info.

As of now, I'm stoked x 2. I successfully hooked NtCreateProcess. :alright:

Cheers all.

Packetvb
Posted on 2004-07-31 03:34:21 by packetvb
astalavista babblefish translates your tutorials pretty damn well four-f, unfortunately wasm.ru is down for me :(.
Posted on 2004-07-31 17:02:59 by archphase
Originally posted by archphase
astalavista babblefish translates your tutorials pretty damn well four-f
It's very good :)

Originally posted by archphase
unfortunately wasm.ru is down for me :(.
It's very bad :(
Posted on 2004-08-01 10:26:21 by Four-F