Hey guys I'm new here and I had a simple question.
Is there some way of calling RtlCreateProcessParameters() (or any other Rtl* functions for that matter) from a kernel mode driver or must it be self-simulated?
Is there some way of calling RtlCreateProcessParameters() (or any other Rtl* functions for that matter) from a kernel mode driver or must it be self-simulated?
Most of the Rtl functions internally make calls to Zw functions with similar names and params.
Following these, you'll invariably land at an "int 2e" which is a bridge for userland processes to call kernel code.
You'll have to be VERY careful with your parameter checking, should you choose to trap this interrupt on the kernel side.
Following these, you'll invariably land at an "int 2e" which is a bridge for userland processes to call kernel code.
You'll have to be VERY careful with your parameter checking, should you choose to trap this interrupt on the kernel side.
So essentially I would go through its disassembled code and rewrite any user code I find (delving a bit deeper to rewrite some of the Rtl functions it uses) to run in the kernel.