Hooking DeviceIoControl is a common way to intercept information fetched from drivers, such as the disk driver (disk.sys) for disk information or the network driver (ndis.sys) for adapter information. These driver objects can be manipulated directly in memory (direct kernel object modification) for any number of reasons, but the specific technique this article revolves around is the modification of the major function IRP_MJ_DEVICE_CONTROL, known as the I/O handler. One common integrity check is the verification of individual driver objects; it exists to make sure that the operating system's core functionality has not been tampered with. Ensuring system integrity is an important part of software security products such as anti-cheats or anti-viruses.
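As an added example (not code from the article), here is a user-mode C model of the driver-object check described above: it verifies that each entry of a driver object's MajorFunction table, IRP_MJ_DEVICE_CONTROL included, points either into the driver's own image (DriverStart/DriverSize) or at the I/O manager's default routine. The struct is a stand-in for the real DRIVER_OBJECT, and all addresses, including the default-routine value, are constructed sample data.

```c
#include <stdbool.h>
#include <stdint.h>
/* User-mode model of the DRIVER_OBJECT fields the check needs; uintptr_t
   stands in for the real PDRIVER_DISPATCH pointers (assumption for this demo). */
#define IRP_MJ_DEVICE_CONTROL   0x0e
#define IRP_MJ_MAXIMUM_FUNCTION 0x1b

typedef struct {
    uintptr_t DriverStart;   /* base address of the driver's mapped image */
    uintptr_t DriverSize;    /* size of that image in bytes */
    uintptr_t MajorFunction[IRP_MJ_MAXIMUM_FUNCTION + 1];
} MODEL_DRIVER_OBJECT;

/* An entry is acceptable if it points inside the driver's own image or at
   the I/O manager's default routine (the kernel fills entries a driver never
   set with that routine, which lives outside the driver image). */
bool dispatch_entry_ok(const MODEL_DRIVER_OBJECT *drv, unsigned major,
                       uintptr_t io_default_handler)
{
    if (major > IRP_MJ_MAXIMUM_FUNCTION) return false;
    uintptr_t target = drv->MajorFunction[major];
    if (target == io_default_handler) return true;
    return target >= drv->DriverStart &&
           target < drv->DriverStart + drv->DriverSize;
}

/* Scans the whole table; bit n of the result is set when IRP_MJ n is backed
   by neither the driver image nor the default routine. */
uint32_t scan_dispatch_table(const MODEL_DRIVER_OBJECT *drv,
                             uintptr_t io_default_handler)
{
    uint32_t findings = 0;
    for (unsigned i = 0; i <= IRP_MJ_MAXIMUM_FUNCTION; i++)
        if (!dispatch_entry_ok(drv, i, io_default_handler))
            findings |= 1u << i;
    return findings;
}

/* Builds a constructed object: every entry holds the default routine except
   IRP_MJ_DEVICE_CONTROL, which is set to dev_ctl (sample data, not real). */
MODEL_DRIVER_OBJECT make_model(uintptr_t base, uintptr_t size,
                               uintptr_t io_default_handler, uintptr_t dev_ctl)
{
    MODEL_DRIVER_OBJECT d = { base, size, {0} };
    for (unsigned i = 0; i <= IRP_MJ_MAXIMUM_FUNCTION; i++)
        d.MajorFunction[i] = io_default_handler;
    d.MajorFunction[IRP_MJ_DEVICE_CONTROL] = dev_ctl;
    return d;
}
```

In a live kernel the same comparison runs against the real DRIVER_OBJECT, with the default-routine address taken from the running kernel rather than hard-coded.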