Hello,
I am trying to hot-patch certain functions from ndis.sys. As a starting point I used
sebek's hooking code which seems to work for NDIS <5 or <6. Here is (roughly)
what the code looks like:
ndis_base = find_system_dll():
    ZwQuerySystemInformation to find the base address of the system module of interest
print_export(ndis_base):
    parse/search/print NT header-data dictionary for the address of the function of interest
hook_functions(ndis_base, "NdisSendNetBufferLists"):
    parse/search/modify NT header-data dictionary for the address of the function of interest
print_export(ndis_base):
    parse/search/print NT header-data dictionary for the address of the function of interest
In action:
[hooking] find_system_dll: NDIS.sys; base = 0x88883000; size = 0xb7000
[hooking] print_export: function NdisSendNetBufferLists is @ 0x888ebc2a
[hooking] print_export: function NdisMSendNetBufferListsComplete is @ 0x888ebe66
[hooking] hook_ndis: NdisSendNetBufferLists: old: 0x888e8c2a new: 0x94b07170
[hooking] hook_ndis: NdisMSendNetBufferListsComplete: old: 0x888e8e66 new: 0x94b071c0
[hooking] print_export: function NdisSendNetBufferLists is @ 0x94b07170
[hooking] print_export: function NdisMSendNetBufferListsComplete is @ 0x94b071c0
Later on, if NdisSendNetBufferLists is called, the old address of 0x888ebc2a can be seen in windbg:
kd> g
Breakpoint 7 hit
ndis!NdisSendNetBufferLists:
888ebc2a 8bff mov edi,edi
Why does this not work?
Thanks in advance!
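As an added example (not the poster's code and not sebek's), the lookup-and-patch the post outlines, written against a constructed PE32 image in memory rather than the live ndis.sys: get_export walks the export directory by name the way print_export does, and hook_export overwrites the AddressOfFunctions slot the way hook_functions does. It also keeps a pointer resolved from the export table before the patch, standing in for an import slot that the loader filled when a calling driver was loaded; the loader resolves imports once at load time, so a later write to the exporter's export directory changes only future lookups and leaves that already-bound slot pointing at the original code. The function names, the image layout (headers at 0, export directory at 0x200, "functions" at 0x800/0x900, "hook" at 0xC00) and the two export names are assumptions made for the example; the image assumes RVA == offset from base, as for a mapped driver image.

```c
/* Added example, not code from the post: export-directory lookup/patch on a
 * constructed, in-memory PE32 image. Assumes the image is mapped the way the
 * loader maps it (RVA == offset from base) and PE32 (32-bit) header layout. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#pragma pack(push, 1)
typedef struct { uint16_t e_magic; uint8_t pad[58]; uint32_t e_lfanew; } DosHeader; /* e_lfanew at 0x3C */
typedef struct { uint32_t VirtualAddress, Size; } DataDir;
typedef struct {
    uint32_t Signature;          /* 'PE\0\0' */
    uint8_t  FileHeader[20];
    uint16_t Magic;              /* 0x10b for PE32 */
    uint8_t  opt_rest[94];       /* optional-header fields before the data directories */
    DataDir  DataDirectory[16];  /* [0] is the export directory */
} NtHeaders32;
typedef struct {
    uint32_t Characteristics, TimeDateStamp;
    uint16_t MajorVersion, MinorVersion;
    uint32_t Name, Base, NumberOfFunctions, NumberOfNames;
    uint32_t AddressOfFunctions, AddressOfNames, AddressOfNameOrdinals;
} ExportDir;
#pragma pack(pop)

/* Pointer to the AddressOfFunctions slot for `name`, or NULL if not exported. */
static uint32_t *export_slot(uint8_t *base, const char *name)
{
    DosHeader *dos = (DosHeader *)base;
    if (dos->e_magic != 0x5A4D) return NULL;                      /* 'MZ' */
    NtHeaders32 *nt = (NtHeaders32 *)(base + dos->e_lfanew);
    if (nt->Signature != 0x00004550 || nt->Magic != 0x10b) return NULL;
    uint32_t exp_rva = nt->DataDirectory[0].VirtualAddress;
    if (exp_rva == 0) return NULL;                                /* module exports nothing */
    ExportDir *ed   = (ExportDir *)(base + exp_rva);
    uint32_t *funcs = (uint32_t *)(base + ed->AddressOfFunctions);
    uint32_t *names = (uint32_t *)(base + ed->AddressOfNames);
    uint16_t *ords  = (uint16_t *)(base + ed->AddressOfNameOrdinals);
    for (uint32_t i = 0; i < ed->NumberOfNames; i++) {
        if (strcmp((const char *)(base + names[i]), name) == 0) {
            uint16_t ord = ords[i];              /* index into funcs (already Base-relative) */
            if (ord >= ed->NumberOfFunctions) return NULL;
            return &funcs[ord];
        }
    }
    return NULL;
}

/* Resolve `name` to an absolute address (what print_export in the post does); 0 if absent. */
uintptr_t get_export(uint8_t *base, const char *name)
{
    uint32_t *slot = export_slot(base, name);
    return slot ? (uintptr_t)base + *slot : 0;
}

/* Rewrite the export RVA so later lookups return `new_addr`; returns the old address. */
uintptr_t hook_export(uint8_t *base, const char *name, uintptr_t new_addr)
{
    uint32_t *slot = export_slot(base, name);
    if (!slot) return 0;
    uintptr_t old = (uintptr_t)base + *slot;
    *slot = (uint32_t)(new_addr - (uintptr_t)base);               /* RVA: must lie within 4 GiB of base */
    return old;
}

/* Constructed image (assumed layout): headers at 0, export dir at 0x200, tables at 0x300.. */
static uint8_t image[0x1000];

uint8_t *build_image(void)
{
    memset(image, 0, sizeof image);
    DosHeader *dos = (DosHeader *)image;
    dos->e_magic = 0x5A4D; dos->e_lfanew = 0x40;
    NtHeaders32 *nt = (NtHeaders32 *)(image + 0x40);
    nt->Signature = 0x00004550; nt->Magic = 0x10b;
    nt->DataDirectory[0].VirtualAddress = 0x200; nt->DataDirectory[0].Size = 0x100;
    ExportDir *ed = (ExportDir *)(image + 0x200);
    ed->Base = 1; ed->NumberOfFunctions = 2; ed->NumberOfNames = 2;
    ed->AddressOfFunctions = 0x300; ed->AddressOfNames = 0x320; ed->AddressOfNameOrdinals = 0x340;
    uint32_t *funcs = (uint32_t *)(image + 0x300);
    uint32_t *names = (uint32_t *)(image + 0x320);
    uint16_t *ords  = (uint16_t *)(image + 0x340);
    funcs[0] = 0x800; funcs[1] = 0x900;                           /* RVAs of the two "functions" */
    names[0] = 0x400; names[1] = 0x420; ords[0] = 1; ords[1] = 0; /* name table sorted, as in real PEs */
    strcpy((char *)image + 0x400, "NdisMSendNetBufferListsComplete");
    strcpy((char *)image + 0x420, "NdisSendNetBufferLists");
    return image;
}

int main(void)
{
    uint8_t *base = build_image();
    /* Stand-in for a caller's import slot, filled by the loader before the patch. */
    uintptr_t bound = get_export(base, "NdisSendNetBufferLists");
    uintptr_t old = hook_export(base, "NdisSendNetBufferLists", (uintptr_t)base + 0xC00);
    printf("export now %#lx, old %#lx, previously bound import still %#lx\n",
           (unsigned long)get_export(base, "NdisSendNetBufferLists"),
           (unsigned long)old, (unsigned long)bound);
    return bound == old ? 0 : 1;
}
```

Running it prints the patched export address alongside the unchanged bound pointer, which is the same pattern as the post's log: print_export reports the new address while the call that actually executes still lands on the original function.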