[FrankoooEFC]

am really in need of help because i can't think about it anymore , am not trying to ssdt hook this time. but what i want to do is to hook a function with iat hooking so it can execute my code then return it back to what it was. i got 2 problems atm

1 - is there is any kind of iat hooking example for kernel mode , because i haven't seen any examples over the internet.

2 - how could i pass ioctl code back and forth to my usermode app without creating a device object so i know i need to open a handle like for ex : (.\\.\mydrivernamehere) but is there is any other way of doing that .

thanks in advance hope that someone would explain this to me

[Vrtule]

Hello,

1 - is there is any kind of iat hooking example for kernel mode , because i haven't seen any examples over the internet.

well, drivers are stored as PE files, so IAT hooking should work the same way as in usermode.

2 - how could i pass ioctl code back and forth to my usermode app without creating a device object so i know i need to open a handle like for ex : (.\\.\mydrivernamehere) but is there is any other way of doing that .

You can communicate without IOCTLs but it is more difficult to implement. For example, you can use shared memory (section/filemapping objects) to exchange data. IOCTLs are probably the easiest thing.

Alternatively, you can create a device object for driver object not belonging to you driver and hook necessary IRP dispatch routines of that driver. But Patchguard will not be happy with this in some cases.

[FrankoooEFC]

thanks i guess i will go with sharedmem then :(