Kernel API hooking
Posted on 2009-04-21
I need to write something like an antivirus, but designed to protect a single application. I need to create a system-wide function hook via a kernel driver (I'm not interested in methods such as global DLL injection etc., as they're not safe enough). Unfortunately, I'm not able to find anything about it on Google... not even a single example of hooking a single function. My point is to hook functions such as Read/WriteProcessMemory.
I've heard about a few methods of hooking via a kernel driver. Some of them mean patching the target function in all applications (like we would do using DLL injection) and some of them require patching just a single address in the call table (but I couldn't find any examples for this one). I need a reliable method of hooking which won't miss even a single call, and as far as I know, the second one I've mentioned would be the best.
But well, my knowledge of this subject is horrible and that's why I'm asking. Probably there are better ways to achieve it and I'd be thankful for any directions.
So, summarizing, I need some examples (preferably C++) of how to hook functions from a kernel driver and some directions on what the best way to do it is :) Support for Win 2k is not obligatory; XP and Vista are just fine :)
If something is unclear, feel free to ask :) Thanks in advance for your help.
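Added illustration (editor's example, not part of the original post or of any reply): a plain user-mode C model of the "patch a single address in the call table" approach the question describes. The table, the two service routines and the per-process memory below are constructed stand-ins for the SSDT, the kernel's Nt* routines and real address spaces, so nothing here touches a real kernel; the status values are modelled on NTSTATUS codes but are defined locally. What it shows is the mechanism: save the original pointer, swap in a wrapper that enforces a policy and forwards the rest, restore on unhook, and the property the poster is after, that every call routed through the dispatcher is seen by the hook. It also shows the caveat: a caller that reaches the routine without going through the table is not seen. On a real XP x86 system the SSDT is read-only until write protection is cleared, and x64 Vista's Kernel Patch Protection (PatchGuard) treats SSDT modification as a fatal patch, which matters for the "XP and Vista" target.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Status codes modelled on NTSTATUS values (local definitions, not ntddk.h). */
typedef long ntstatus_t;
#define STATUS_SUCCESS        0L
#define STATUS_ACCESS_DENIED  ((ntstatus_t)0xC0000022L)
#define STATUS_INVALID_PARAM  ((ntstatus_t)0xC000000DL)

/* Service routine signature: caller pid, target pid, buffer, length. */
typedef ntstatus_t (*service_fn)(uint32_t caller, uint32_t target,
                                 unsigned char *buf, size_t len);

enum { SVC_READ_MEMORY = 0, SVC_WRITE_MEMORY = 1, SVC_COUNT = 2 };
enum { MAX_PID = 4, MEM_SIZE = 16 };

/* Constructed "process memory": one small page per pid. */
static unsigned char process_memory[MAX_PID][MEM_SIZE];

/* The real routines, standing in for the kernel's Nt* functions. */
static ntstatus_t real_read_memory(uint32_t caller, uint32_t target,
                                   unsigned char *buf, size_t len)
{
    (void)caller;
    if (target >= MAX_PID || len > MEM_SIZE) return STATUS_INVALID_PARAM;
    memcpy(buf, process_memory[target], len);
    return STATUS_SUCCESS;
}

static ntstatus_t real_write_memory(uint32_t caller, uint32_t target,
                                    unsigned char *buf, size_t len)
{
    (void)caller;
    if (target >= MAX_PID || len > MEM_SIZE) return STATUS_INVALID_PARAM;
    memcpy(process_memory[target], buf, len);
    return STATUS_SUCCESS;
}

/* The call table: service index -> routine, as the SSDT maps a service number. */
static service_fn service_table[SVC_COUNT] = { real_read_memory, real_write_memory };

/* The dispatcher: every call entering by the "syscall" path goes through here. */
ntstatus_t dispatch(unsigned svc, uint32_t caller, uint32_t target,
                    unsigned char *buf, size_t len)
{
    if (svc >= SVC_COUNT) return STATUS_INVALID_PARAM;
    return service_table[svc](caller, target, buf, len);
}

static service_fn saved_write;   /* original pointer: used to forward and to unhook */
static uint32_t protected_pid;
static unsigned blocked;

static ntstatus_t hooked_write_memory(uint32_t caller, uint32_t target,
                                      unsigned char *buf, size_t len)
{
    /* Policy: only the protected process may write its own memory. */
    if (target == protected_pid && caller != protected_pid) {
        blocked++;
        return STATUS_ACCESS_DENIED;
    }
    return saved_write(caller, target, buf, len);   /* forward everything else */
}

int hook_install(uint32_t pid)
{
    if (saved_write != NULL) return -1;   /* double-hooking would lose the original pointer */
    protected_pid = pid;
    saved_write = service_table[SVC_WRITE_MEMORY];
    service_table[SVC_WRITE_MEMORY] = hooked_write_memory;  /* the single-pointer swap */
    return 0;
}

int hook_remove(void)
{
    if (saved_write == NULL) return -1;
    service_table[SVC_WRITE_MEMORY] = saved_write;
    saved_write = NULL;
    return 0;
}

unsigned blocked_count(void) { return blocked; }
const unsigned char *memory_of(uint32_t pid) { return process_memory[pid]; }

/* Runs the scenario; returns 0 when every expectation held, else the failing step. */
int run_scenario(void)
{
    unsigned char payload[4] = { 0xCC, 0xCC, 0xCC, 0xCC };  /* e.g. an int3 patch */
    unsigned char out[4];
    memset(process_memory, 0, sizeof process_memory);

    /* Unhooked: pid 1 may overwrite pid 2. */
    if (dispatch(SVC_WRITE_MEMORY, 1, 2, payload, 4) != STATUS_SUCCESS) return 1;
    if (process_memory[2][0] != 0xCC) return 2;

    memset(process_memory, 0, sizeof process_memory);
    if (hook_install(2) != 0) return 3;
    /* Hooked: a write from pid 1 into pid 2 is denied and memory stays untouched. */
    if (dispatch(SVC_WRITE_MEMORY, 1, 2, payload, 4) != STATUS_ACCESS_DENIED) return 4;
    if (process_memory[2][0] != 0) return 5;
    /* Writes to an unprotected process and self-writes still forward; reads are unaffected. */
    if (dispatch(SVC_WRITE_MEMORY, 1, 3, payload, 4) != STATUS_SUCCESS) return 6;
    if (dispatch(SVC_WRITE_MEMORY, 2, 2, payload, 4) != STATUS_SUCCESS) return 7;
    if (dispatch(SVC_READ_MEMORY, 1, 2, out, 4) != STATUS_SUCCESS || out[0] != 0xCC) return 8;

    /* Caveat: reaching the routine without the table bypasses the hook entirely. */
    memset(process_memory[2], 0, MEM_SIZE);
    if (real_write_memory(1, 2, payload, 4) != STATUS_SUCCESS) return 9;
    if (process_memory[2][0] != 0xCC) return 10;

    if (hook_remove() != 0) return 11;
    if (dispatch(SVC_WRITE_MEMORY, 1, 2, payload, 4) != STATUS_SUCCESS) return 12;
    return 0;
}

int main(void)
{
    printf("scenario result %d, blocked calls %u\n", run_scenario(), blocked_count());
    return 0;
}
```

The double-hook refusal in hook_install and the restore in hook_remove are the two things most often missing from hobby SSDT hooks: overwriting a table entry twice without saving the current value chains into the wrong pointer, and unloading the driver with the hook still installed leaves the table pointing at freed code.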