Thread Barrier on KiSwapContext

May 5, 2009 at 10:07 AM

Seems that the thread deadlock barrier does not work while removing hooks on KiSwapContext. How to solve this issue?


May 5, 2009 at 12:17 PM
Well the thread deadlock barrier is only for protecting hooks, not to remove them. What are you trying to do?
May 5, 2009 at 12:40 PM
Edited May 5, 2009 at 12:41 PM
I hooked KiSwapContext for fun. But EasyHook can't remove the hook. Another question: can I hook KiSystemService with EasyHook?
May 5, 2009 at 2:30 PM
> But EasyHook can't remove the hook.

EasyHook is only able to remove a hook if no other thread is accessing it. Especially in kernel mode the hook cannot be removed atomically because it is always larger than a native integer. In kernel mode there is no easy way to "suspend" all other threads, and since KiSwapContext is called on every thread switch, that is, it is being called all the time, there is simply no way to remove it in any secure way. Just leave the hook as it is, remember that you already have a hook for this function and reuse it the next time instead of applying another one...

I know this guy "KiSystemService" from old times, but now I have no idea what it is... If it is a usual method and you know the calling convention, you will surely be able to hook it!