EasyHook kernel mode newbie

Oct 23, 2009 at 4:29 PM

Hi all,

I have started playing with the kernel mode example in the EasyHookSys.sln/TestDriver project. The first thing I did was to set up windbg , then I modified the function RunTestSuite in file testsuite.c to add some print statements as follows (prefixed with >>) -

1)

NTSTATUS RunTestSuite()
{
    HOOK_TRACE_INFO     hHook = { NULL };
    NTSTATUS            NtStatus;
    ULONG               ACLEntries[1] = {0};
    UNICODE_STRING      SymbolName;
    KTIMER              Timer;
    BOOLEAN             HasInterface = FALSE;
    PFILE_OBJECT        hEasyHookDrv;

    FORCE(EasyHookQueryInterface(EASYHOOK_INTERFACE_v_1, &Interface, &hEasyHookDrv));

    HasInterface = TRUE;

>>  DbgPrint(("entering runtestsuite\n"));

................

2)

BOOLEAN KeCancelTimer_Hook(PKTIMER InTimer)
{
    PVOID               CallStack[64];
    MODULE_INFORMATION  Mod;
    ULONG               MethodCount;

>>  DbgPrint(("entering hooked KeCancelTimer\n"));

    Interface.LhBarrierPointerToModule(0, 0);

    Interface.LhBarrierCallStackTrace(CallStack, 64, &MethodCount);

    Interface.LhBarrierGetCallingModule(&Mod);

    return KeCancelTimer(InTimer);
}

When I run the project UnmanagedHook in the examples directory, I get the following printout -

entering runtestsuite

Whereas I was expecting -

entering runtestsuite

entering hooked KeCancelTimer

Moreover, when I run the UnmanagedHook project again, no further printout occurs. I would be interested in the reason behind this. Note that I haven't changed anything in the code but the print statements.

Thanks in advance

Niladri Bose