EasyHook kernel mode newbie

Oct 23, 2009 at 4:29 PM

Hi all,

I have started playing with the kernel mode example in the EasyHookSys.sln/TestDriver project. The first thing I did was to set up WinDbg, then I modified the function RunTestSuite in file testsuite.c to add some print statements as follows (prefixed with >>):


NTSTATUS RunTestSuite()
{
    HOOK_TRACE_INFO         hHook = { NULL };
    NTSTATUS                NtStatus;
    ULONG                   ACLEntries[1] = {0};
    UNICODE_STRING          SymbolName;
    KTIMER                  Timer;
    BOOLEAN                 HasInterface = FALSE;
    PFILE_OBJECT            hEasyHookDrv;

    FORCE(EasyHookQueryInterface(EASYHOOK_INTERFACE_v_1, &Interface, &hEasyHookDrv));

    HasInterface = TRUE;

>>  DbgPrint (("entering runtestsuite\n"));

    /* ... rest of RunTestSuite unchanged ... */
}

BOOLEAN KeCancelTimer_Hook(PKTIMER InTimer)
{
    PVOID                   CallStack[64];
    ULONG                   MethodCount;

>>  DbgPrint (("entering hooked KeCancelTimer\n"));
    Interface.LhBarrierPointerToModule(0, 0);

    Interface.LhBarrierCallStackTrace(CallStack, 64, &MethodCount);

    return KeCancelTimer(InTimer);
}


When I run the project UnmanagedHook in the examples directory I get the following printout:


entering runtestsuite


Whereas I was expecting:


entering runtestsuite

entering hooked KeCancelTimer


Moreover, when I run the UnmanagedHook project again, no further printout occurs. I would be interested in the reason behind this. Note that I haven't changed anything in the code but the print statements.


Thanks in advance


Niladri Bose
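As an added illustration (not code from the post or from the EasyHook project), the block below shows the shape of the debug-print calls and the hook callback in the post in a user-mode harness that can be compiled and run without the WDK. DbgPrint here is a constructed stand-in that keeps the real function's variadic signature but writes into a buffer; the KdPrint macro is written the way the WDK defines it, which is why it takes double parentheses and prints nothing in a free (non-DBG) build. KeCancelTimer, KTIMER and the original function are constructed stubs. The point a practitioner wants to see is that DbgPrint(("...")) compiles only because a parenthesised string is a single argument, that DbgPrint with extra arguments needs single parentheses, and that KdPrint output silently vanishes unless DBG is defined.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the WDK's DbgPrint: same variadic shape
   (format string plus arguments), but output is captured in a buffer
   instead of going to the kernel debugger. */
static char   g_dbg_log[1024];
static size_t g_dbg_len;

unsigned long DbgPrint(const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(g_dbg_log + g_dbg_len, sizeof g_dbg_log - g_dbg_len, fmt, ap);
    va_end(ap);
    if (n > 0) {
        size_t room = sizeof g_dbg_log - g_dbg_len - 1;
        g_dbg_len += (size_t)n < room ? (size_t)n : room;
    }
    return 0;
}

/* KdPrint as the WDK defines it: the whole argument list is passed as ONE
   macro parameter (hence the double parentheses) and is forwarded to
   DbgPrint only when DBG is set; in a free build it expands to nothing. */
#if DBG
#define KdPrint(_x_) DbgPrint _x_
#else
#define KdPrint(_x_)
#endif

const char *dbg_log(void) { return g_dbg_log; }
void dbg_reset(void) { g_dbg_len = 0; g_dbg_log[0] = '\0'; }

/* Constructed stubs standing in for the kernel types and the original
   KeCancelTimer that the hook calls through to. */
typedef int BOOLEAN;
typedef struct { int cancelled; } KTIMER, *PKTIMER;

static BOOLEAN KeCancelTimer_original(PKTIMER t) { t->cancelled = 1; return 1; }

/* Hook callback in the shape of the post's KeCancelTimer_Hook: log, then
   call through to the original. */
BOOLEAN KeCancelTimer_Hook(PKTIMER InTimer)
{
    /* A single parenthesised string is still one argument, so this compiles. */
    DbgPrint(("entering hooked KeCancelTimer\n"));
    /* With a format argument the extra parentheses must go: written as
       DbgPrint(("timer %p\n", InTimer)) the inner part would be a comma
       expression yielding InTimer alone, not two arguments. */
    DbgPrint("timer %p\n", (void *)InTimer);
    /* Compiled out unless DBG is defined: never appears in the log here. */
    KdPrint(("checked-build only: %d\n", 42));
    return KeCancelTimer_original(InTimer);
}

/* Runs the hook once and reports whether the original ran and the
   unconditional DbgPrint line was captured. */
int run_demo(void)
{
    KTIMER t = {0};
    dbg_reset();
    KeCancelTimer_Hook(&t);
    return t.cancelled && strstr(dbg_log(), "entering hooked KeCancelTimer") != NULL;
}

int main(void)
{
    printf("demo ok: %d\n%s", run_demo(), dbg_log());
    return 0;
}
```

Build it once plainly and once with -DDBG=1 to see the KdPrint line appear only in the second case; that difference is the first thing to rule out whenever a kernel hook seems to fire without producing output.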