Sysinternals Homepage

[Kernel Driver] Get PspCreateThreadNotifyRoutine

Artur1338

    Posted: 11 August 2016 at 7:40pm

I am doing an anti-rootkit driver at the moment, so I want to remove some NotifyCallbacks from another driver.
So what I want to do is get the notify callback address and then unregister it.
For some reason on Windows 10 my method doesn't work and I get the wrong PspCreateThreadNotifyRoutine address and land in the LoadImageCallbackList.
Maybe one of you could give me a hint:

This is my code:
ULONG64 FindPspCreateThreadNotifyRoutine() {
     ULONG64        i = 0, pCheckArea = 0;
     UNICODE_STRING unstrFunc;
     RtlInitUnicodeString(&unstrFunc, L"PsSetCreateThreadNotifyRoutine");
     pCheckArea = (ULONG64)MmGetSystemRoutineAddress(&unstrFunc);
     DbgPrint("PsSetCreateThreadNotifyRoutine: %llx", pCheckArea);
     // Scan window of 0x200 bytes is an assumption; the post does not show the loop bounds.
     for (i = pCheckArea; i < pCheckArea + 0x200; i++) {
          if (*(PUCHAR)i == 0x48 && *(PUCHAR)(i + 1) == 0x8d && *(PUCHAR)(i + 2) == 0x0d) {   // lea rcx,[rip+disp32]
               LONG OffsetAddr = *(PLONG)(i + 3);   // signed disp32 follows the 3 opcode bytes
               return OffsetAddr + 7 + i;           // RIP-relative: displacement + address of the next instruction
          }
     }
     return 0;
}

void EnumCreateThreadNotify() {
     int     i = 0;
     ULONG64 NotifyAddr = 0, MagicPtr = 0;
     ULONG64 PspCreateThreadNotifyRoutine = FindPspCreateThreadNotifyRoutine();
     DbgPrint("PspCreateThreadNotifyRoutine: %llx", PspCreateThreadNotifyRoutine);
     if (PspCreateThreadNotifyRoutine == 0)
          return;
     // 64 slots (PSP_MAX_CREATE_THREAD_NOTIFY); the slot count is not given in the original post.
     for (i = 0; i < 64; i++) {
          MagicPtr   = PspCreateThreadNotifyRoutine + i * 8;
          NotifyAddr = *(PULONG64)MagicPtr;
          if (MmIsAddressValid((PVOID)NotifyAddr) && NotifyAddr != 0) {
               // Low 3 bits of the entry are a tag; the rest points to an _EX_CALLBACK_ROUTINE_BLOCK,
               // whose Function member sits at +8 (offset +0 is the rundown reference, not the callback).
               NotifyAddr = *(PULONG64)((NotifyAddr & 0xfffffffffffffff8) + 8);
               DbgPrint("CreateThreadNotify[%d]: %llx", i, NotifyAddr);
          }
     }
}

Regards Artur1338
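The step the post depends on is decoding the RIP-relative `lea rcx,[rip+disp32]` and deciding which match is the right one, since the first `lea rcx` after the exported function is not guaranteed to reference the array. The following is an added, user-mode example (not the poster's code, not real ntoskrnl bytes): it resolves every match in a byte window and lets the caller keep only targets inside an expected address range; the sample bytes, SAMPLE_BASE and the range limits are constructed assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Target of a RIP-relative "lea rcx,[rip+disp32]" (bytes 48 8D 0D disp32) located at
   instr_va. The instruction is 7 bytes long, so the displacement is relative to instr_va + 7. */
uint64_t lea_rcx_target(const uint8_t *p, uint64_t instr_va)
{
    int32_t disp;
    memcpy(&disp, p + 3, sizeof disp);   /* little-endian, signed */
    return instr_va + 7 + (int64_t)disp;
}

/* Scan 'len' bytes of code mapped at 'base'; store the target of every lea rcx,[rip+disp32]
   (up to 'max') in 'out' and return how many were found. Returning all matches instead of
   the first one is what lets a caller reject a candidate that points somewhere unexpected. */
size_t scan_lea_rcx(const uint8_t *code, size_t len, uint64_t base, uint64_t *out, size_t max)
{
    size_t n = 0;
    for (size_t i = 0; i + 7 <= len && n < max; i++) {
        if (code[i] == 0x48 && code[i + 1] == 0x8D && code[i + 2] == 0x0D) {
            out[n++] = lea_rcx_target(code + i, base + i);
            i += 6;                       /* skip the rest of this instruction */
        }
    }
    return n;
}

/* Keep only targets inside [lo, hi) (e.g. the range where the callback array is expected);
   compacts 'targets' in place and returns the surviving count. */
size_t keep_in_range(uint64_t *targets, size_t n, uint64_t lo, uint64_t hi)
{
    size_t kept = 0;
    for (size_t i = 0; i < n; i++)
        if (targets[i] >= lo && targets[i] < hi)
            targets[kept++] = targets[i];
    return kept;
}

/* Constructed sample bytes (not real ntoskrnl code), assumed mapped at SAMPLE_BASE:
   +0  48 89 5C 24 08         mov [rsp+8],rbx
   +5  48 8D 0D 10 00 00 00   lea rcx,[rip+0x10]  -> SAMPLE_BASE + 5 + 7 + 0x10 = SAMPLE_BASE + 0x1C
   +12 33 D2                  xor edx,edx
   +14 48 8D 0D F0 FF FF FF   lea rcx,[rip-0x10]  -> SAMPLE_BASE + 14 + 7 - 0x10 = SAMPLE_BASE + 0x05
   +21 C3                     ret */
#define SAMPLE_BASE 0x140001000ULL
const uint8_t sample_code[] = {
    0x48, 0x89, 0x5C, 0x24, 0x08,  0x48, 0x8D, 0x0D, 0x10, 0x00, 0x00, 0x00,
    0x33, 0xD2,  0x48, 0x8D, 0x0D, 0xF0, 0xFF, 0xFF, 0xFF,  0xC3 };
```

Running the scanner over sample_code yields two candidates; filtering with a range that excludes the code itself leaves only the one that points past the function, which is the check the poster's first-match loop lacks.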