Sysinternals Forum > Windows Discussions > Development

[Kernel Driver] Get PspCreateThreadNotifyRoutine

Artur1338
Newbie


Joined: 11 August 2016
Status: Offline
Points: 2
    Posted: 11 August 2016 at 7:40pm
Hey,

I am writing an anti-rootkit driver at the moment, so I want to remove some notify callbacks from another driver.
So what I want to do is get the notify callback address and then unregister it.
For some reason, on Windows 10 my method doesn't work: I get the wrong PspCreateThreadNotifyRoutine address and land in the LoadImageCallbackList.
Maybe one of you could give me a hint:

This is my code:
#include <ntddk.h>

// Scans the first 0xff bytes of PsSetCreateThreadNotifyRoutine for a
// "lea rcx, [rip+disp32]" (48 8D 0D xx xx xx xx) and resolves its target.
ULONG64 FindPspCreateThreadNotifyRoutine()
{
     ULONG64               i=0,pCheckArea=0;
     UNICODE_STRING     unstrFunc;
     RtlInitUnicodeString(&unstrFunc, L"PsSetCreateThreadNotifyRoutine");
     pCheckArea = (ULONG64)MmGetSystemRoutineAddress (&unstrFunc);
     DbgPrint("PsSetCreateThreadNotifyRoutine: %llx\n",pCheckArea);
     for(i=pCheckArea;i<pCheckArea+0xff;i++)
     {
          if(*(PUCHAR)i==0x48 && *(PUCHAR)(i+1)==0x8d && *(PUCHAR)(i+2)==0x0d)     //lea rcx,xxxx
          {
               LONG OffsetAddr=0;
               memcpy(&OffsetAddr,(PUCHAR)(i+3),4);
               // RIP-relative: target = address of the next instruction (i+7) + signed disp32
               return OffsetAddr+7+i;
          }
     }
     return 0;
}

// Walks the 64 pointer-sized slots of the array found above and prints
// the routine stored in each registered callback block.
void EnumCreateThreadNotify()
{
     int i=0;
     ULONG64     NotifyAddr=0,MagicPtr=0;
     ULONG64     PspCreateThreadNotifyRoutine=FindPspCreateThreadNotifyRoutine();
     DbgPrint("PspCreateThreadNotifyRoutine: %llx\n",PspCreateThreadNotifyRoutine);
     if(!PspCreateThreadNotifyRoutine)
          return;
     for(i=0;i<64;i++)
     {
          MagicPtr=PspCreateThreadNotifyRoutine+i*8;
          NotifyAddr=*(PULONG64)(MagicPtr);
          if(NotifyAddr!=0 && MmIsAddressValid((PVOID)NotifyAddr))
          {
               // The low 3 bits of the slot value are flag bits, not part of the pointer;
               // the callback block's first field holds the notify routine.
               NotifyAddr=*(PULONG64)(NotifyAddr & 0xfffffffffffffff8);
               DbgPrint("[CreateThread]%llx\n",NotifyAddr);
          }
     }
}

Regards Artur1338