#1
Let me describe exactly what I want.
I'm about to suspend some protection threads in the XTreme Protector kernel driver, to make another Ring-0 dumper able to dump the process memory.

Regards, OMID

#2
Are these threads spawned by the driver (PsCreateSystemThread) or by the EXE application (which, AFAIK, has elevated privileges and has access to some ring-0 memory pages such as the IDT and the XProtector driver)?
Perhaps you could look into patching the driver directly or hooking PsCreateSystemThread.

#3
This snippet will lower the IRQL (not necessary unless at DISPATCH_LEVEL or greater, but safe if you're not sure). Create an event and then wait for it (infinitely). As the event never gets triggered, the thread will never run again *sniff ;( poor thread*. If you do want it to run at a later time, simply trigger the event.

```c
static KEVENT NonEvent;          /* must be non-paged and outlive the wait */
NTSTATUS status;

KeLowerIrql(PASSIVE_LEVEL);      /* only legal when paired with an earlier KeRaiseIrql */
KeInitializeEvent(&NonEvent, NotificationEvent, FALSE);

/* Timeout == NULL means wait forever. A pointer to a zero LARGE_INTEGER would
 * not block at all: KeWaitForSingleObject returns STATUS_TIMEOUT at once. */
status = KeWaitForSingleObject(&NonEvent,
                               Executive,   /* or Suspended */
                               KernelMode,
                               TRUE,        /* alertable */
                               NULL);
```

Hope this helps, WCFF

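The event-park trick from post #3, carried through to a working park/resume pair. This is an added example, not code from this thread or from any driver mentioned in it. When built with the WDK (`_KERNEL_MODE` defined) it calls the real `KEVENT` routines; on an ordinary host compiler it substitutes a small pthread-based model of `KeInitializeEvent`, `KeSetEvent` and `KeWaitForSingleObject` that I wrote to match their documented semantics (a null `Timeout` blocks until the event is set, a zero `Timeout` only polls; positive timeouts are not modelled), so the logic can be compiled and exercised in user mode. `g_ParkEvent`, `ParkInit`, `ParkCurrentThread`, `ResumeParkedThreads` and `PollParkEvent` are my names. It does not show how to make the protection thread call `ParkCurrentThread` in its own context; that is the patching or APC step the thread leaves open.

```c
/* Park-and-resume on a notification event that nobody signals until we decide
 * to let the parked threads run again.  Added example, not from this thread.
 * Host build: pthread model of the three KEVENT routines (assumed to follow the
 * documented semantics; positive timeouts are not modelled). */
#ifdef _KERNEL_MODE
#include <ntddk.h>
#else
#include <pthread.h>
#include <sched.h>
#include <stddef.h>
#include <stdio.h>
typedef long NTSTATUS, LONG, KPRIORITY;
typedef int BOOLEAN; typedef char KPROCESSOR_MODE;
typedef struct { long long QuadPart; } LARGE_INTEGER;
typedef enum { NotificationEvent, SynchronizationEvent } EVENT_TYPE;
typedef enum { Executive, Suspended } KWAIT_REASON;
enum { KernelMode, UserMode };
#define VOID void
#define TRUE 1
#define FALSE 0
#define IO_NO_INCREMENT 0
#define STATUS_SUCCESS ((NTSTATUS)0x00000000L)
#define STATUS_TIMEOUT ((NTSTATUS)0x00000102L)
#define InterlockedIncrement(p) __sync_add_and_fetch((p), 1)
#define InterlockedDecrement(p) __sync_sub_and_fetch((p), 1)
typedef struct { pthread_mutex_t Lock; pthread_cond_t Cond; EVENT_TYPE Type; BOOLEAN Signaled; } KEVENT;

static VOID KeInitializeEvent(KEVENT *Event, EVENT_TYPE Type, BOOLEAN State)
{
    pthread_mutex_init(&Event->Lock, NULL);
    pthread_cond_init(&Event->Cond, NULL);
    Event->Type = Type;
    Event->Signaled = State;
}

static LONG KeSetEvent(KEVENT *Event, KPRIORITY Increment, BOOLEAN Wait)
{
    (void)Increment; (void)Wait;
    pthread_mutex_lock(&Event->Lock);
    LONG previous = Event->Signaled;
    Event->Signaled = TRUE;
    pthread_cond_broadcast(&Event->Cond);      /* wake every waiter */
    pthread_mutex_unlock(&Event->Lock);
    return previous;
}

/* Timeout == NULL blocks until the event is set; a zero Timeout only polls and
 * returns STATUS_TIMEOUT while the event is not set. */
static NTSTATUS KeWaitForSingleObject(void *Object, KWAIT_REASON Reason, KPROCESSOR_MODE Mode,
                                      BOOLEAN Alertable, LARGE_INTEGER *Timeout)
{
    (void)Reason; (void)Mode; (void)Alertable;
    KEVENT *Event = Object;
    pthread_mutex_lock(&Event->Lock);
    if (!Event->Signaled && Timeout != NULL && Timeout->QuadPart == 0) {
        pthread_mutex_unlock(&Event->Lock);
        return STATUS_TIMEOUT;
    }
    while (!Event->Signaled)
        pthread_cond_wait(&Event->Cond, &Event->Lock);
    if (Event->Type == SynchronizationEvent)
        Event->Signaled = FALSE;               /* auto-reset: one waiter released */
    pthread_mutex_unlock(&Event->Lock);
    return STATUS_SUCCESS;
}
#endif

/* Driver globals: a KEVENT being waited on must stay resident (non-paged) for
 * as long as any thread waits on it, so it is static, never a stack variable. */
static KEVENT g_ParkEvent;
static volatile LONG g_ParkedCount;

VOID ParkInit(VOID)
{
    KeInitializeEvent(&g_ParkEvent, NotificationEvent, FALSE);
    g_ParkedCount = 0;
}

/* Must run in the context of the thread being parked, at PASSIVE_LEVEL.
 * Alertable == FALSE so a kernel alert cannot end the wait early; it returns
 * only after ResumeParkedThreads() signals the event. */
NTSTATUS ParkCurrentThread(VOID)
{
    InterlockedIncrement(&g_ParkedCount);
    NTSTATUS status = KeWaitForSingleObject(&g_ParkEvent, Executive, KernelMode, FALSE, NULL);
    InterlockedDecrement(&g_ParkedCount);
    return status;
}

/* A notification event stays signalled, so one KeSetEvent releases every parked thread. */
VOID ResumeParkedThreads(VOID)
{
    KeSetEvent(&g_ParkEvent, IO_NO_INCREMENT, FALSE);
}

/* What a pointer to a zero LARGE_INTEGER actually does: no wait at all. */
NTSTATUS PollParkEvent(VOID)
{
    LARGE_INTEGER zero;
    zero.QuadPart = 0;
    return KeWaitForSingleObject(&g_ParkEvent, Executive, KernelMode, FALSE, &zero);
}

#ifndef _KERNEL_MODE
static void *Worker(void *arg) { (void)arg; ParkCurrentThread(); return NULL; }

int main(void)
{
    pthread_t worker;
    ParkInit();
    pthread_create(&worker, NULL, Worker, NULL);
    while (g_ParkedCount == 0) sched_yield();          /* wait until the worker is parked */
    printf("poll while parked: 0x%lx (STATUS_TIMEOUT)\n", (unsigned long)PollParkEvent());
    ResumeParkedThreads();
    pthread_join(worker, NULL);
    printf("parked after resume: %ld\n", (long)g_ParkedCount);
    return 0;
}
#endif
```

The host `main` parks a worker thread, shows that a zero-timeout wait returns `STATUS_TIMEOUT` instead of blocking, then releases the worker with one `KeSetEvent`. In a driver the same three functions apply unchanged; the only thing that changes is who calls `ParkCurrentThread`, which must be the target thread itself.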