SST Hook -> Bluescreen!?

You're passing UserMode on a buffer that comes from Kernel-Mode.

How am I passing anything from UserMode? I am creating my own handle in kernel-mode to pass on to the original ZwCreateFile. Absolutely touching nothing coming from user-mode. The address of my kernel-mode allocated handle that I am passing is _valid_ for kernel-mode and not a user-mode buffer.

[Cobi]

If i understand you right you want to pass a File-Handle created by your Kernel-Mode Process to a User-Mode Process, so you could edit the File-Object and change its owner.
(ObObjectRefferenceByHandle or smth.)

Actually no. I am hooking ZwCreateFile, within the hooked function for ZwCreateFile that I created I am trying to call the original ZwCreateFile with all attributes allocated IN kernel-space and utilized IN kernel space. Absolutely NOTHING to do with user-mode other than interceding in the middle of a user-mode application attempting to open a file. Not in anyway shape or form attempting to pass anything back to user-mode.

Quote:

Originally Posted by thewhiz

Actually no. I am hooking ZwCreateFile, within the hooked function for ZwCreateFile that I created I am trying to call the original ZwCreateFile with all attributes allocated IN kernel-space and utilized IN kernel space. Absolutely NOTHING to do with user-mode other than interceding in the middle of a user-mode application attempting to open a file. Not in anyway shape or form attempting to pass anything back to user-mode.

check out KTHREAD.PreviousMode, probably that's cause of your problem. normally you'd have to re-enter the kernel thru the Zw APIs, but since that's what you hooked you'll need some extra logic in there to pass such calls directly down (or mock with PreviousMode directly).