원본 : http://www.themssforum.com/Drivers/File-System-104809/
Will not work on x64 Vista/2008, also note that NtReadFile hook will not catch
paging IO.
- Maxim Shatskih, Windows DDK MVP
Using a SSDT hook driver for this is incredibly irresponsible. First as Max
pointed out, it will not work for X64, and it will not catch paging I/O.
Also, getting these right is harder than one thinks, and is likely to
destabilize the system. Also, the driver will immediately be flagged as
MALWARE. Following such a path for file operations that are easily
catchable with approved ways, is beyond stupid.
- Don Burn (MVP, Windows DDK)
This can be done with a mini-filter and Microsoft provides one FileSpy that
meets most of the OP's needs. Get the WDK and take a look.
I don't think SSDT hook driver look like malware. Too many HIPS
software are using this technology.
Mini-filter driver maybe is the best way to done this case.
And some not all of these are special cased in the MALWARE detection.
Bottom lime is you cannot hook and unhook safely and it is a damaging
practice that hopefully Microsoft will block in 32 bit someday as well as 64
bit.
결국은 미니 필터 드라이버, WDK에 새로 추가된 미니필터 드라이버를 공부해 보도록 해야겠다.
자료가 별로 없는게 단점이지만 WDK에 minifilter예제들이 있으므로 그걸참고로 해야할듯 -ㅁ-;
Will not work on x64 Vista/2008, also note that NtReadFile hook will not catch
paging IO.
- Maxim Shatskih, Windows DDK MVP
Using a SSDT hook driver for this is incredibly irresponsible. First as Max
pointed out, it will not work for X64, and it will not catch paging I/O.
Also, getting these right is harder than one thinks, and is likely to
destabilize the system. Also, the driver will immediately be flagged as
MALWARE. Following such a path for file operations that are easily
catchable with approved ways, is beyond stupid.
- Don Burn (MVP, Windows DDK)
This can be done with a mini-filter and Microsoft provides one FileSpy that
meets most of the OP's needs. Get the WDK and take a look.
I don't think SSDT hook driver look like malware. Too many HIPS
software are using this technology.
Mini-filter driver maybe is the best way to done this case.
And some not all of these are special cased in the MALWARE detection.
Bottom lime is you cannot hook and unhook safely and it is a damaging
practice that hopefully Microsoft will block in 32 bit someday as well as 64
bit.
결국은 미니 필터 드라이버, WDK에 새로 추가된 미니필터 드라이버를 공부해 보도록 해야겠다.
자료가 별로 없는게 단점이지만 WDK에 minifilter예제들이 있으므로 그걸참고로 해야할듯 -ㅁ-;