Uninformed: Informative Information for the Uninformed

Vol 3» 2006.Jan

Hooking Object Type Initializer Procedures

One theoretical way to migrate to a safe IRQL would be to hook into one of the generalized object type initializer procedures associated with a specific object type, such as nt!PsThreadType or nt!PsProcessType. The method would be to first resolve one of the exported object types and then alter one of its procedure attributes, such as the OpenProcedure, to point into a buffer that contains the payload to execute. The payload could then determine whether or not it is safe to execute based on the current IRQL. In some cases it may also be safe to assume that the IRQL will be PASSIVE_LEVEL for a given object type procedure. Matt Conover also describes how this can be done in his Malware Profiling and Rootkit Detection on Windows paper[1]. Thanks to Derek Soeder for suggesting this approach.
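The defender's counterpart to this technique, as an added example that is not part of the original article or Conover's paper: walk each object type's procedure table and flag any procedure pointer that falls outside the kernel image, which is where a redirected OpenProcedure would land. The structure layout, image range and addresses below are constructed stand-ins, not the real OBJECT_TYPE_INITIALIZER layout or live kernel values.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed, simplified stand-in for an object type's procedure table.
 * The real OBJECT_TYPE_INITIALIZER layout is version-specific. */
typedef struct {
    const char *name;            /* e.g. "Process", "Thread" */
    uintptr_t open_procedure;    /* OpenProcedure */
    uintptr_t close_procedure;   /* CloseProcedure */
    uintptr_t delete_procedure;  /* DeleteProcedure */
    uintptr_t parse_procedure;   /* ParseProcedure */
} object_type_procs;

/* Loaded image range of the module that legitimately owns these routines. */
typedef struct { uintptr_t base; size_t size; } image_range;

/* A null procedure means the type defines none; that is not a hook. */
static int in_image(uintptr_t p, const image_range *img) {
    return p == 0 || (p >= img->base && p < img->base + img->size);
}

/* Returns how many of this type's procedure pointers lie outside the kernel image. */
int count_hooked_procs(const object_type_procs *t, const image_range *krnl) {
    const uintptr_t procs[] = { t->open_procedure, t->close_procedure,
                                t->delete_procedure, t->parse_procedure };
    const char *names[] = { "OpenProcedure", "CloseProcedure",
                            "DeleteProcedure", "ParseProcedure" };
    int hooked = 0;
    for (size_t i = 0; i < 4; i++) {
        if (!in_image(procs[i], krnl)) {
            printf("%s: %s -> %#llx outside kernel image\n", t->name, names[i],
                   (unsigned long long)procs[i]);
            hooked++;
        }
    }
    return hooked;
}

/* Constructed sample: kernel image at 0x80400000 (2 MiB); the Thread type's
 * OpenProcedure has been redirected to a pool buffer outside that range. */
int demo_scan(void) {
    image_range krnl = { 0x80400000u, 0x200000u };
    object_type_procs types[] = {
        { "Process", 0x8041a000u, 0x8041a100u, 0x8041a200u, 0 },
        { "Thread",  0x8a33f000u, 0x8041b100u, 0x8041b200u, 0 },
    };
    int total = 0;
    for (size_t i = 0; i < 2; i++) total += count_hooked_procs(&types[i], &krnl);
    return total; /* 1: only the Thread OpenProcedure is flagged */
}

int main(void) { return demo_scan() != 0; }
```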