Uninformed: Informative Information for the Uninformed

Vol 3» 2006.Jan


Hooking KfRaiseIrql

This approach, suggested by Derek Soeder, could be quite reliable as an IRQL migration component. The basic concept would be to resolve and hook hal!KfRaiseIrql. Inside the hook routine, a check could be performed to see if the current IRQL is passive and, if so, run the rest of the payload. However, as Derek points out, one of the problems with this approach centers on the method used to hook the function, since it would be somewhat expensive to do a detours-style preamble hook (although it's fairly easy to disable write protection). Still, this approach shows a good line of thinking that could be used to get to a safe IRQL.
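From the defender's side, a detours-style preamble hook on an exported routine such as hal!KfRaiseIrql appears as a mismatch between the loaded routine's first bytes and the same bytes in the file on disk. The check below is an added example, not code from the original article. It assumes 32-bit x86 and that the caller has already read both buffers with relocations applied; every name, byte and address in it is constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
enum hook_verdict { PROLOGUE_CLEAN, PROLOGUE_PATCHED, PROLOGUE_REDIRECTED };
struct image_range { uint32_t base, size; };   /* bounds of the owning module */
/* Constructed sample data (not the real bytes or addresses of any HAL build). */
#define SAMPLE_VA 0x80012340u
static const struct image_range sample_mod = { 0x80000000u, 0x00020000u };
static const uint8_t sample_disk[8]   = { 0x8B,0xFF,0x55,0x8B,0xEC,0x83,0xEC,0x08 };
static const uint8_t sample_hooked[8] = { 0xE9,0xBB,0xEC,0x9E,0x78,0x83,0xEC,0x08 };

/* Decode JMP rel32 (E9) or PUSH imm32 / RET (68 .. C3) found at address va.
 * Returns 1 and sets *target if the bytes are one of those redirects. */
static int decode_redirect(const uint8_t *p, size_t n, uint32_t va, uint32_t *target)
{
    uint32_t imm;
    if (n >= 5 && p[0] == 0xE9) {
        memcpy(&imm, p + 1, 4);          /* little-endian host assumed */
        *target = va + 5 + imm;          /* relative to the next instruction */
        return 1;
    }
    if (n >= 6 && p[0] == 0x68 && p[5] == 0xC3) {
        memcpy(&imm, p + 1, 4);
        *target = imm;                   /* absolute address pushed, then RET */
        return 1;
    }
    return 0;
}

/* mem: bytes read from the loaded routine; disk: same bytes from the file. */
enum hook_verdict check_prologue(const uint8_t *mem, const uint8_t *disk, size_t n,
                                 uint32_t va, struct image_range mod, uint32_t *target)
{
    *target = 0;
    if (memcmp(mem, disk, n) == 0)
        return PROLOGUE_CLEAN;
    if (decode_redirect(mem, n, va, target) &&
        (*target < mod.base || *target - mod.base >= mod.size))
        return PROLOGUE_REDIRECTED;      /* control leaves the owning module */
    return PROLOGUE_PATCHED;             /* modified, but no outbound redirect */
}

int main(void)
{
    uint32_t t;
    int v = check_prologue(sample_hooked, sample_disk, 8, SAMPLE_VA, sample_mod, &t);
    printf("verdict=%d target=0x%08X\n", v, (unsigned)t);
    return 0;
}
```

A PROLOGUE_PATCHED verdict still deserves a look: it covers any modification that is not one of the two decoded redirect forms, as well as redirects that stay inside the module.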