This approach, suggested by Derek Soeder, could be quite reliable
as an IRQL migration component. The basic concept would be to
resolve and hook hal!KfRaiseIrql. Inside the hook routine,
a check could be performed to see if the current IRQL is passive
and, if so, run the rest of the payload. However, as Derek points
out, one of the problems with this approach would center around the
method used to hook the function, considering it'd be somewhat
expensive to do a detours-style preamble hook (although it's fairly
easy to disable write protection). Still, this approach shows a
good line of thinking that could be used to get to a safe IRQL.