
Windows 7 driver hooking

My question is regarding driver development for Windows 7.

I need to intercept system calls to a driver. Theoretically in such cases it's recommended to create a filter driver, however in my case the driver doesn't expose a filter-compatible interface. It's a Vista/7 display miniport driver to be exact.

The display driver is loaded as a standard WDM driver. In its DriverEntry it's expected to call the DxgkInitialize system routine (exported by win32k.sys, I guess). My goal is to intercept this call.

Can anyone suggest any useful source where I can find information about how to achieve this?

The key to the victory is probably replacing the DxgkInitialize within the driver executable import section with the address of my function. The problem is that this should be done after the executable is loaded (mapped + relocated if necessary + all the import table entries are prepared), but before the driver's entry point is invoked.

I thought about the following options:

  • Map the executable into the system memory and "prepare" it manually (i.e. do the work of the loader). Then patch the needed function(s) and run the entry point.
  • With some effort ZwSetSystemInformation can be used for module loading (?)
  • Maybe patch the export section of the module that exports DxgkInitialize, so that the loader will automatically redirect every loaded module into my hands.

Thanks in advance.


You don't provide a business reason for this, so I'd hesitate to say something harsh. But you should reconsider your technological approach if it involves hooking calls.

The steps I'd take would probably include:

  1. Who exports DxgkInitialize? Don't guess win32k, look it up. (I won't give you the answer). Maybe you can easily hook the callee and not the caller.

  2. Do I have any callbacks for when a driver module is loaded but before it's inited? Look up PsSetLoadImageNotifyRoutine. Maybe it will provide you an appropriate timeslot to patch the driver's IAT (if you don't know what an Import Address Table is, reconsider hooking).

I see from the comments that you're primarily interested in "spying on display activities". I'm not sure that's precisely allowed on computers you don't fully control. But let's assume for the sake of the question that this is legal.

Depending on the resolution you want to get, you don't need a driver. Heck, you barely need a DLL. Look up Window hooks for partial solutions and accessibility callbacks.
