Detours within Windows kernel

Source: Internet. Published under: bridge health monitoring software. Editor: Programmer Blog Net. Time: 2024/06/08 00:39
By: izik

I had to do inline function hooking (aka detouring) to accomplish a task. When I started looking around for examples in rootkit source code, it turned out no rootkit is actually using this method. It makes sense in a way, since it's much easier to hook functions within service tables when trying to intercept calls from applications to the kernel, but as far as intercepting functions within the same module (driver) goes, that won't work. Since I couldn't find anything, I decided to write my own detouring driver, and I am now publishing it for educational purposes only.

KREMBO is a Windows driver which detours nt!RtlRandom (for no particular reason, just as a proof of concept). It's well commented and includes debug prints. I have successfully compiled it with Windows DDK 3790.1830. The zip includes both the source code and an already compiled (checked build) driver.
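An inline detour works by overwriting the first bytes of the target function with a jump to the hook, which is exactly what an integrity check can look for. The following is an added example, not code from KREMBO or from izik: it keeps a trusted snapshot of a function's prologue, applies the 5-byte `jmp rel32` a detour would write to a plain byte buffer (never to executable memory), and shows how a scanner classifies the result and resolves where the jump lands. The prologue bytes, function address and hook address are constructed for the demonstration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Number of prologue bytes we snapshot and compare. A 5-byte "jmp rel32"
 * is the smallest patch a classic detour writes, so 8 bytes comfortably
 * covers it as well as the push/ret variant. */
#define PROLOGUE_LEN 8

/* Constructed sample: a typical hot-patchable x86 prologue
 *   mov edi, edi ; push ebp ; mov ebp, esp ; sub esp, 0x10 */
static const uint8_t kTrustedPrologue[PROLOGUE_LEN] =
    { 0x8B, 0xFF, 0x55, 0x8B, 0xEC, 0x83, 0xEC, 0x10 };

enum hook_verdict {
    HOOK_NONE = 0,       /* bytes match the trusted snapshot */
    HOOK_JMP_REL32 = 1,  /* first byte is E9: jmp rel32 */
    HOOK_PUSH_RET = 2,   /* 68 imm32 C3: push addr ; ret */
    HOOK_MODIFIED = 3    /* differs, but not a pattern we recognise */
};

/* Compare the live prologue against a trusted snapshot and name the pattern. */
enum hook_verdict classify_prologue(const uint8_t *live, const uint8_t *trusted, size_t n)
{
    if (memcmp(live, trusted, n) == 0)
        return HOOK_NONE;
    if (n >= 5 && live[0] == 0xE9)
        return HOOK_JMP_REL32;
    if (n >= 6 && live[0] == 0x68 && live[5] == 0xC3)
        return HOOK_PUSH_RET;
    return HOOK_MODIFIED;
}

/* Resolve where a jmp rel32 located at `at` lands: target = at + 5 + rel. */
uint32_t jmp_rel32_target(uint32_t at, const uint8_t *bytes)
{
    int32_t rel;
    memcpy(&rel, bytes + 1, sizeof rel);  /* little-endian displacement */
    return at + 5u + (uint32_t)rel;
}

/* Write the 5-byte relative jump a detour places at `func_addr` so that it
 * lands on `hook_addr`. Operates on a byte buffer only; nothing is executed. */
void write_jmp_rel32(uint8_t *buf, uint32_t func_addr, uint32_t hook_addr)
{
    int32_t rel = (int32_t)(hook_addr - (func_addr + 5u));
    buf[0] = 0xE9;
    memcpy(buf + 1, &rel, sizeof rel);
}

/* Walk one detour scenario end to end and return the scanner's verdict;
 * on a jmp rel32 hit, also report the resolved jump target. */
enum hook_verdict demo_scan(uint32_t func_addr, uint32_t hook_addr, uint32_t *target_out)
{
    uint8_t image[PROLOGUE_LEN];
    memcpy(image, kTrustedPrologue, PROLOGUE_LEN);   /* unmodified function */
    write_jmp_rel32(image, func_addr, hook_addr);     /* detour applied */
    enum hook_verdict v = classify_prologue(image, kTrustedPrologue, PROLOGUE_LEN);
    if (v == HOOK_JMP_REL32 && target_out)
        *target_out = jmp_rel32_target(func_addr, image);
    return v;
}

int main(void)
{
    /* Constructed addresses: the function and the hook live in different images. */
    const uint32_t func = 0x80401000u, hook = 0x80500000u;
    uint32_t target = 0;
    enum hook_verdict v = demo_scan(func, hook, &target);
    printf("verdict=%d target=0x%08X (hook at 0x%08X)\n", (int)v, target, hook);
    return (v == HOOK_JMP_REL32 && target == hook) ? 0 : 1;
}
```

The trusted snapshot is the part that matters in practice: a scanner that only pattern-matches on `E9` will miss hooks that begin with other instructions, whereas comparing against bytes taken from the on-disk image (after relocation) catches any modification and lets the pattern check serve merely to label it.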

KREMBO (.zip)