Forget about hooklets for a while; there is a way of deceiving the OS without hooking:
The OLD, which stands for Object-Level Deceiving/Detouring, is a way of detouring by handing faked kernel objects to the system. This kind of technique deceives at a finer granularity (a single object) rather than at the level of a hooked function.
Now let's take a look at a classic example -- forced file deletion.
Generally, there are two things that stand in the way of deleting a file. One is share access. If the file is already open by someone who did not grant FILE_SHARE_DELETE, nt!IoCheckShareAccess fails when *CreateFile is invoked with DELETE access.
Actually, this is not a problem, because opening an existing file with only FILE_READ_ATTRIBUTES is never blocked by share access: IoCheckShareAccess performs the share check only when read, write or delete access is requested. Once you have the file object, the file is all yours. With share access out of the way, MmFlushImageSection is the problem we have to face. M$ tells us: ''The MmFlushImageSection routine flushes the image section for a file that is no longer in use.'' Before you read this article, hooking was your first and maybe only choice. Now you have a better way of kicking it -- the OLD.
The OLD has its advantages:
1. It is object-level and fine in granularity.
2. You do not have to take the risk of hooking the kernel with a badly written hooklet.
3. ...
When a file is asked to be deleted, the file system invokes MmFlushImageSection to flush the image; if that call fails, the deletion fails. After I reverse engineered the file system driver, I found out that the file system passes FILE_OBJECT->SectionObjectPointer to MmFlushImageSection to flush the I
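To make the two obstacles concrete, here is an added example that is not code from the original article and not driver code: a user-mode C model of the decision logic in nt!IoCheckShareAccess (as reimplemented in ReactOS), together with simplified stand-ins for MmFlushImageSection and for the file system's FileDispositionInformation path. The structures are cut down to the fields the checks read, the "image in use" rule is simplified to "ImageSectionObject is non-NULL", and the scenario (another opener holding a mapped image without granting FILE_SHARE_DELETE) is constructed. It shows why a DELETE open dies in the share check, why a FILE_READ_ATTRIBUTES open skips that check entirely, and how handing the file system a zeroed SECTION_OBJECT_POINTERS through the file object is what lets the delete go through.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* User-mode model of the two kernel checks the article describes.  Written for this
 * article, not Windows source and not driver code: structures are cut down to the fields
 * the decision logic reads. */
typedef int32_t NTSTATUS;
#define STATUS_SUCCESS           ((NTSTATUS)0x00000000)
#define STATUS_SHARING_VIOLATION ((NTSTATUS)0xC0000043)
#define STATUS_CANNOT_DELETE     ((NTSTATUS)0xC0000121)
enum { /* access and share flags, same numeric values as the Windows headers */
    FILE_READ_DATA = 0x0001, FILE_WRITE_DATA = 0x0002, FILE_APPEND_DATA = 0x0004, FILE_EXECUTE = 0x0020,
    FILE_READ_ATTRIBUTES = 0x0080, DELETE = 0x00010000, FILE_SHARE_READ = 1, FILE_SHARE_WRITE = 2, FILE_SHARE_DELETE = 4
};

typedef struct { void *DataSectionObject, *SharedCacheMap, *ImageSectionObject; } SECTION_OBJECT_POINTERS;
typedef struct { uint32_t OpenCount, Readers, Writers, Deleters, SharedRead, SharedWrite, SharedDelete; } SHARE_ACCESS;
typedef struct { bool ReadAccess, WriteAccess, DeleteAccess, SharedRead, SharedWrite, SharedDelete;
                 SECTION_OBJECT_POINTERS *SectionObjectPointer; /* normally points into the FCB */ } FILE_OBJECT;
typedef struct { SHARE_ACCESS ShareAccess; SECTION_OBJECT_POINTERS Sections; } FCB; /* per file, shared by all openers */

/* Decision logic of nt!IoCheckShareAccess (as in the ReactOS reimplementation).  Share access is
 * consulted only when read, write or delete access is requested; an attribute-only open returns
 * success without touching the FCB counters, which is why FILE_READ_ATTRIBUTES always gets in. */
NTSTATUS IoCheckShareAccess_model(uint32_t Desired, uint32_t DesiredShare, FILE_OBJECT *fo, SHARE_ACCESS *sa, bool Update)
{
    bool rd = (Desired & (FILE_READ_DATA | FILE_EXECUTE)) != 0, wr = (Desired & (FILE_WRITE_DATA | FILE_APPEND_DATA)) != 0,
         del = (Desired & DELETE) != 0;
    fo->ReadAccess = rd; fo->WriteAccess = wr; fo->DeleteAccess = del;
    if (!(rd || wr || del)) return STATUS_SUCCESS;
    bool srd = (DesiredShare & FILE_SHARE_READ) != 0, swr = (DesiredShare & FILE_SHARE_WRITE) != 0,
         sdel = (DesiredShare & FILE_SHARE_DELETE) != 0;
    fo->SharedRead = srd; fo->SharedWrite = swr; fo->SharedDelete = sdel;
    uint32_t n = sa->OpenCount;
    if ((rd && sa->SharedRead < n) || (sa->Readers && !srd) || (wr && sa->SharedWrite < n) ||
        (sa->Writers && !swr) || (del && sa->SharedDelete < n) || (sa->Deleters && !sdel))
        return STATUS_SHARING_VIOLATION;
    if (Update) {
        sa->OpenCount++; sa->Readers += rd; sa->Writers += wr; sa->Deleters += del;
        sa->SharedRead += srd; sa->SharedWrite += swr; sa->SharedDelete += sdel;
    }
    return STATUS_SUCCESS;
}

/* Open path: share check, then a FILE_OBJECT wired to the FCB's real section pointers. */
NTSTATUS OpenFile_model(FCB *fcb, uint32_t access, uint32_t share, FILE_OBJECT *fo)
{
    *fo = (FILE_OBJECT){0};
    NTSTATUS st = IoCheckShareAccess_model(access, share, fo, &fcb->ShareAccess, true);
    if (st == STATUS_SUCCESS) fo->SectionObjectPointer = &fcb->Sections;
    return st;
}
/* MmFlushImageSection(..., MmFlushForDelete) refuses while the file still backs a live image section.
 * Simplification: the real routine also inspects control-area reference counts; here "live" is non-NULL. */
bool MmFlushImageSection_model(SECTION_OBJECT_POINTERS *sop) { return sop->ImageSectionObject == NULL; }
/* FileDispositionInformation handler: the pointer it flushes is read from the FILE_OBJECT,
 * which is exactly the field the OLD replaces. */
NTSTATUS SetDisposition_model(FILE_OBJECT *fo)
{
    return MmFlushImageSection_model(fo->SectionObjectPointer) ? STATUS_SUCCESS : STATUS_CANNOT_DELETE;
}

/* Constructed scenario: a mapped image held by another opener who did not grant FILE_SHARE_DELETE. */
static void busy_image(FCB *fcb, FILE_OBJECT *holder)
{
    *fcb = (FCB){0};
    fcb->Sections.ImageSectionObject = &fcb->Sections;      /* any non-NULL value: image mapped */
    OpenFile_model(fcb, FILE_READ_DATA | FILE_EXECUTE, FILE_SHARE_READ, holder);
}

/* Obstacle 1: a DELETE open is stopped by the share check. */
NTSTATUS delete_open_attempt(void)
{
    FCB fcb; FILE_OBJECT holder, fo; busy_image(&fcb, &holder);
    return OpenFile_model(&fcb, DELETE, FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE, &fo);
}

/* Obstacle 2: an attribute-only open yields a FILE_OBJECT, but its real section pointers still say "in use". */
NTSTATUS attr_open_then_delete(void)
{
    FCB fcb; FILE_OBJECT holder, fo; busy_image(&fcb, &holder);
    OpenFile_model(&fcb, FILE_READ_ATTRIBUTES, 0, &fo);     /* cannot fail the share check */
    return SetDisposition_model(&fo);
}

/* The OLD: same attribute-only open, then a faked SECTION_OBJECT_POINTERS is substituted on the
 * FILE_OBJECT for the duration of the delete request and restored afterwards. */
NTSTATUS old_force_delete(void)
{
    FCB fcb; FILE_OBJECT holder, fo; busy_image(&fcb, &holder);
    OpenFile_model(&fcb, FILE_READ_ATTRIBUTES, 0, &fo);
    SECTION_OBJECT_POINTERS fake = {0}, *saved = fo.SectionObjectPointer;   /* the faked kernel object */
    fo.SectionObjectPointer = &fake;
    fo.DeleteAccess = true;                                 /* what a DELETE open would have recorded */
    NTSTATUS st = SetDisposition_model(&fo);
    fo.SectionObjectPointer = saved;                        /* put the real pointer back before release */
    return st;
}
```

In a driver the corresponding steps are ZwCreateFile with FILE_READ_ATTRIBUTES, ObReferenceObjectByHandle to reach the FILE_OBJECT, swapping SectionObjectPointer for your own zeroed SECTION_OBJECT_POINTERS, ZwSetInformationFile with FileDispositionInformation, and restoring the pointer before ObDereferenceObject and ZwClose. Because the swap lives only on the file object you opened, other openers keep their own pointers untouched; restoring it before the object is released is what keeps the deception object-level rather than a lasting corruption.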