Home

Awesome

Driver-HideKernelThread-IoCancelIrp

not my code. only for saving https://bbs.pediy.com/thread-272795.htm

Principle

Set the thread entry address to IoCancelIrp and the context to the irp you created. Then the thread will call IoCancelIrp. when called, will perform the operation of canlcelling the IRP. This will then call the IRP->CancelRoutine. so we just need to set our own thread entry address to IRP->CancelRoutine.

How to detect?