Writing filter drivers for protection mechanisms

When you start writing code using the WDK, it is good to have the following two documents at hand.

Windows 7 WDK documentation
    http://msdn.microsoft.com/en-us/windows/hardware/gg487458

Kernel Data and Filtering Support for Windows Server 2008
    http://download.microsoft.com/download/4/4/b/44bb7147-f058-4002-9ab2-ed22870e3fe9/Kernal%20Data%20and%20Filtering%20Support%20for%20Windows%20Server%202008.doc
   
Most of the protection mechanisms we try to implement fall under File, Registry, Process and DLL Load. In recent Windows versions, Microsoft does not allow anyone to hook the SSDT. Until now, most developers used to build these protection mechanisms through SSDT hooking, and a large share of the vulnerabilities found in kernel mode comes from these third-party driver developers.

Microsoft has come up with a “framework” that eases the work of developers. It follows the register-callback mechanism: instead of patching a kernel table, you register a callback and the kernel calls you.

To start with, you need to know the following APIs for hooking/unhooking these activities:
    For Registry:
        CmRegisterCallbackEx()
        CmUnRegisterCallback()

    For Filesystem:
        FltRegisterFilter()
        FltStartFiltering()
        FltEnumerateVolumes()
        FltUnregisterFilter()

    For Process:
        PsSetCreateProcessNotifyRoutine()
        PsSetCreateThreadNotifyRoutine()
        PsSetLoadImageNotifyRoutine()

    For Windows objects:
        ObRegisterCallbacks()
        ObUnRegisterCallbacks()

 

Tips:
    1. Some APIs allow you to take action from your hook; some don’t. For those, you need to solve the problem through some other mechanism.
    2. The “Object” you get in the “pre” callback of object hooking is actually a PEPROCESS.
    3. When you are inside the object hook, be careful with the APIs you call: opening handles from the callback triggers the callback again and leads to recursion.
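
As an added illustration (not code from the original post), here is the decision core of an ObRegisterCallbacks pre-operation callback used for process self-protection, written as plain C so that it builds and runs without the WDK; the prot_* names and the protected-PID table are assumptions, and the registration code that wires it to ObRegisterCallbacks is not shown.

```c
#include <stdint.h>
#include <stdbool.h>
/* Process access rights and Ob operation codes, values from the Windows headers. */
#define PROCESS_TERMINATE             0x0001
#define PROCESS_CREATE_THREAD         0x0002
#define PROCESS_VM_OPERATION          0x0008
#define PROCESS_VM_WRITE              0x0020
#define PROCESS_SUSPEND_RESUME        0x0800
#define OB_OPERATION_HANDLE_CREATE    0x0001
#define OB_OPERATION_HANDLE_DUPLICATE 0x0002
/* Rights that other processes must not obtain on a protected process. */
#define PROT_DENIED_RIGHTS (PROCESS_TERMINATE | PROCESS_CREATE_THREAD | \
    PROCESS_VM_OPERATION | PROCESS_VM_WRITE | PROCESS_SUSPEND_RESUME)
/* Hypothetical table of protected PIDs (0 = free slot); a real driver fills
 * it from its user-mode service under a lock. */
#define PROT_MAX_PIDS 8
static uint32_t g_protected_pids[PROT_MAX_PIDS];

bool prot_add_pid(uint32_t pid)
{
    for (int i = 0; pid != 0 && i < PROT_MAX_PIDS; i++)
        if (g_protected_pids[i] == 0 || g_protected_pids[i] == pid)
            return (g_protected_pids[i] = pid), true;
    return false;
}

bool prot_is_protected(uint32_t pid)
{
    for (int i = 0; pid != 0 && i < PROT_MAX_PIDS; i++)
        if (g_protected_pids[i] == pid) return true;
    return false;
}

/* Decision core of the pre-operation callback. In the driver the inputs come
 * from OB_PRE_OPERATION_INFORMATION (Operation, KernelHandle, the target PID
 * via PsGetProcessId((PEPROCESS)Object), tip 2, and the caller via
 * PsGetCurrentProcessId()); the result is written back to DesiredAccess. It
 * calls no handle-opening API, which is what avoids the re-entry in tip 3. */
uint32_t prot_filter_access(uint32_t operation, bool kernel_handle,
    uint32_t target_pid, uint32_t caller_pid, uint32_t desired_access)
{
    bool handle_op = operation == OB_OPERATION_HANDLE_CREATE ||
                     operation == OB_OPERATION_HANDLE_DUPLICATE;
    /* Kernel handles and a process's handles to itself are left untouched. */
    if (kernel_handle || !handle_op || caller_pid == target_pid ||
        !prot_is_protected(target_pid))
        return desired_access;
    /* The callback may only trim DesiredAccess, not fail the open (tip 1). */
    return desired_access & ~PROT_DENIED_RIGHTS;
}
```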
