When you start writing code with the WDK, it is good to have the following two documents at hand:
Windows 7 WDK documentation
Kernel Data and Filtering Support for Windows Server 2008
Most of the protection mechanisms we try to implement fall under file, registry, process and DLL (image) load activity. In recent Windows versions Microsoft does not allow anyone to hook the SSDT (on 64-bit Windows this is enforced by Kernel Patch Protection, better known as PatchGuard). Until now most developers built these protection mechanisms through SSDT hooking, and a large share of the vulnerabilities found in kernel mode come from exactly these third-party drivers.
Microsoft has therefore provided a "framework" that eases the developer's work. It follows a register-callback model: instead of patching kernel code, the driver registers a callback for the activity it is interested in, the kernel invokes the callback when that activity happens, and the driver unregisters it before unloading.
To start with, you need to know the APIs for hooking and unhooking (registering and unregistering callbacks for) each of these activities.
For Windows objects (the process and thread object types, registered through ObRegisterCallbacks and released with ObUnRegisterCallbacks), keep the following in mind:
1. Some of these APIs allow you to take action (block or modify the operation) from inside your hook; others only notify you after the fact. For the notify-only ones you need to solve the problem through some other mechanism.
2. The "Object" you get in the "pre" callback of the object hook is not a handle: when you registered for the process object type it is the PEPROCESS itself (and a PETHREAD for the thread object type), so pass it only to APIs that accept the object directly.
3. When you are inside the object hook, be careful which APIs you call. Opening a handle to a process or thread from inside the callback is itself a handle-create operation on that object type, so your own callback is re-entered and you can end up in unbounded recursion.
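As an added example (this is not code from the original post), here is a pre-operation callback of the kind the three points above describe: it registers for the process object type, treats the Object it receives as a PEPROCESS, shrinks the access mask instead of trying to fail the open, and avoids opening any handle from inside the callback. The build macro OB_EXAMPLE_KERNEL, the altitude string "321000", the way the protected PID is chosen, and the names ProtectPreOp, RegisterProtection, UnregisterProtection, SetProtectedPid and SimulateOpen are all assumptions made for this example; the host stand-in types mirror only the WDK fields the callback touches.

```c
/* Added example, not code from the original post: an ObRegisterCallbacks
 * pre-operation callback that strips terminate/inject rights from handles other
 * processes open to one protected process, plus the register/unregister pair.
 * OB_EXAMPLE_KERNEL is an assumed build macro: define it in a WDK project to use
 * the real headers; leave it undefined and the same callback compiles against
 * minimal host stand-ins so the policy can be unit-tested in user mode. */
#ifdef OB_EXAMPLE_KERNEL
#include <ntddk.h>
#else
#include <stddef.h>
#include <stdint.h>
typedef uint32_t ACCESS_MASK, ULONG;
typedef uintptr_t ULONG_PTR;
typedef void *PVOID, *HANDLE, *PEPROCESS;
#define OB_OPERATION_HANDLE_CREATE    1
#define OB_OPERATION_HANDLE_DUPLICATE 2
typedef enum { OB_PREOP_SUCCESS } OB_PREOP_CALLBACK_STATUS;
/* Field names mirror the WDK structures so ProtectPreOp compiles unchanged. */
typedef struct { ACCESS_MASK DesiredAccess, OriginalDesiredAccess; } OB_PRE_CREATE_HANDLE_INFORMATION;
typedef struct { ACCESS_MASK DesiredAccess, OriginalDesiredAccess;
                 PVOID SourceProcess, TargetProcess; } OB_PRE_DUPLICATE_HANDLE_INFORMATION;
typedef union  { OB_PRE_CREATE_HANDLE_INFORMATION CreateHandleInformation;
                 OB_PRE_DUPLICATE_HANDLE_INFORMATION DuplicateHandleInformation; } OB_PRE_OPERATION_PARAMETERS;
typedef struct { ULONG Operation; ULONG KernelHandle; PVOID Object; PVOID ObjectType; PVOID CallContext;
                 OB_PRE_OPERATION_PARAMETERS *Parameters; } OB_PRE_OPERATION_INFORMATION, *POB_PRE_OPERATION_INFORMATION;
/* Host stand-ins: a "PEPROCESS" points at a fake PID; the calling PID is a global. */
static ULONG_PTR g_host_caller_pid;
static HANDLE PsGetProcessId(PEPROCESS p) { return (HANDLE)*(ULONG_PTR *)p; }
static HANDLE PsGetCurrentProcessId(void) { return (HANDLE)g_host_caller_pid; }
#endif

#ifndef PROCESS_TERMINATE
#define PROCESS_TERMINATE     0x0001
#define PROCESS_CREATE_THREAD 0x0002
#define PROCESS_VM_OPERATION  0x0008
#define PROCESS_VM_WRITE      0x0020
#endif
/* Rights that let another process kill the protected one or inject into it. */
#define PROTECTED_DENY (PROCESS_TERMINATE | PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_WRITE)
static HANDLE g_protected_pid;   /* a real driver would set this through a control IOCTL */

OB_PREOP_CALLBACK_STATUS ProtectPreOp(PVOID RegistrationContext, POB_PRE_OPERATION_INFORMATION Info)
{
    ACCESS_MASK *desired;
    (void)RegistrationContext;
    /* Info->Object is a PEPROCESS because we register for PsProcessType. Hand it
     * only to Ps* APIs that take the object directly: opening a handle to it from
     * here (ZwOpenProcess, ObOpenObjectByPointer) is itself a handle-create on a
     * process object and re-enters this callback on the same thread. */
    if (PsGetProcessId((PEPROCESS)Info->Object) != g_protected_pid)
        return OB_PREOP_SUCCESS;                   /* not the process we guard */
    /* The protected process may open itself, and kernel handles are left alone. */
    if (PsGetCurrentProcessId() == g_protected_pid || Info->KernelHandle)
        return OB_PREOP_SUCCESS;
    /* A pre-operation callback cannot fail the open; it can only shrink the access. */
    desired = (Info->Operation == OB_OPERATION_HANDLE_CREATE)
            ? &Info->Parameters->CreateHandleInformation.DesiredAccess
            : &Info->Parameters->DuplicateHandleInformation.DesiredAccess;
    *desired &= ~PROTECTED_DENY;
    return OB_PREOP_SUCCESS;
}

#ifdef OB_EXAMPLE_KERNEL
static PVOID g_obRegistration;
/* Call from DriverEntry. The driver must be linked with /INTEGRITYCHECK, or
 * ObRegisterCallbacks fails with STATUS_ACCESS_DENIED. */
NTSTATUS RegisterProtection(void)
{
    OB_OPERATION_REGISTRATION op = {0};
    OB_CALLBACK_REGISTRATION reg = {0};
    op.ObjectType = PsProcessType;
    op.Operations = OB_OPERATION_HANDLE_CREATE | OB_OPERATION_HANDLE_DUPLICATE;
    op.PreOperation = ProtectPreOp;
    reg.Version = OB_FLT_REGISTRATION_VERSION;
    reg.OperationRegistrationCount = 1;
    reg.OperationRegistration = &op;
    RtlInitUnicodeString(&reg.Altitude, L"321000");   /* placeholder altitude */
    return ObRegisterCallbacks(&reg, &g_obRegistration);
}
/* Call from the unload routine, before the driver image goes away. */
VOID UnregisterProtection(void) { if (g_obRegistration) ObUnRegisterCallbacks(g_obRegistration); }
#else
/* Host harness: push one simulated handle-create through the callback and return
 * the access mask the object manager would actually grant. */
void SetProtectedPid(ULONG_PTR pid) { g_protected_pid = (HANDLE)pid; }
ACCESS_MASK SimulateOpen(ULONG_PTR caller_pid, ULONG_PTR target_pid, ACCESS_MASK desired)
{
    OB_PRE_OPERATION_PARAMETERS params = {0};
    OB_PRE_OPERATION_INFORMATION info = {0};
    params.CreateHandleInformation.DesiredAccess = desired;
    params.CreateHandleInformation.OriginalDesiredAccess = desired;
    info.Operation = OB_OPERATION_HANDLE_CREATE;
    info.Object = &target_pid;              /* stand-in PEPROCESS */
    info.Parameters = &params;
    g_host_caller_pid = caller_pid;
    ProtectPreOp(NULL, &info);
    return params.CreateHandleInformation.DesiredAccess;
}
#endif
```

Two design points worth noting. The callback never fails the open, because the object manager does not let a pre-operation callback do that; it silently reduces DesiredAccess, so a caller asking for PROCESS_ALL_ACCESS (0x1FFFFF) on the protected process gets a handle without terminate, create-thread and VM rights and its TerminateProcess or WriteProcessMemory calls fail later with access denied. Everything the callback needs about the target comes from the PEPROCESS it already holds; the moment you open a handle to that process from inside ProtectPreOp you trigger another handle-create on the process object type and land back in ProtectPreOp on the same thread. Registering for PsThreadType works the same way, except that the Object is then a PETHREAD.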