From: Denis Martinez on 10 Jun 2010 05:22

Hi. I need a way to hook registry functions such as ZwQueryKey, and make it return STATUS_ACCESS_DENIED depending on some condition. At this point I have a half-working driver that hooks the SSDT table.

The hook function calls
PrevQueryKey(hKey, KeyNameInformation, NULL, 0, &length) and
PrevQueryKey(hKey, KeyNameInformation, info, length, &length)
to get the key name and then proceeds to call PrevQueryKey with the user's parameters if the condition based on the key name is satisfied; otherwise STATUS_ACCESS_DENIED is returned.

I'm getting an error code 0xc0000005 (access violation) on the first PrevQueryKey call. If I remove the first 2 calls and the condition then all is fine. Can you explain to me how I can get the keyName that I need?
From: Maxim S. Shatskih on 10 Jun 2010 05:33

> Hi. I need a way to hook registry functions such as ZwQueryKey, and make it
> return STATUS_ACCESS_DENIED depending on some condition. At this point I have
> a half-working driver that hooks the SSDT table.

CmRegisterCallbacks is the way, not hooking.

--
Maxim S. Shatskih
Windows DDK MVP
maxim(a)storagecraft.com
http://www.storagecraft.com
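Worked example added here to illustrate the route Maxim recommends; it is not code from the thread or from Microsoft. It models the key-name policy that a CmRegisterCallback pre-notification (RegNtPreQueryKey) would apply: compare the key's full object-manager path against a protected subtree, case-insensitively and on a path-component boundary, and return STATUS_ACCESS_DENIED for hits. The kernel plumbing named in the comments (CmRegisterCallback, CmCallbackGetKeyObjectID, RtlInitUnicodeString, CmUnRegisterCallback) is the real WDK API but is not compiled here, so the block builds on any C compiler; the protected path \REGISTRY\MACHINE\SOFTWARE\Contoso\Secrets, all function names and the sample paths are assumptions constructed for the example.

```c
/*
 * Host-side model of the key-name policy a CmRegisterCallback
 * RegNtPreQueryKey handler would apply.  Only the decision logic is
 * compiled here; the kernel calls are mentioned in comments.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef int32_t NTSTATUS;
#define STATUS_SUCCESS       ((NTSTATUS)0x00000000)
#define STATUS_ACCESS_DENIED ((NTSTATUS)0xC0000022)

typedef uint16_t WCHAR;                 /* 16-bit code units, as in the kernel */
#define MAX_KEY_PATH 512                /* assumption: enough for the samples */

/* Same semantics as the kernel's UNICODE_STRING: Length is in BYTES and
 * Buffer is not NUL-terminated.  This is what CmCallbackGetKeyObjectID
 * hands back, so the name must never be treated as a C string. */
typedef struct {
    uint16_t     Length;
    uint16_t     MaximumLength;
    const WCHAR *Buffer;
} UNICODE_STRING;

/* Hypothetical protected subtree.  Paths seen by the callback are in
 * object-manager form (\REGISTRY\MACHINE\...), not HKLM\...; a real driver
 * would keep this as a UNICODE_STRING set up once with RtlInitUnicodeString. */
static const char *const ProtectedPrefixAscii =
    "\\REGISTRY\\MACHINE\\SOFTWARE\\Contoso\\Secrets";

/* Widen a constructed ASCII path into a counted WCHAR buffer.  Returns
 * false if it does not fit so callers can fail closed. */
static bool WidenAscii(const char *Src, WCHAR *Buf, size_t Cap, UNICODE_STRING *Out)
{
    size_t n = 0;
    while (Src[n] != '\0') {
        if (n == Cap)
            return false;
        Buf[n] = (WCHAR)(unsigned char)Src[n];
        n++;
    }
    Out->Length        = (uint16_t)(n * sizeof(WCHAR));
    Out->MaximumLength = (uint16_t)(Cap * sizeof(WCHAR));
    Out->Buffer        = Buf;
    return true;
}

/* Registry names compare case-insensitively.  The kernel would use
 * RtlUpcaseUnicodeChar; an ASCII fold is enough for this model. */
static WCHAR Fold(WCHAR c)
{
    return (c >= 'a' && c <= 'z') ? (WCHAR)(c - 'a' + 'A') : c;
}

/* True if Name is Prefix itself or lies beneath it.  The '\\' boundary
 * check keeps ...\Secrets from also matching ...\SecretsBackup. */
static bool KeyIsProtected(const UNICODE_STRING *Name, const UNICODE_STRING *Prefix)
{
    size_t n = Name->Length / sizeof(WCHAR);
    size_t p = Prefix->Length / sizeof(WCHAR);
    if (n < p)
        return false;
    for (size_t i = 0; i < p; i++)
        if (Fold(Name->Buffer[i]) != Fold(Prefix->Buffer[i]))
            return false;
    return n == p || Name->Buffer[p] == (WCHAR)'\\';
}

/* The decision the RegNtPreQueryKey branch of the RegistryCallback makes
 * once it has the key's full path.  A non-success status returned from a
 * pre-notification makes the configuration manager fail the caller's
 * ZwQueryKey with that status, which is the effect the SSDT hook wanted. */
static NTSTATUS FilterQueryKey(const UNICODE_STRING *KeyPath)
{
    WCHAR buf[MAX_KEY_PATH];
    UNICODE_STRING prefix;
    if (!WidenAscii(ProtectedPrefixAscii, buf, MAX_KEY_PATH, &prefix))
        return STATUS_ACCESS_DENIED;        /* broken policy: fail closed */
    return KeyIsProtected(KeyPath, &prefix) ? STATUS_ACCESS_DENIED : STATUS_SUCCESS;
}

/* Convenience wrapper for constructed ASCII sample paths.  If the path
 * cannot be obtained at all (CmCallbackGetKeyObjectID failing in a real
 * driver), this model fails closed; that is a design choice to make. */
static NTSTATUS CheckAsciiPath(const char *Path)
{
    WCHAR buf[MAX_KEY_PATH];
    UNICODE_STRING name;
    if (!WidenAscii(Path, buf, MAX_KEY_PATH, &name))
        return STATUS_ACCESS_DENIED;
    return FilterQueryKey(&name);
}

int main(void)
{
    /* Constructed sample paths, not captured from a real system. */
    static const char *const samples[] = {
        "\\REGISTRY\\MACHINE\\SOFTWARE\\Contoso\\Secrets",
        "\\REGISTRY\\MACHINE\\SOFTWARE\\Contoso\\Secrets\\Keys",
        "\\registry\\machine\\software\\contoso\\secrets\\keys",
        "\\REGISTRY\\MACHINE\\SOFTWARE\\Contoso\\SecretsBackup",
        "\\REGISTRY\\MACHINE\\SOFTWARE\\Contoso",
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        NTSTATUS st = CheckAsciiPath(samples[i]);
        printf("%-58s -> %s\n", samples[i],
               st == STATUS_ACCESS_DENIED ? "STATUS_ACCESS_DENIED" : "allowed");
    }
    return 0;
}
```

In the driver itself, register the callback with CmRegisterCallback (CmRegisterCallbackEx with an altitude on Vista and later), keep the returned LARGE_INTEGER cookie, dispatch on the REG_NOTIFY_CLASS argument and handle RegNtPreQueryKey, obtain the key path from the Object member of the REG_QUERY_KEY_INFORMATION argument via CmCallbackGetKeyObjectID (ObQueryNameString on older systems), and call CmUnRegisterCallback in DriverUnload. Because the configuration manager supplies the name, the driver never re-enters ZwQueryKey with kernel-side pointers, which is what caused the 0xC0000005 in the original hook.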
From: Pavel A. on 10 Jun 2010 05:41

"Denis Martinez" <Denis Martinez(a)discussions.microsoft.com> wrote in message news:812CF223-3D5A-4392-B21C-65C915630504(a)microsoft.com...
> Hi. I need a way to hook registry functions such as ZwQueryKey, and make it
> return STATUS_ACCESS_DENIED depending on some condition. At this point I have
> a half-working driver that hooks the SSDT table.
> The hook function calls
> PrevQueryKey(hKey, KeyNameInformation, NULL, 0, &length) and
> PrevQueryKey(hKey, KeyNameInformation, info, length, &length)
> to get the key name and then proceeds to call PrevQueryKey with the user's
> parameters, if the condition based on the key name was satisfied, else
> STATUS_ACCESS_DENIED is returned.
> I'm getting an error code 0xc0000005 (access violation) on the first
> PrevQueryKey call. If I remove the 2 first calls and the condition then all
> is fine. Can you explain to me how I can get the keyName that I need?

This should work, if you do it correctly.

Also, be careful of passing kernel handles and buffers to the usermode syscall handler (your PrevQueryKey): it will fail if you pass it a kernel-side pointer.

Hooking is hard.
From: Denis Martinez on 10 Jun 2010 06:55

Thanks for your answers, I have some other questions.

Indeed I passed pointers to kernel memory to my Zw function, so I'm replacing these pointers with memory zones allocated by ZwAllocateVirtualMemory.

* I don't see kernel-mode functions to access virtual memory. I suppose the allocated pages don't have to be aligned in memory, so direct access is impossible. How can I do it?
* I didn't know about CmRegisterCallback so I'll look at that, thanks.

"Maxim S. Shatskih" wrote:
> > Hi. I need a way to hook registry functions such as ZwQueryKey, and make it
> > return STATUS_ACCESS_DENIED depending on some condition. At this point I have
> > a half-working driver that hooks the SSDT table.
>
> CmRegisterCallbacks is the way, not hooking.
>
> --
> Maxim S. Shatskih
> Windows DDK MVP
> maxim(a)storagecraft.com
> http://www.storagecraft.com
From: Ray Trent on 10 Jun 2010 19:03

Ummm... why? Anyone that is motivated enough to write a driver to call ZwQueryKey to get around whatever access protections are already on the key will just undo whatever you do. There's no way to secure the OS against the OS, and like it or not, kernel mode drivers are part of the OS.

Just set the permissions on the key to give no one access except perhaps for some account you can create that only you have the credentials for. It won't stop a determined hacker, but *nothing will* at this level.

On 6/10/2010 2:22 AM, Denis Martinez wrote:
> Hi. I need a way to hook registry functions such as ZwQueryKey, and make it
> return STATUS_ACCESS_DENIED depending on some condition. At this point I have
> a half-working driver that hooks the SSDT table.
> The hook function calls
> PrevQueryKey(hKey, KeyNameInformation, NULL, 0, &length) and
> PrevQueryKey(hKey, KeyNameInformation, info, length, &length)
> to get the key name and then proceeds to call PrevQueryKey with the user's
> parameters, if the condition based on the key name was satisfied, else
> STATUS_ACCESS_DENIED is returned.
> I'm getting an error code 0xc0000005 (access violation) on the first
> PrevQueryKey call. If I remove the 2 first calls and the condition then all
> is fine. Can you explain to me how I can get the keyName that I need?

--
Ray