As the title says, how is this possible? Basically I want to intercept calls from NetShareEnum function same way as one would intercept calls to ReadDirectoryChangesW via IRP_MJ_DIRECTORY_CONTROL pre/post routines. Is filesystem minifilter enough for the task? Is there a major/minor function to register pre/post callbacks?
NetShareEnum is not file system operation.
I think it's impossible with file system minifilter driver.
Related
I read here that the inverse is possible, but how does one achieve such a thing? I'd hope there's a simple way, similar to calling from a loaded DLL, but my google research comes up with nothing. My only other thought is that one could pass some predefined constants through WriteFile or DeviceIoControl that the driver parses like a switch statement to execute the relevant function; does a more direct method exist?
The question is why would you want to do it? Generally if you have to rely on some mechanism like this, you need to revisit the design of the application/driver that you are writing.
The correct way to do something in context of your user mode application is exactly what you described. You can do a DeviceIoControl call to your driver and the driver validates all the parameters that you have passed, then carries out the operation on behalf of the user mode call.
If for some reason, you need to call into kernel directly, you will have to resort to undocumented methods. There are ways to hook into kernel dispatch table and overwrite one of the dispatch handler to redirect the call to your function. But I hope you never ever ship anything like this to your customer. This is good for learning how the dispatch table works, etc but introduces several security nightmares. Ultimately your software should not be responsible for someone's machine getting hacked.
e.g. hook a write file api so that every process write file must through my function's filter.
I only know a hook function SetWindowsHookEx but so sad it only hook for global key events.
Not from user mode but you can in kernel mode with a file system filter driver. There's a new model, the Filter Manager Model, which reduces the complexity of developing a file system filter driver. See "Filter Manager and Minifilter Driver Architecture" in the MSDN.
Can anybody tell me how can i hook from kernel driver function only for single process. For example ZwQueryInformationProcess.
Thanks!
You can't do that in windows kernel. ZwXXX functions of ntoskrnl are native APIs. They are global common functions. All processes in user mode are using one copy of the function. There is no copy-on-write or something else in kernel.
You can implement this by using this way:
hook ZwQueryInformationProcess of ntdll.dll of special process in
user mode.
Add a filter in your hook function in kernel mode. If
current process context is not what you wanted. Pass through it.
That's all.
Thanks.
Is there any way to hook all disk writes going thru the system, and receive the file names of whatever's being modified, using the Win32 API? Or is this something that would require writing a driver?
You can't do this in user mode, it needs to be kernel mode and so that means a driver. You need a File System Filter Driver.
If you don't care about intercepting the actual data, and only want to know which files are being modified/created/deleted then you can use the ReadDirectoryChangesW API to get that info from userland. Note however that it's one of the hardest functions to use effectively and efficiently, and you should be familiar with IOCP to use it correctly.
I have developed a driver for Windows XP which is able to monitor the execution of processes.
A callback function receives the notifications using standard WDK API (PsSetCreateProcessNotifyRoutine).
The driver then decides if the process should be authorized or not; if not, it must block its execution/kill it.
What is the cleanest way to intercept execution that way? I do not mind if it is not documented, but I would rather not resort to hooking, if possible.
Ok, according to this document:
http://download.microsoft.com/download/4/4/b/44bb7147-f058-4002-9ab2-ed22870e3fe9/Kernal%20Data%20and%20Filtering%20Support%20for%20Windows%20Server%202008.doc
I need to install a minifilter for IRP_MJ_ACQUIRE_FOR_SECTION_SYNCHRONIZATION and check for PageProtection == PAGE_EXECUTE.
PsSetCreateProcessNotifyRoutineEx (Vista+) will allow you to cause the process-creation operation to fail by changing the CreateInfo->CreationStatus member to an NTSTATUS error code.