Click here to Skip to main content
Click here to Skip to main content
Add your own
alternative version
Go to top

Moving to Windows Vista x64

, 3 Aug 2009
An article about x64 and Windows Vista
communication.zip
Client
Client
release
Client.exe
Server
release
Server.exe
Server
x64
release
Server.exe
Client.exe
Server.exe
myregfilter.zip
sources
objchk_wlh_x86
i386
MyRegFilter.sys
objchk_wxp_x86
i386
MyRegFilter.sys
objfre_wlh_amd64
amd64
MyRegFilter.sys
objfre_wxp_x86
i386
MyRegFilter.sys
makefile
privileges.zip
privileges
privileges.exe.manifest
release
privileges.exe
randtest.zip
x86
DynBaseApp.exe
RandTest.exe
DynBaseApp
DynBaseApp
DynBaseApp.suo
RandTest
RandTest
RandTest.suo
x64
release
DynBaseApp.exe
RandTest.exe
smallwpf.zip
SmallWPF
bin
Release
Draft.PresentationDesignMarkup.dll
PresentationDesignCore.dll
PresentationDesignDeveloper.DLL
PresentationDesignFramework.dll
SmallWPF.exe
Properties
Settings.settings
test.zip
test
test.res
#include <ntddk.h>

WCHAR DeviceName[] = L"\\Device\\MyRegFilter";
WCHAR SymLinkName[] = L"\\DosDevices\\MyRegFilter";

UNICODE_STRING usDeviceName;
UNICODE_STRING usSymbolicLinkName;

typedef struct _DEVICE_CONTEXT
{
	PDRIVER_OBJECT  pDriverObject;       
    PDEVICE_OBJECT  pDeviceObject;

	LARGE_INTEGER RegCookie;
}
DEVICE_CONTEXT, *PDEVICE_CONTEXT, **PPDEVICE_CONTEXT;

PDEVICE_OBJECT  g_pDeviceObject  = NULL;
PDEVICE_CONTEXT g_pDeviceContext = NULL;

#define FILE_DEVICE_MYREGFILTER 0x8000


NTSTATUS DriverInitialize(PDRIVER_OBJECT  pDriverObject, PUNICODE_STRING pusRegistryPath);
NTSTATUS DriverEntry(PDRIVER_OBJECT  pDriverObject, PUNICODE_STRING pusRegistryPath);

NTSTATUS RegistryCallback(PVOID CallbackContext, PVOID Argument1, PVOID Argument2);

#ifdef ALLOC_PRAGMA

#pragma alloc_text (INIT, DriverInitialize)
#pragma alloc_text (INIT, DriverEntry)

#endif


NTSTATUS DeviceDispatcher(PDEVICE_CONTEXT pDeviceContext, PIRP pIrp)
{
    PIO_STACK_LOCATION pisl;
    NTSTATUS ns = STATUS_NOT_IMPLEMENTED;

    pisl = IoGetCurrentIrpStackLocation(pIrp);

    switch (pisl->MajorFunction)
	{
	
	case IRP_MJ_CREATE:
	case IRP_MJ_CLEANUP:
	case IRP_MJ_CLOSE:
    case IRP_MJ_DEVICE_CONTROL:
		{
			ns = STATUS_SUCCESS;
            break;
		}
	}

    pIrp->IoStatus.Status = ns;
    pIrp->IoStatus.Information = 0;

    IoCompleteRequest(pIrp, IO_NO_INCREMENT);

    return ns;
}

NTSTATUS DriverDispatcher(PDEVICE_OBJECT pDeviceObject, PIRP pIrp)
{
	return (pDeviceObject == g_pDeviceObject ? 
		DeviceDispatcher(g_pDeviceContext, pIrp)
		: STATUS_INVALID_PARAMETER_1);
}


VOID DriverUnload(PDRIVER_OBJECT pDriverObject)
{
	//
	// Stop filtering the registry
	// Shouldn't be placed in the unload
	//

	CmUnRegisterCallback(g_pDeviceContext->RegCookie);

    IoDeleteSymbolicLink(&usSymbolicLinkName);
    IoDeleteDevice(pDriverObject->DeviceObject);
}

NTSTATUS DriverInitialize(PDRIVER_OBJECT pDriverObject,
						  PUNICODE_STRING pusRegistryPath)
{
    PDEVICE_OBJECT pDeviceObject = NULL;
    NTSTATUS ns = STATUS_DEVICE_CONFIGURATION_ERROR;
    
    RtlInitUnicodeString(&usDeviceName, DeviceName);
    RtlInitUnicodeString(&usSymbolicLinkName, SymLinkName);

    if ((ns = IoCreateDevice(pDriverObject, sizeof (DEVICE_CONTEXT),
		&usDeviceName, FILE_DEVICE_MYREGFILTER, 0, FALSE,
		&pDeviceObject)) == STATUS_SUCCESS)
	{
        if ((ns = IoCreateSymbolicLink(&usSymbolicLinkName, 
			&usDeviceName)) == STATUS_SUCCESS)
		{
            g_pDeviceObject  = pDeviceObject;
            g_pDeviceContext = pDeviceObject->DeviceExtension;

            g_pDeviceContext->pDriverObject = pDriverObject;
            g_pDeviceContext->pDeviceObject = pDeviceObject;

		}
		else
		{
			IoDeleteDevice(pDeviceObject);
		}
	}
	
	return ns;
}

NTSTATUS DriverEntry(PDRIVER_OBJECT pDriverObject, PUNICODE_STRING pusRegistryPath)
{
	PDRIVER_DISPATCH *ppdd;
    NTSTATUS ns = STATUS_DEVICE_CONFIGURATION_ERROR;

    if ((ns = DriverInitialize(pDriverObject, pusRegistryPath)) == STATUS_SUCCESS)
	{
        ppdd = pDriverObject->MajorFunction;

        ppdd[IRP_MJ_CREATE                  ] =
        ppdd[IRP_MJ_CREATE_NAMED_PIPE       ] =
        ppdd[IRP_MJ_CLOSE                   ] =
        ppdd[IRP_MJ_READ                    ] =
        ppdd[IRP_MJ_WRITE                   ] =
        ppdd[IRP_MJ_QUERY_INFORMATION       ] =
        ppdd[IRP_MJ_SET_INFORMATION         ] =
        ppdd[IRP_MJ_QUERY_EA                ] =
        ppdd[IRP_MJ_SET_EA                  ] =
        ppdd[IRP_MJ_FLUSH_BUFFERS           ] =
        ppdd[IRP_MJ_QUERY_VOLUME_INFORMATION] =
        ppdd[IRP_MJ_SET_VOLUME_INFORMATION  ] =
        ppdd[IRP_MJ_DIRECTORY_CONTROL       ] =
        ppdd[IRP_MJ_FILE_SYSTEM_CONTROL     ] =
        ppdd[IRP_MJ_DEVICE_CONTROL          ] =
        ppdd[IRP_MJ_INTERNAL_DEVICE_CONTROL ] =
        ppdd[IRP_MJ_SHUTDOWN                ] =
        ppdd[IRP_MJ_LOCK_CONTROL            ] =
        ppdd[IRP_MJ_CLEANUP                 ] =
        ppdd[IRP_MJ_CREATE_MAILSLOT         ] =
        ppdd[IRP_MJ_QUERY_SECURITY          ] =
        ppdd[IRP_MJ_SET_SECURITY            ] =
        ppdd[IRP_MJ_POWER                   ] =
        ppdd[IRP_MJ_SYSTEM_CONTROL          ] =
        ppdd[IRP_MJ_DEVICE_CHANGE           ] =
        ppdd[IRP_MJ_QUERY_QUOTA             ] =
        ppdd[IRP_MJ_SET_QUOTA               ] =
        ppdd[IRP_MJ_PNP                     ] = DriverDispatcher;
        pDriverObject->DriverUnload           = DriverUnload;

		//
		// Filter the registry
		//

		ns = CmRegisterCallback(RegistryCallback, g_pDeviceContext, &g_pDeviceContext->RegCookie);

		if (!NT_SUCCESS(ns)) IoDeleteDevice(g_pDeviceObject);
	}

	return ns;
}

//
// Registry Filter Callback
//

NTSTATUS RegistryCallback(PVOID CallbackContext, PVOID Argument1, PVOID Argument2)
{
	PDEVICE_CONTEXT pContext = (PDEVICE_CONTEXT) CallbackContext;
	REG_NOTIFY_CLASS Action  = (REG_NOTIFY_CLASS) Argument1;


	switch (Action) 
	{

	case RegNtPreDeleteKey:
		{
			//
			// Pre DeleteKey
			//

			PREG_DELETE_KEY_INFORMATION pInfo = (PREG_DELETE_KEY_INFORMATION) Argument2;

			DbgPrint("Delete Key\n");

			//
			// You can prevent this operation from happening
			// Without having the thread noticing it
			// Only on Windows Vista
			//
			//
			// return STATUS_CALLBACK_BYPASS;
			//

			break;
		}

	case RegNtPreCreateKeyEx:
		{
			//
			// Pre CreateKey
			//

			PREG_CREATE_KEY_INFORMATION pInfo = (PREG_CREATE_KEY_INFORMATION) Argument2;

			DbgPrint("Create Key\n");

			break;
		}


	default:
		{
			//
			// Return STATUS_SUCCESS
			//

			break;
		}
		
	}

	return STATUS_SUCCESS;
}

By viewing downloads associated with this article you agree to the Terms of Service and the article's licence.

If a file you wish to view isn't highlighted, and is a text file (not binary), please let us know and we'll add colourisation support for it.

License

This article, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)

Share

About the Author

Daniel Pistelli
Software Developer
Germany Germany
The languages I know best are: C, C++, C#, Assembly (x86, x64, ARM), MSIL, Python, Lua. The environments I frequently use are: Qt, Win32, MFC, .NET, WDK. I'm a developer and a reverse engineer and I like playing around with internals.
 
You can find most of my work at http://ntcore.com.

| Advertise | Privacy | Mobile
Web01 | 2.8.140916.1 | Last Updated 3 Aug 2009
Article Copyright 2007 by Daniel Pistelli
Everything else Copyright © CodeProject, 1999-2014
Terms of Service
Layout: fixed | fluid