|
#include <ntddk.h>
WCHAR DeviceName[] = L"\\Device\\MyRegFilter";
WCHAR SymLinkName[] = L"\\DosDevices\\MyRegFilter";
UNICODE_STRING usDeviceName;
UNICODE_STRING usSymbolicLinkName;
typedef struct _DEVICE_CONTEXT
{
PDRIVER_OBJECT pDriverObject;
PDEVICE_OBJECT pDeviceObject;
LARGE_INTEGER RegCookie;
}
DEVICE_CONTEXT, *PDEVICE_CONTEXT, **PPDEVICE_CONTEXT;
PDEVICE_OBJECT g_pDeviceObject = NULL;
PDEVICE_CONTEXT g_pDeviceContext = NULL;
#define FILE_DEVICE_MYREGFILTER 0x8000
NTSTATUS DriverInitialize(PDRIVER_OBJECT pDriverObject, PUNICODE_STRING pusRegistryPath);
NTSTATUS DriverEntry(PDRIVER_OBJECT pDriverObject, PUNICODE_STRING pusRegistryPath);
NTSTATUS RegistryCallback(PVOID CallbackContext, PVOID Argument1, PVOID Argument2);
#ifdef ALLOC_PRAGMA
#pragma alloc_text (INIT, DriverInitialize)
#pragma alloc_text (INIT, DriverEntry)
#endif
NTSTATUS DeviceDispatcher(PDEVICE_CONTEXT pDeviceContext, PIRP pIrp)
{
PIO_STACK_LOCATION pisl;
NTSTATUS ns = STATUS_NOT_IMPLEMENTED;
pisl = IoGetCurrentIrpStackLocation(pIrp);
switch (pisl->MajorFunction)
{
case IRP_MJ_CREATE:
case IRP_MJ_CLEANUP:
case IRP_MJ_CLOSE:
case IRP_MJ_DEVICE_CONTROL:
{
ns = STATUS_SUCCESS;
break;
}
}
pIrp->IoStatus.Status = ns;
pIrp->IoStatus.Information = 0;
IoCompleteRequest(pIrp, IO_NO_INCREMENT);
return ns;
}
NTSTATUS DriverDispatcher(PDEVICE_OBJECT pDeviceObject, PIRP pIrp)
{
return (pDeviceObject == g_pDeviceObject ?
DeviceDispatcher(g_pDeviceContext, pIrp)
: STATUS_INVALID_PARAMETER_1);
}
VOID DriverUnload(PDRIVER_OBJECT pDriverObject)
{
//
// Stop filtering the registry
// Shouldn't be placed in the unload
//
CmUnRegisterCallback(g_pDeviceContext->RegCookie);
IoDeleteSymbolicLink(&usSymbolicLinkName);
IoDeleteDevice(pDriverObject->DeviceObject);
}
NTSTATUS DriverInitialize(PDRIVER_OBJECT pDriverObject,
PUNICODE_STRING pusRegistryPath)
{
PDEVICE_OBJECT pDeviceObject = NULL;
NTSTATUS ns = STATUS_DEVICE_CONFIGURATION_ERROR;
RtlInitUnicodeString(&usDeviceName, DeviceName);
RtlInitUnicodeString(&usSymbolicLinkName, SymLinkName);
if ((ns = IoCreateDevice(pDriverObject, sizeof (DEVICE_CONTEXT),
&usDeviceName, FILE_DEVICE_MYREGFILTER, 0, FALSE,
&pDeviceObject)) == STATUS_SUCCESS)
{
if ((ns = IoCreateSymbolicLink(&usSymbolicLinkName,
&usDeviceName)) == STATUS_SUCCESS)
{
g_pDeviceObject = pDeviceObject;
g_pDeviceContext = pDeviceObject->DeviceExtension;
g_pDeviceContext->pDriverObject = pDriverObject;
g_pDeviceContext->pDeviceObject = pDeviceObject;
}
else
{
IoDeleteDevice(pDeviceObject);
}
}
return ns;
}
NTSTATUS DriverEntry(PDRIVER_OBJECT pDriverObject, PUNICODE_STRING pusRegistryPath)
{
PDRIVER_DISPATCH *ppdd;
NTSTATUS ns = STATUS_DEVICE_CONFIGURATION_ERROR;
if ((ns = DriverInitialize(pDriverObject, pusRegistryPath)) == STATUS_SUCCESS)
{
ppdd = pDriverObject->MajorFunction;
ppdd[IRP_MJ_CREATE ] =
ppdd[IRP_MJ_CREATE_NAMED_PIPE ] =
ppdd[IRP_MJ_CLOSE ] =
ppdd[IRP_MJ_READ ] =
ppdd[IRP_MJ_WRITE ] =
ppdd[IRP_MJ_QUERY_INFORMATION ] =
ppdd[IRP_MJ_SET_INFORMATION ] =
ppdd[IRP_MJ_QUERY_EA ] =
ppdd[IRP_MJ_SET_EA ] =
ppdd[IRP_MJ_FLUSH_BUFFERS ] =
ppdd[IRP_MJ_QUERY_VOLUME_INFORMATION] =
ppdd[IRP_MJ_SET_VOLUME_INFORMATION ] =
ppdd[IRP_MJ_DIRECTORY_CONTROL ] =
ppdd[IRP_MJ_FILE_SYSTEM_CONTROL ] =
ppdd[IRP_MJ_DEVICE_CONTROL ] =
ppdd[IRP_MJ_INTERNAL_DEVICE_CONTROL ] =
ppdd[IRP_MJ_SHUTDOWN ] =
ppdd[IRP_MJ_LOCK_CONTROL ] =
ppdd[IRP_MJ_CLEANUP ] =
ppdd[IRP_MJ_CREATE_MAILSLOT ] =
ppdd[IRP_MJ_QUERY_SECURITY ] =
ppdd[IRP_MJ_SET_SECURITY ] =
ppdd[IRP_MJ_POWER ] =
ppdd[IRP_MJ_SYSTEM_CONTROL ] =
ppdd[IRP_MJ_DEVICE_CHANGE ] =
ppdd[IRP_MJ_QUERY_QUOTA ] =
ppdd[IRP_MJ_SET_QUOTA ] =
ppdd[IRP_MJ_PNP ] = DriverDispatcher;
pDriverObject->DriverUnload = DriverUnload;
//
// Filter the registry
//
ns = CmRegisterCallback(RegistryCallback, g_pDeviceContext, &g_pDeviceContext->RegCookie);
if (!NT_SUCCESS(ns)) IoDeleteDevice(g_pDeviceObject);
}
return ns;
}
//
// Registry Filter Callback
//
NTSTATUS RegistryCallback(PVOID CallbackContext, PVOID Argument1, PVOID Argument2)
{
PDEVICE_CONTEXT pContext = (PDEVICE_CONTEXT) CallbackContext;
REG_NOTIFY_CLASS Action = (REG_NOTIFY_CLASS) Argument1;
switch (Action)
{
case RegNtPreDeleteKey:
{
//
// Pre DeleteKey
//
PREG_DELETE_KEY_INFORMATION pInfo = (PREG_DELETE_KEY_INFORMATION) Argument2;
DbgPrint("Delete Key\n");
//
// You can prevent this operation from happening
// Without having the thread noticing it
// Only on Windows Vista
//
//
// return STATUS_CALLBACK_BYPASS;
//
break;
}
case RegNtPreCreateKeyEx:
{
//
// Pre CreateKey
//
PREG_CREATE_KEY_INFORMATION pInfo = (PREG_CREATE_KEY_INFORMATION) Argument2;
DbgPrint("Create Key\n");
break;
}
default:
{
//
// Return STATUS_SUCCESS
//
break;
}
}
return STATUS_SUCCESS;
}
|
By viewing downloads associated with this article you agree to the Terms of Service and the article's licence.
If a file you wish to view isn't highlighted, and is a text file (not binary), please
let us know and we'll add colourisation support for it.
The languages I know best are: C, C++, C#, Assembly (x86, x64, ARM), MSIL, Python, Lua. The environments I frequently use are: Qt, Win32, MFC, .NET, WDK. I'm a developer and a reverse engineer and I like playing around with internals.
You can find most of my work at
http://ntcore.com.