A forum for reverse engineering, OS internals and malware analysis 


Re: How to redirect registry key in registry callback?

 by myid ¦  Thu Dec 21, 2017 7:28 am ¦  Forum: Kernel-Mode Development ¦  Topic: How to redirect registry key in registry callback? ¦  Replies: 4 ¦  Views: 8305

Brock wrote:Microsoft's sample code doesn't work on Microsoft's Regedit? What do you mean it "cannot" work? Have you verified this with other registry editors/viewers?
https://github.com/Microsoft/Windows-dr ... ry/regfltr
You can test this code if you don't believe me.

Re: How to redirect registry key in registry callback?

 by myid ¦  Wed Dec 20, 2017 11:15 am ¦  Forum: Kernel-Mode Development ¦  Topic: How to redirect registry key in registry callback? ¦  Replies: 4 ¦  Views: 8305

This should help you override and redirect the operation but I haven't tested it. http://joyasystems.com/sample-code%2FWindows%20Driver%20Samples%2FRegFltr%20Sample%20Driver%2FC%2B%2B%2Fsys%2Fpost.c *see example CallbackPostNotificationOverrideError()* This code comes from the WDK demo code package, ...

How to redirect registry key in registry callback?

 by myid ¦  Tue Dec 19, 2017 2:04 pm ¦  Forum: Kernel-Mode Development ¦  Topic: How to redirect registry key in registry callback? ¦  Replies: 4 ¦  Views: 8305

Hi, everyone. How to redirect a registry key in a registry callback? I use RegEdit to test; the OS environment is WIN7. For example: redirect \\REGISTRY\\MACHINE\\SOFTWARE\\1111 to \\REGISTRY\\MACHINE\\SOFTWARE\\2222. These two keys already exist. I tried to filter RegNtPreCreateKeyEx and RegNtPreOpenKey...

Re: IoCallDriver return STATUS_PENDING, will it BSOD if NOT

 by myid ¦  Thu Nov 30, 2017 1:14 pm ¦  Forum: Kernel-Mode Development ¦  Topic: IoCallDriver return STATUS_PENDING, will it BSOD if NOT wait ¦  Replies: 19 ¦  Views: 18496

Are you sending the IRP directly to that system driver, or to the highest device in its device stack? If the latter, be aware that filter drivers may also register a completion routine and may postpone IRP completion by returning STATUS_MORE_PROCESSING_REQUIRED. So, the cancel routine returns and t...

Re: IoCallDriver return STATUS_PENDING, will it BSOD if NOT

 by myid ¦  Thu Nov 30, 2017 2:39 am ¦  Forum: Kernel-Mode Development ¦  Topic: IoCallDriver return STATUS_PENDING, will it BSOD if NOT wait ¦  Replies: 19 ¦  Views: 18496

So, I think it is safe to free the event object after IoCancelIrp returns TRUE. That would be true if the cancel routine had a requirement to complete the IRP. As far as I remember, the documentation does not mention this requirement. My IRP will be sent to a system driver. I have found its source code...

Re: IoCallDriver return STATUS_PENDING, will it BSOD if NOT

 by myid ¦  Wed Nov 29, 2017 4:25 pm ¦  Forum: Kernel-Mode Development ¦  Topic: IoCallDriver return STATUS_PENDING, will it BSOD if NOT wait ¦  Replies: 19 ¦  Views: 18496

This may happen when you call IoCancelIrp after the IRP is completed and freed. You need to synchronize the code of your completion routine with the call to IoCancelIrp, so you never touch (or cancel) the IRP after its completion. I have read the source code of IoCancelIrp; it returns after the Canc...

Re: IoCallDriver return STATUS_PENDING, will it BSOD if NOT

 by myid ¦  Wed Nov 29, 2017 1:20 pm ¦  Forum: Kernel-Mode Development ¦  Topic: IoCallDriver return STATUS_PENDING, will it BSOD if NOT wait ¦  Replies: 19 ¦  Views: 18496

IoCancelIrp returns TRUE if and only if the IRP has a cancel routine. The function calls the cancel routine and sets the cancel bit of the IRP. I do not think that the cancel routine must complete the IRP (possibly with the STATUS_CANCELLED result). So, when the call to the IoCancelIrp returns, the...

Re: IoCallDriver return STATUS_PENDING, will it BSOD if NOT

 by myid ¦  Wed Nov 29, 2017 2:48 am ¦  Forum: Kernel-Mode Development ¦  Topic: IoCallDriver return STATUS_PENDING, will it BSOD if NOT wait ¦  Replies: 19 ¦  Views: 18496

By calling IoCancelIrp, you are telling the driver currently owning the IRP that you wish to cancel it. It is up to the owning driver what it does with such an IRP. Eventually, it should complete it with STATUS_CANCELLED (or some other error status), so your completion routine is called (if you in...

Re: IoCallDriver return STATUS_PENDING, will it BSOD if NOT

 by myid ¦  Tue Nov 28, 2017 7:27 am ¦  Forum: Kernel-Mode Development ¦  Topic: IoCallDriver return STATUS_PENDING, will it BSOD if NOT wait ¦  Replies: 19 ¦  Views: 18496

Hmmm, I think the problem is that the event object may be freed even when a thread is waiting for it. The following scenario leads to the issue: 1) you allocate the event object, 2) you build the IRP, 3) you pass the IRP to the target driver (IoCallDriver), 4) you start waiting for the event object...

Re: IoCallDriver return STATUS_PENDING, will it BSOD if NOT

 by myid ¦  Mon Nov 27, 2017 9:08 am ¦  Forum: Kernel-Mode Development ¦  Topic: IoCallDriver return STATUS_PENDING, will it BSOD if NOT wait ¦  Replies: 19 ¦  Views: 18496

How are you building the IRP? Also, if KeWaitForSingleObject returns STATUS_TIMEOUT, you should not use the iosb.Status value since the IRP is not complete (and hence, this value is not initialized by the completing driver). Thanks, but this is not the key point. It still BSODs after I delete this l...
