A forum for reverse engineering, OS internals and malware analysis 

Forum for discussion about kernel-mode development.
 #26269  by ItsGreat
 Sun Jul 12, 2015 9:55 pm
Good day, hello,

I have a Windows kernel filter driver that uses FsRtlRegisterFilesystemCallbacks() to do callbacks.

With this function, is it possible to replace the addresses of the callback functions with NULL so that the callback is unregistered? I know that with the functions ObRegisterCallbacks(), PsSetProcessNotify() and all other callback routines this is easily done.

For my security I want to know if somebody can just replace the callback addresses of my filter from a 3rd-party driver and it will unregister my filter?

Also, is there any function to unregister the callbacks? I don't think so, but maybe you know.

Thank you very much for your help.
 #26289  by Vrtule
 Tue Jul 14, 2015 5:37 pm
As far as I know, addresses of the registered callbacks are written to a driver object extension of the driver object supplied in the first parameter. So, changing these addresses manually (by a 3rd-party driver) sounds to me like a quite easy job.

I don't know whether registering all callbacks as NULL actually causes their deregistration. But I think it's worth a try.
 #26291  by ItsGreat
 Tue Jul 14, 2015 8:16 pm
Thank you very much for the reply.

I saw in another post on the kernelmode.info forum that the poster explained how to find the handle/addresses for ObRegisterCallbacks().

Do you know how I can do the same for this function? The problem is that much is undocumented and FsRtlRegisterFilesystemCallbacks() has little information, but ones like ObRegisterCallbacks(), PsSetCreateProcess(), etc. have much more documentation and info.

Also, how can I unregister the callbacks? What function do I call to unregister callbacks set with FsRtlRegisterFilesystemCallbacks()?

I want to know exactly how to make this attack so I can write a system thread to protect my callbacks, but I need to know how an attacker would do it. Thank you again.
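The defensive side of what this thread discusses, as an added example that is not code from anyone in the thread: a watchdog that keeps a golden copy of the callback table taken at registration time, compares it against the live table on each pass, and restores any entry that has been nulled or redirected. It is a user-mode simulation written in plain C so it runs offline; the global `g_live_slot` is a hypothetical stand-in for the per-driver slot the kernel fills, and locating that slot in a real driver is exactly the undocumented detail the thread is asking about, which this example does not supply. The struct mirrors the shape of the documented FS_FILTER_CALLBACKS block (a size field, a reserved field, then twelve callback pointers); all function and variable names are the example's own.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Shape of the documented FS_FILTER_CALLBACKS structure from ntifs.h:
   a Size field, a Reserved field, then twelve callback pointers.
   Only the layout matters here; the callback bodies are stubs. */
#define FS_FILTER_CB_COUNT 12
typedef int (*fs_filter_cb)(void *context);
typedef struct {
    uint32_t size;
    uint32_t reserved;
    fs_filter_cb cb[FS_FILTER_CB_COUNT];
} fs_filter_callbacks;

/* Hypothetical stand-in for the per-driver slot the kernel fills on
   registration. Where that slot really lives is undocumented and is not
   modelled here; a plain global is enough to exercise the watchdog. */
static fs_filter_callbacks g_live_slot;

/* Golden copy the filter keeps in its own memory at registration time. */
static fs_filter_callbacks g_golden;

static int pre_op_cb(void *context)  { (void)context; return 0; }
static int post_op_cb(void *context) { (void)context; return 0; }

/* Build a registration block the way the filter would before registering:
   even slots get the pre-operation stub, odd slots the post-operation stub. */
fs_filter_callbacks make_callbacks(void) {
    fs_filter_callbacks c;
    memset(&c, 0, sizeof c);
    c.size = (uint32_t)sizeof c;
    for (int i = 0; i < FS_FILTER_CB_COUNT; i++)
        c.cb[i] = (i % 2 == 0) ? pre_op_cb : post_op_cb;
    return c;
}

/* Simulated registration: the "kernel" copies the table into its slot and
   the filter snapshots the same table as its golden copy. */
int register_callbacks(const fs_filter_callbacks *cbs) {
    if (cbs == NULL || cbs->size != sizeof *cbs) return -1;
    g_live_slot = *cbs;
    g_golden = *cbs;
    return 0;
}

/* Index of the first live entry that differs from the golden copy, or -1 if
   the table is intact. A NULL and a redirected pointer are both mismatches. */
int find_tampered(const fs_filter_callbacks *live, const fs_filter_callbacks *golden) {
    for (int i = 0; i < FS_FILTER_CB_COUNT; i++)
        if (live->cb[i] != golden->cb[i]) return i;
    return -1;
}

/* One watchdog pass: repair every mismatched entry and report how many were
   restored. In a driver this would be the loop body of a thread created with
   PsCreateSystemThread, sleeping via KeDelayExecutionThread between passes. */
int watchdog_pass(void) {
    int restored = 0;
    for (int i = 0; i < FS_FILTER_CB_COUNT; i++) {
        if (g_live_slot.cb[i] != g_golden.cb[i]) {
            fprintf(stderr, "callback slot %d altered, restoring\n", i);
            g_live_slot.cb[i] = g_golden.cb[i];
            restored++;
        }
    }
    return restored;
}

/* Test hook only: zero one live entry to model the deregistration-by-NULL
   the thread asks about, so the detection path can be exercised offline. */
void inject_null_for_test(int index) {
    if (index >= 0 && index < FS_FILTER_CB_COUNT) g_live_slot.cb[index] = NULL;
}

int main(void) {
    fs_filter_callbacks cbs = make_callbacks();
    if (register_callbacks(&cbs) != 0) return 1;
    inject_null_for_test(3);
    printf("tampered slot: %d\n", find_tampered(&g_live_slot, &g_golden));
    printf("restored: %d\n", watchdog_pass());
    printf("intact now: %s\n",
           find_tampered(&g_live_slot, &g_golden) == -1 ? "yes" : "no");
    return 0;
}
```

Two caveats follow from the thread itself. A polling watchdog only narrows the window in which a nulled callback is missed, it does not close it, so the interval is a trade-off against CPU cost. And a 3rd-party driver runs at the same privilege as the filter, so it can overwrite the golden copy or stop the thread just as easily as it can patch the live table; the check raises the bar and gives something to log, it is not a boundary.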