[__fastcall]

I want to Register a callback to monitor registry listing. And my questions is the following.
If i use CmRegisterCallbackEx to register a callback to do it , what kind of driver is that or what do i need to look at.
Can i do it with an normal nt4 style driver or do i need something special ?
I'm new to kernel programming.

Thank you.

[xdeadcode]

Hi __fastcall,

Standard windows driver is ok for this purpose (driver can be minifilter but do not have to).
Everything you will find here: http://msdn.microsoft.com/en-us/library ... s.85).aspx should be enough to make filtering possible.

Before you will ask about altitudes, I suggest to read this: http://www.osronline.com/showThread.cfm?link=152163

Best regards,

[__fastcall]

ok, now i got 2 questions left , if i would use CmRegisterCallback instead of Ex would this mean this is only for xp ?
http://msdn.microsoft.com/en-us/library ... s.85).aspx
"The CmRegisterCallback routine is obsolete for Windows Vista and later operating system versions. Use CmRegisterCallbackEx instead."

And my last for now is, is it then possible to do a Filesystemfilter ( Does somebody got a good paper ? ) and registry callbacks into one driver ?

Thank you,
__fastcall

[xdeadcode]

Hi __fastcall,

You can use CmRegisterCallback on Vista+ system also. CmRegisterCallback is just obsolete for Vista+ systems - doesn't mean you can't use it.
According to preVista (Sp1) systems just be aware that not all registry classes are available.

According to filesystem minifilter drivers, well first look at wdk - there are many samples that will help you understand how to make such filter.
Here is very good blog about creation of filesystem minifilters: http://fsfilters.blogspot.com/ there you can find answers to many advanced questions about fs minifilters.

Best regards.

[frank_boldewin]

also check out the sources from capture-bat.

http://www.honeynet.org/node/315

Capture BAT is a behavioral analysis tool of applications for the Win32 operating system family. Capture BAT is able to monitor the state of a system during the execution of applications and processing of documents, which provides an analyst with insights on how the software operates even if no source code is available. Capture BAT monitors state changes on a low kernel level and can easily be used across various Win32 operating system versions and configurations.

Capture BAT provides a powerful mechanism to exclude event noise that naturally occurs on an idle system or when using a specific application. This mechanism is fine-grained and allows an analyst to take into account the process that cause the various state changes. As a result, this mechanism even allows Capture to analyze the behavior of documents that execute within the context of an application, for example the behavior of a malicious Microsoft Word document.

[R00tKit]

yes You can use minifilter with other filters
WDK sample code for all you need

RegFltr Sample Driver
The RegFltr sample shows how to write a registry filter driver.

http://code.msdn.microsoft.com/windowsh ... r-f2941a79

regard

[__fastcall]

Code: Select all

typedef struct _REG_ENUMERATE_KEY_INFORMATION {
  PVOID  Object;
  ULONG  Index;
  KEY_INFORMATION_CLASS  KeyInformationClass;
  PVOID  KeyInformation;
  ULONG  Length;
  PULONG  ResultLength;
  PVOID  CallContext;
  PVOID  ObjectContext;
  PVOID  Reserved;
} REG_ENUMERATE_KEY_INFORMATION, *PREG_ENUMERATE_KEY_INFORMATION;

I got a problem now , i can't resolve the key itself . I guess i can get more information about the key with the member Object of the stucture but i don't know how and the documentation only tells it is an 'pointer to registry key object' , and now my question is how can i resolve any information from it ?

[xqrzd]

What info do you want to get? You can get key path with ObQueryNameString or CmCallbackGetKeyObjectID.

[__fastcall]

What information can i get by the object else ?

[xdeadcode]

Hi __fastcall,

What information can i get by the object else ?

Well I think you should specify what exactly you would like to achive? (Exactly as xqrzd wrote).
Basically what CmCallbacks offers per desing (as M$ proposed this api) should be enough for you to make successfull filtering of registries.
Of course it doesn't mean it is enough indeed and then you have to make some investigations.

Start by looking at _cm_key_body and all substructures, and look at all object-like api's (e.g Ob*). I belive it should be enough for you.

Best regards,