As part of my practice in kernel-mode programming, which I'm learning from Windows Kernel Programming, Pavel Yosifovich, 2020, chapter 8, I've created a project used to monitor activities at the system level, such as:
- Process creation
- Process termination
- Thread creation
- Thread termination
- Image load
I've created a kernel-mode driver that registers a callback to be fired whenever one of the above-mentioned events happens, using the following kernel functions:
```c
// Registers (Remove == FALSE) or unregisters (Remove == TRUE) a process create/exit callback.
// The driver image must be linked with /INTEGRITYCHECK or the call fails with STATUS_ACCESS_DENIED.
NTSTATUS PsSetCreateProcessNotifyRoutineEx(
    PCREATE_PROCESS_NOTIFY_ROUTINE_EX NotifyRoutine,
    BOOLEAN Remove
);

// Registers a thread create/exit callback (unregister with PsRemoveCreateThreadNotifyRoutine).
NTSTATUS PsSetCreateThreadNotifyRoutine(
    PCREATE_THREAD_NOTIFY_ROUTINE NotifyRoutine
);

// Registers an image-load callback (unregister with PsRemoveLoadImageNotifyRoutine).
NTSTATUS PsSetLoadImageNotifyRoutine(
    PLOAD_IMAGE_NOTIFY_ROUTINE NotifyRoutine
);
```
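The callbacks above only fire inside the kernel; the driver still has to hand what they see to a client, and an unbounded list is the classic way for a monitoring driver to leak pool when the client is slow or gone. The following is an added example, not the project's or the book's code, of the bounded LIST_ENTRY-based event queue such a driver would push into from each callback, written so that it compiles and runs in user mode. Everything in it is an assumption for the example: the LIST_ENTRY helpers are re-implemented with the same semantics as the WDK macros, malloc/free stand in for the pool allocator, the event layout, the on_*_notify wrappers and the sample pids and paths are made up, and the Limit field is where the value read from the driver's registry key (mentioned in the TODO list) would go.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
/* User-mode stand-ins for the WDK LIST_ENTRY helpers (ntddk.h in the driver); same semantics. */
typedef struct _LIST_ENTRY { struct _LIST_ENTRY *Flink, *Blink; } LIST_ENTRY;
static void InitializeListHead(LIST_ENTRY *h) { h->Flink = h->Blink = h; }
static bool IsListEmpty(const LIST_ENTRY *h) { return h->Flink == h; }
static void InsertTailList(LIST_ENTRY *h, LIST_ENTRY *e) {
    e->Flink = h; e->Blink = h->Blink; h->Blink->Flink = e; h->Blink = e;
}
static LIST_ENTRY *RemoveHeadList(LIST_ENTRY *h) {
    LIST_ENTRY *e = h->Flink; h->Flink = e->Flink; e->Flink->Blink = h; return e;
}
#define CONTAINING_RECORD(p, type, field) ((type *)((char *)(p) - offsetof(type, field)))
/* One record per callback invocation: the header the client application reads (made-up layout). */
typedef enum { EventProcessCreate, EventProcessExit, EventThreadCreate,
               EventThreadExit, EventImageLoad } EventType;
typedef struct {
    uint64_t Sequence;                /* monotonic, so the client can detect gaps */
    EventType Type;
    uint32_t ProcessId, ParentProcessId, ThreadId;
    char ImagePath[64];               /* process create and image load only; fixed size for the example */
} EventHeader;
typedef struct { LIST_ENTRY Entry; EventHeader Data; } EventItem; /* Entry embedded for CONTAINING_RECORD */
typedef struct {
    LIST_ENTRY Head;
    size_t Count, Limit;              /* Limit: the value the driver would read from its registry key */
    uint64_t Dropped, NextSequence;   /* Dropped: oldest records evicted because the list was full */
} EventQueue;
static void queue_init(EventQueue *q, size_t limit) {
    InitializeListHead(&q->Head);
    q->Count = 0; q->Limit = limit ? limit : 1;   /* a limit of 0 would make the list unusable */
    q->Dropped = 0; q->NextSequence = 0;
}
/* Push one record, evicting the oldest when the list is full so a slow or dead client cannot
 * make the driver grow memory without bound. In the driver this runs under a lock (e.g. a fast
 * mutex) and allocates with ExAllocatePoolWithTag instead of malloc. */
static bool queue_push(EventQueue *q, const EventHeader *ev) {
    EventItem *item = malloc(sizeof *item);
    if (!item) return false;
    item->Data = *ev;
    item->Data.Sequence = q->NextSequence++;
    if (q->Count >= q->Limit) {
        free(CONTAINING_RECORD(RemoveHeadList(&q->Head), EventItem, Entry));
        q->Count--; q->Dropped++;
    }
    InsertTailList(&q->Head, &item->Entry);
    q->Count++; return true;
}
/* Pop the oldest record: what the driver's read handler does for each record it copies out. */
static bool queue_pop(EventQueue *q, EventHeader *out) {
    if (IsListEmpty(&q->Head)) return false;
    EventItem *item = CONTAINING_RECORD(RemoveHeadList(&q->Head), EventItem, Entry);
    *out = item->Data; free(item); q->Count--;
    return true;
}
/* Mirror the notify-routine contracts: for the process routine create == false stands for
 * CreateInfo == NULL (process exit); thread and image callbacks carry only a thread id or image name. */
static void on_process_notify(EventQueue *q, uint32_t pid, uint32_t ppid, const char *image, bool create) {
    EventHeader ev = {0};
    ev.Type = create ? EventProcessCreate : EventProcessExit; ev.ProcessId = pid;
    if (create) { ev.ParentProcessId = ppid; snprintf(ev.ImagePath, sizeof ev.ImagePath, "%s", image ? image : ""); }
    queue_push(q, &ev);
}
static void on_thread_notify(EventQueue *q, uint32_t pid, uint32_t tid, bool create) {
    EventHeader ev = {0};
    ev.Type = create ? EventThreadCreate : EventThreadExit; ev.ProcessId = pid; ev.ThreadId = tid;
    queue_push(q, &ev);
}
static void on_image_load(EventQueue *q, uint32_t pid, const char *image) {
    EventHeader ev = {0};
    ev.Type = EventImageLoad; ev.ProcessId = pid;
    snprintf(ev.ImagePath, sizeof ev.ImagePath, "%s", image);
    queue_push(q, &ev);
}
/* Constructed scenario (pids and paths are made up): limit 3, five callbacks, so the two oldest
 * records are evicted. Returns 0 when the queue behaves as expected, else the failed check number. */
static int scenario_check(void) {
    EventQueue q; EventHeader e;
    queue_init(&q, 3);
    on_process_notify(&q, 4242, 1000, "\\??\\C:\\Windows\\System32\\notepad.exe", true); /* seq 0 */
    on_thread_notify(&q, 4242, 4300, true);                                               /* seq 1 */
    on_image_load(&q, 4242, "\\Windows\\System32\\ntdll.dll");                          /* seq 2 */
    on_thread_notify(&q, 4242, 4300, false);                                              /* seq 3 */
    on_process_notify(&q, 4242, 0, NULL, false);                                          /* seq 4 */
    if (q.Count != 3 || q.Dropped != 2) return 1;
    if (!queue_pop(&q, &e) || e.Sequence != 2 || e.Type != EventImageLoad) return 2;
    if (!queue_pop(&q, &e) || e.Sequence != 3 || e.Type != EventThreadExit || e.ThreadId != 4300) return 3;
    if (!queue_pop(&q, &e) || e.Sequence != 4 || e.Type != EventProcessExit) return 4;
    return (queue_pop(&q, &e) || q.Count != 0) ? 5 : 0;
}
int main(void) {
    int rc = scenario_check();
    if (rc) printf("check %d failed\n", rc); else puts("queue behaves as expected: 3 kept, 2 dropped");
    return rc;
}
```

Two design points carry over to the real driver: evicting the oldest record rather than refusing new ones keeps the driver's memory bounded no matter what the client does, and the Sequence counter together with Dropped lets the client see that it missed events instead of silently reading a gap.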
Troubleshooting
When creating the driver service and starting it, you can get an Access Denied error. This happens because the compiled driver was not linked with the /INTEGRITYCHECK flag: PsSetCreateProcessNotifyRoutineEx refuses to register a callback from a driver image that does not have the IMAGE_DLLCHARACTERISTICS_FORCE_INTEGRITY flag set and returns STATUS_ACCESS_DENIED (0xC0000022), so DriverEntry fails and the service control manager reports that error. To solve this, add the flag to your driver project as follows:
Project Properties -> Linker -> Command Line -> Additional Options -> type: /INTEGRITYCHECK
You can confirm the flag on the built .sys with dumpbin /headers: the DLL characteristics should list "Force Integrity". The flag also makes the loader verify the image's signature, so the driver must be (test-)signed as usual.
When using the client application to read data from the kernel driver you can get an error that VCRUNTIME140.dll (or another VCRUNTIMExx.dll) is missing. This happens because the executable was built against the dynamically linked C runtime (/MD, the Visual Studio default), so it depends on the Visual C++ Redistributable DLLs, which are usually not installed on a clean test machine. To solve this, link the runtime statically so the executable carries its own copy:
Project Properties -> C/C++ -> Code Generation -> Runtime Library -> Multi-threaded (/MT), or Multi-threaded Debug (/MTd) for Debug builds
Alternatively, install the Visual C++ Redistributable on the test machine and keep /MD.
TODO
- Add a user-mode application to consume the events
- Create the service: start routine, stop routine
- Create a launch routine: load the driver, start consuming events, append events to a log file
- Read the limit value for the linked-list size from the driver's registry key
- Add ImageFileName and ParentProcessId data to the PsSetCreateProcessNotifyRoutineEx event
- Add caching of process and thread data
- Change application-to-driver communication from polling to a notification-based method
References
- Pavel Yosifovich's book, Windows Kernel Programming - https://leanpub.com/windowskernelprogramming
- More about kernel callbacks - https://www.codemachine.com/article_kernel_callback_functions.html
- Microsoft Docs tutorial about singly and doubly linked lists - https://docs.microsoft.com/en-us/windows-hardware/drivers/kernel/singly-and-doubly-linked-lists
- Fortinet article about PsSetLoadImageNotifyRoutine callbacks - https://www.fortinet.com/blog/threat-research/windows-pssetloadimagenotifyroutine-callbacks-the-good-the-bad