A forum for reverse engineering, OS internals and malware analysis 

Forum for discussion about kernel-mode development.
 #26165  by sima
 Wed Jun 24, 2015 2:13 pm
Hi to all. I have a Windows Filtering Platform (WFP) based driver for traffic monitoring. Windows has the service Base Filtering Engine (BFE) that controls the operation of the Windows Filtering Platform. I wonder how I can protect this service from stopping? I figured out that any user-mode app can easily do it via OpenSCManager->OpenService->ControlService. I need to do it from kernel mode, but if you give me ANY initial pointers I would be thankful.
 #26168  by sima
 Wed Jun 24, 2015 3:23 pm
EP_X0FF wrote:https://msdn.microsoft.com/en-us/librar ... s.85).aspx
or CmRegisterCallback and the service configured to auto-restart on any error.
Thanks for your answer. I mean protecting the standard Windows BFE service, not mine. I don't understand what you mean about CmRegisterCallback and how I can configure the service with this function or a registered callback.
 #26169  by t4L
 Wed Jun 24, 2015 5:26 pm
He means you would have to protect the BFE service's registry values so that others cannot tamper with them in order to stop the service. Services' information is stored in the registry; CmRegisterCallback registers customized registry callbacks, so you will get a notification whenever someone tries to open/close/read/write/etc. on the registry, hence you might prevent those modifications.
 #26170  by EP_X0FF
 Wed Jun 24, 2015 5:41 pm
Yes, I mean this. I missed the initial point about protecting BFE, not your own service. Also take a hint that the BFE service process can simply be terminated. That's why I mentioned service configuration for auto-restart on any error.
 #26174  by sima
 Wed Jun 24, 2015 7:13 pm
t4L wrote:He means you would have to protect the BFE service's registry values so that others cannot tamper with them in order to stop the service. Services' information is stored in the registry; CmRegisterCallback registers customized registry callbacks, so you will get a notification whenever someone tries to open/close/read/write/etc. on the registry, hence you might prevent those modifications.
I checked with procmon: when my simple test program does OpenService->ControlService(..., SERVICE_CONTROL_STOP, ...) I get only a registry read event from its host process svchost.exe. I can't block this type of action. But I agree that I should use CmRegisterCallback to protect the registry key from modification of its values.
 #26175  by sima
 Wed Jun 24, 2015 7:17 pm
EP_X0FF wrote:Yes, I mean this. I missed the initial point about protecting BFE, not your own service. Also take a hint that the BFE service process can simply be terminated. That's why I mentioned service configuration for auto-restart on any error.
I see. I'm going to use PsSetCreateProcessNotifyRoutineEx for this purpose. Thanks.
 #26178  by cziter15
 Thu Jun 25, 2015 6:50 am
Use ObRegisterCallbacks and revoke PROCESS_TERMINATE rights in your callback.
Of course you should also block other accesses, like VM_WRITE and VM_OPERATION, to prevent termination using "tricks" like zeroing pages.

Each user-mode service has a control pipe. It is used to send / receive service commands like STOP, START etc.
You should take a look at this and maybe play with mini-filter driver API.
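As an added illustration (not code from the thread or from any of the posters), this is the decision logic cziter15's suggestion implies, pulled out of the kernel callback into portable C so it can be unit-tested: the ObRegisterCallbacks registration, the real OB_PRE_OPERATION_INFORMATION structure and the PsGetProcessId lookup are assumed and not shown, and PROCESS_SUSPEND_RESUME is added to the denied set beyond the rights the post names.

```c
/* Access-mask filtering an ObRegisterCallbacks pre-operation callback
 * would apply to handle opens/duplicates targeting a protected process.
 * Assumptions: the caller wires this into ObRegisterCallbacks and fills
 * struct handle_request from OB_PRE_OPERATION_INFORMATION. */
#include <stdint.h>
#include <stdbool.h>

typedef uint32_t ACCESS_MASK;

/* Process access rights, values as defined in the Windows SDK. */
#define PROCESS_TERMINATE        0x0001
#define PROCESS_VM_OPERATION     0x0008
#define PROCESS_VM_WRITE         0x0020
#define PROCESS_SUSPEND_RESUME   0x0800

/* Rights that let a caller kill, suspend or corrupt the service process. */
#define PROTECTED_DENY_MASK (PROCESS_TERMINATE | PROCESS_VM_OPERATION | \
                             PROCESS_VM_WRITE | PROCESS_SUSPEND_RESUME)

/* What the callback would extract from the pre-operation information. */
struct handle_request {
    ACCESS_MASK desired_access;  /* DesiredAccess of the create/duplicate */
    bool        kernel_handle;   /* KernelHandle flag: kernel-mode caller */
    uint32_t    target_pid;      /* PID of the process object being opened */
    uint32_t    requester_pid;   /* PID of the process making the request */
    uint32_t    protected_pid;   /* the BFE svchost.exe instance we guard */
};

/* Returns the mask the callback should write back into DesiredAccess.
 * Opens of other processes, kernel-mode opens and the protected process
 * opening itself are passed through untouched. */
ACCESS_MASK filter_process_access(const struct handle_request *req)
{
    if (req->target_pid != req->protected_pid)
        return req->desired_access;     /* not the process we protect */
    if (req->kernel_handle)
        return req->desired_access;     /* never interfere with the kernel */
    if (req->requester_pid == req->protected_pid)
        return req->desired_access;     /* process acting on itself */
    return req->desired_access & ~PROTECTED_DENY_MASK;
}

/* True when rights were stripped; worth logging, since repeated attempts
 * to get PROCESS_TERMINATE on BFE are a tamper signal. */
bool access_was_stripped(const struct handle_request *req)
{
    return filter_process_access(req) != req->desired_access;
}
```

Note this only affects new process-handle opens and duplicates; as sima observes in the thread, a ControlService STOP goes through the SCM's control pipe and never opens the process, so it is not caught here.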
 #26179  by sima
 Thu Jun 25, 2015 7:02 am
cziter15 wrote:Use ObRegisterCallbacks and revoke PROCESS_TERMINATE rights in your callback.
Of course you should also block other accesses, like VM_WRITE and VM_OPERATION, to prevent termination using "tricks" like zeroing pages.

Each user-mode service has a control pipe. It is used to send / receive service commands like STOP, START etc.
You should take a look at this and maybe play with mini-filter driver API.
ControlService doesn't terminate BFE's svchost.exe process and it continues its execution.

The point about service pipes is interesting; I didn't know about it and will research it. Thanks for your answer.
 #26205  by cziter15
 Mon Jun 29, 2015 9:12 am
A lot of information can be found in the ReactOS repository. They have reverse engineered the NTOS kernel and then built their own based on that. Google for it :) and then look at the SCM (Service Control Manager) sources.