[Student]

hi I completed a few very simple tutorials on driver development and wanted to start playing around with the kernel, i try to write a registry filter driver by using CmRegisterCallback

Code: Select all

#include <ntddk.h>


VOID DriverUnload(IN PDRIVER_OBJECT DriverObject);

EX_CALLBACK_FUNCTION RegistryCallback;


LARGE_INTEGER Cookie;

NTSTATUS DriverEntry(IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING RegistryPath)
{
	
	NTSTATUS status;
	PDEVICE_OBJECT pDeviceObject = NULL;
	UNICODE_STRING DeviceName, DosDeviceName;
	
	RtlInitUnicodeString(&DeviceName, L"\Device\RegistryMonitor");
	RtlInitUnicodeString(&DosDeviceName, L"\DosDevice\RegistryMonitor");

	status = IoCreateDevice(DriverObject, 0, &DeviceName, FILE_DEVICE_UNKNOWN, FILE_DEVICE_SECURE_OPEN, FALSE, &pDeviceObject);
	DriverObject->DriverUnload = DriverUnload;
		
	status = CmRegisterCallback(&RegistryCallback, NULL, &Cookie); 
	if (status != STATUS_SUCCESS)
	{
		DbgPrint("Falhou com erro: ", status);
		return status;
	}
		

	return STATUS_SUCCESS;
}

i get bluescreen in virtual box with this
so i wanted to get someone to tell what i do wrong and thats it, this is probably very stupid problem

[Vrtule]

Hello,

You seem to register a registry callback starting at address of the RegistryCallback variable. You need to register a real function as your registry callback.

Code: Select all

NTSTATUS MyRegistryCallback(
  _In_      PVOID CallbackContext,
  _In_opt_  PVOID Argument1,
  _In_opt_  PVOID Argument2)
{
  ...
}

...

status = CmRegisterCallback(MyRegistryCallback, NULL, &cookie);

...

[Student]

hi thx for the reply but i still get bsod, here is the whole code after edit

Code: Select all

#include <ntddk.h>


VOID DriverUnload(IN PDRIVER_OBJECT DriverObject);

/*Para uso na CmRegisterCallback*/

LARGE_INTEGER Cookie;

PDEVICE_OBJECT pDeviceObject = NULL;
UNICODE_STRING DeviceName, DosDeviceName;
NTSTATUS RegistryCallback(IN PVOID CallbackContext, IN PVOID Argument1, IN PVOID Argument2)
{

	REG_NOTIFY_CLASS *calltype = (REG_NOTIFY_CLASS *)Argument1;
	if (*calltype == RegNtQueryKey)
		DbgPrint("Algo esta a ler o registo");

	return STATUS_SUCCESS;
}


NTSTATUS DriverEntry(IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING RegistryPath)
{
	
	NTSTATUS status;
	
	
	RtlInitUnicodeString(&DeviceName, L"\Device\RegistryMonitor");
	RtlInitUnicodeString(&DosDeviceName, L"\DosDevice\RegistryMonitor");

	status = IoCreateDevice(DriverObject, 0, &DeviceName, FILE_DEVICE_UNKNOWN, FILE_DEVICE_SECURE_OPEN, FALSE, &pDeviceObject);
	DriverObject->DriverUnload = DriverUnload;
		
	status = CmRegisterCallback(RegistryCallback, NULL, &Cookie); 
	if (status != STATUS_SUCCESS)
	{
		DbgPrint("Falhou com erro: ", status);
		return status;
	}
		

	return STATUS_SUCCESS;
}


VOID DriverUnload(IN PDRIVER_OBJECT DriverObject)
{
	NTSTATUS status;
	status = CmUnRegisterCallback(Cookie);

	if (status != STATUS_SUCCESS)
		DbgPrint("Falhou com erro: ", status);
	IoDeleteDevice(&pDeviceObject);
DbgPrint("Driver unloaded.");
	
}

[Vrtule]

Hello,

the Argument1 parameter of a registry callback is, in reality, of REG_NOTIFY_CLASS type which is an enumeration I think. It is not a pointer to anything. The PVOID type in the callback definition is dicated by the EX_CALLBACK_FUNCTION type which is the type for all registry callbacks.

Try to update your registry callback in the following way and you should not get BSODs inside it.

Code: Select all

NTSTATUS RegistryCallback(IN PVOID CallbackContext, IN PVOID Argument1, IN PVOID Argument2)
{

   REG_NOTIFY_CLASS calltype = (REG_NOTIFY_CLASS)Argument1;
   if (calltype == RegNtQueryKey)
      DbgPrint("Algo esta a ler o registo");

   return STATUS_SUCCESS;
}

When looking at your DriverEntry routine, I see that when CmRegisterCallback fails, you just return an error status and do not rollback any operations you made up to this point. You should delete the device you created before the callback registration.

[Student]

Thanks Vrtule, just got it working now. great help