[Kick10]

Hi eveyone!

I want to learn how to make a program that will monitor some system activities(like registry access or process creation)and ask user weather to permit action or to deny it, just like ativirus proactive defense does. I know how to hook functions with kernel mode driver, but I dont understand how to organize comunication with user-mode application, that will promt user to allow or deny action. Driver needs to suspend the monitored thead until user does a choice, and depending on it pass execution to system or return status_access_denied. Could someone explain a principle how to do this?

[Alex]

To realize a user-driver communication you can use events and shared memory like in this example Hooking the native API and controlling process creation on a system-wide basis. Source code of the "Soviet Protector" isn't well written but it should be enough for a start. If you like to read something more about events, this article can be useful - Sharing Is Caring - Sharing Events Between Kernel-User Mode - but, you have to register to access this and other articles of "The NT Insider".

Alex

[EP_X0FF]

Hello,

well if we are talking about some kind of proactive defense than you should consider few things before start:

1. communication speed
2. control over file system (it is necessary part and with it help you can get rid of some of SSDT hooks)
3. using mostly documented ways (minifilters, registry callbacks, notification routines)

If I would start something like that I definitely would move most of logic and rules into user mode service with thread pool.

Take a look on documentation (and examples) about File System Minifilter Drivers and I/O Completion Ports. I can't remember any ready-to-use solutions.

Regards.

[Kick10]

Thank you for advices and useful links.

If I would start something like that I definitely would move most of logic and rules into user mode service with thread pool.

I also thought like that, but I don't know how technically implement notification of the user mode service, kernel mode event occurs. I read an article from the links above, and there was an example with variable polling in shared memory, I dont know but polling seems to me not the best choice. I wonder if there are any other ways to implement this. Gonna read docs on filesystem minifilters, there seem to be some ordinary way to communicate with usermode.

[__Genius__]

3. using mostly documented ways (minifilters, registry callbacks, notification routines)

That's it, yes , if you would like to create something like proactive defense systems it's better to use notification routines rather than to use some hook and other undocumented ways, well, on my personal ARK project, I have been implemented this routine, but not all things you want ..., it's a good idea to provide Access permission to process creation, unluckily I have no idea about this right now, but for creation or even termination process I recommend standard PsSetCreateProcessNotifyRoutine Function.
also read that MSDN

Code: Select all

http://msdn.microsoft.com/en-us/library/ms802952.aspx

and if you would like further research I recommend you, reading this article,

Code: Select all

http://www.codeguru.com/Cpp/W-P/system/processesmodules/article.php/c5715

for permissions, to allow or deny i think using File System Filter driver could help you but it's just a guess .

[ThatReallyFatDude]

You may want to take a look at LPC. It is widely used within Windows and it works across modes. In fact: The File System Filter Manager uses LPC to implement FltSendMessage (a function file system mini filters can use to communicate with a user mode application). LPC is undocumented though. But you can read up on it here:

http://www.zezula.net/en/prog/lpc.html

Additionally there are inverted calls. It is used by some of the Windows drivers as well. It can be implemented without any undocumented features. A very good description and sample code can be found here:

http://www.osronline.com/article.cfm?id=94