Notification or enumeration of kernel objects

I want to get notification about named object creation: mutexes, semaphores, mailslots etc., similarly to notification of file and registry operations in the kernel. Is there such a thing? The methods known to me are SSDT hooking and periodic enumeration of objects per process.

There is no such thing. Only for processes and threads (ObRegisterCallbacks).
Gabriel

On Tue, Nov 17, 2015 at 11:24 AM, wrote:

> I want to get notification about named object creation: mutexes,
> semaphores, mailslots etc., similarly to notification of file and registry
> operations in the kernel. Is there such a thing? The methods known to me are SSDT hooking
> and periodic enumeration of objects per process.
>
>
> —
> NTDEV is sponsored by OSR
>
> Visit the list at: http://www.osronline.com/showlists.cfm?list=ntdev
>
> OSR is HIRING!! See http://www.osr.com/careers
>
> For our schedule of WDF, WDM, debugging and other seminars visit:
> http://www.osr.com/seminars
>
> To unsubscribe, visit the List Server section of OSR Online at
> http://www.osronline.com/page.cfm?name=ListServer
>


Bercea. G.

Impossible. And not needed at all - no need to monitor named event creation; they belong to other software and you have no business with them.

SSDT hooks will not work on Windows x64.


Maxim S. Shatskih
Microsoft MVP on File System And Storage
xxxxx@storagecraft.com
http://www.storagecraft.com

wrote in message news:xxxxx@ntdev…
> I want to get notification about named object creation: mutexes, semaphores, mailslots etc., similarly to notification of file and registry operations in the kernel. Is there such a thing? The methods known to me are SSDT hooking and periodic enumeration of objects per process.
>
>

Not needed at all, except, for, you know, the fact that they make up invaluable indicators for intelligence/security software. Large classes of malware use highly attributable names for mutexes and events, which I’m sure is what the OP is looking for (Cyvera is a security company). Not everyone here is a hardware device driver developer :wink:

Taras: As of Windows 8, you can use ETW tracing in user-mode to obtain such data. You may want to measure & handle perf issues. SSDT hooking is inherently dangerous and will result in crashes on x64/ARM/ARM64 systems, and instability and security vulnerabilities on x86.


Best regards,
Alex Ionescu

Thanks, then handle enumeration is the best method.
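The approach Taras settles on here, periodic handle enumeration from user mode, paired with Alex's point that malware mutex and event names are attributable indicators, is shown below as an added example; it is not code from this thread or from any poster. It snapshots the system handle table with NtQuerySystemInformation(SystemExtendedHandleInformation), duplicates each handle of a watched type (Mutant, Semaphore, Event) into the scanner's process, resolves its name with NtQueryObject, and matches the names against a watch list. The struct layouts are the community-documented ones for these undocumented information classes, not an official API; WATCH_PATTERNS and the sample names are constructed placeholders; and the table parser and matcher are separated from the Windows calls so they can be exercised offline.

```python
"""Periodic user-mode enumeration of the named kernel objects (mutexes, semaphores,
events) every process holds, used as a detection feed: snapshot the system handle
table, resolve the type and name of each handle of a watched type, and match the
names against a watch list. The Windows calls are isolated in live_snapshot();
parse_handle_table() and match_named_objects() run anywhere for offline testing."""
import ctypes
import re
import sys

SYSTEM_EXTENDED_HANDLE_INFORMATION = 64   # SYSTEM_INFORMATION_CLASS value
OBJECT_NAME_INFORMATION = 1               # OBJECT_INFORMATION_CLASS values
OBJECT_TYPE_INFORMATION = 2
STATUS_INFO_LENGTH_MISMATCH = 0xC0000004
PROCESS_DUP_HANDLE = 0x0040
DUPLICATE_SAME_ACCESS = 0x0002
ULONG_PTR = ctypes.c_size_t               # pointer-sized, like the native ULONG_PTR
WATCHED_TYPES = {"Mutant", "Semaphore", "Event"}
# Constructed placeholder name patterns; a real deployment loads these from intel.
WATCH_PATTERNS = [re.compile(p, re.IGNORECASE) for p in (
    r"(^|\\)ExampleFamily_[0-9a-f]{8}$",
    r"(^|\\)PLACEHOLDER_BOT_MUTEX$",
)]


class SYSTEM_HANDLE_TABLE_ENTRY_INFO_EX(ctypes.Structure):
    # Community-documented layout (undocumented by Microsoft); assumed here.
    _fields_ = [("Object", ctypes.c_void_p), ("UniqueProcessId", ULONG_PTR),
                ("HandleValue", ULONG_PTR), ("GrantedAccess", ctypes.c_ulong),
                ("CreatorBackTraceIndex", ctypes.c_ushort), ("ObjectTypeIndex", ctypes.c_ushort),
                ("HandleAttributes", ctypes.c_ulong), ("Reserved", ctypes.c_ulong)]


class SYSTEM_HANDLE_INFORMATION_EX_HEADER(ctypes.Structure):
    # The variable-length entry array follows these two fields.
    _fields_ = [("NumberOfHandles", ULONG_PTR), ("Reserved", ULONG_PTR)]


def parse_handle_table(buf):
    """Decode a SystemExtendedHandleInformation buffer into (pid, handle, type_index)."""
    hdr = SYSTEM_HANDLE_INFORMATION_EX_HEADER.from_buffer_copy(buf)
    base, size = ctypes.sizeof(hdr), ctypes.sizeof(SYSTEM_HANDLE_TABLE_ENTRY_INFO_EX)
    out = []
    for i in range(hdr.NumberOfHandles):
        e = SYSTEM_HANDLE_TABLE_ENTRY_INFO_EX.from_buffer_copy(buf, base + i * size)
        out.append((e.UniqueProcessId, e.HandleValue, e.ObjectTypeIndex))
    return out


def build_sample_table(entries):
    """Constructed test input: pack (pid, handle, type_index) tuples in the kernel's layout."""
    blob = bytes(SYSTEM_HANDLE_INFORMATION_EX_HEADER(len(entries), 0))
    for pid, handle, type_index in entries:
        blob += bytes(SYSTEM_HANDLE_TABLE_ENTRY_INFO_EX(None, pid, handle, 0x1F0001, 0, type_index, 0, 0))
    return blob


def match_named_objects(named, patterns=WATCH_PATTERNS):
    """named: iterable of (pid, type_name, object_name). Return the watch-list hits."""
    return [(pid, tname, name) for pid, tname, name in named
            if tname in WATCHED_TYPES and any(p.search(name) for p in patterns)]


def _nt_query_object_string(ntdll, handle, info_class):
    """Read the UNICODE_STRING that both ObjectName- and ObjectTypeInformation start with."""
    buf, ret = ctypes.create_string_buffer(0x1000), ctypes.c_ulong(0)
    if ntdll.NtQueryObject(handle, info_class, buf, len(buf), ctypes.byref(ret)) != 0:
        return None
    length = ctypes.c_ushort.from_buffer_copy(buf, 0).value                          # Length, in bytes
    ptr = ctypes.c_void_p.from_buffer_copy(buf, ctypes.sizeof(ctypes.c_void_p)).value  # Buffer
    return ctypes.wstring_at(ptr, length // 2) if ptr and length else None


def live_snapshot():
    """Windows only: one pass over every process's handles, returning (pid, type, name)."""
    ntdll, k32 = ctypes.WinDLL("ntdll"), ctypes.WinDLL("kernel32", use_last_error=True)
    P, U, B = ctypes.c_void_p, ctypes.c_ulong, ctypes.c_int
    ntdll.NtQuerySystemInformation.argtypes, ntdll.NtQuerySystemInformation.restype = [U, P, U, ctypes.POINTER(U)], U
    ntdll.NtQueryObject.argtypes, ntdll.NtQueryObject.restype = [P, U, P, U, ctypes.POINTER(U)], U
    k32.OpenProcess.argtypes, k32.OpenProcess.restype = [U, B, U], P
    k32.DuplicateHandle.argtypes = [P, P, P, ctypes.POINTER(P), U, B, U]
    k32.CloseHandle.argtypes, k32.GetCurrentProcess.restype = [P], P
    size = 0x10000
    while True:                                   # the table can grow between calls, so retry larger
        buf, ret = ctypes.create_string_buffer(size), ctypes.c_ulong(0)
        status = ntdll.NtQuerySystemInformation(SYSTEM_EXTENDED_HANDLE_INFORMATION, buf, size, ctypes.byref(ret))
        if status != STATUS_INFO_LENGTH_MISMATCH:
            break
        size = ret.value + 0x10000
    if status != 0:
        raise OSError("NtQuerySystemInformation failed: 0x%08X" % status)
    me, procs, types, found = k32.GetCurrentProcess(), {}, {}, []
    for pid, hval, tidx in parse_handle_table(buf.raw):
        if pid not in procs:                      # one OpenProcess per pid, not per handle
            procs[pid] = k32.OpenProcess(PROCESS_DUP_HANDLE, 0, pid)
        if not procs[pid]:
            continue                              # protected/system process: no access, skip it
        dup = ctypes.c_void_p()
        if not k32.DuplicateHandle(procs[pid], hval, me, ctypes.byref(dup), 0, 0, DUPLICATE_SAME_ACCESS):
            continue
        if tidx not in types:                     # type index -> type name, resolved once per type
            types[tidx] = _nt_query_object_string(ntdll, dup, OBJECT_TYPE_INFORMATION)
        if types[tidx] in WATCHED_TYPES:          # name queries on some file/pipe handles block; query only watched types
            name = _nt_query_object_string(ntdll, dup, OBJECT_NAME_INFORMATION)
            if name:
                found.append((pid, types[tidx], name))
        k32.CloseHandle(dup)
    for h in procs.values():
        if h:
            k32.CloseHandle(h)
    return found


if __name__ == "__main__" and sys.platform == "win32":
    for hit in match_named_objects(live_snapshot()):
        print("pid %d holds %s %s" % hit)
```

Two caveats a practitioner should keep in mind: this is a polling snapshot, so an object created and closed between two passes is never seen (the gap the OP wanted a notification to close), and each pass costs one handle duplication per watched object across the whole system, which is the perf issue Alex mentions and the reason the type name is resolved once per type index and name queries are skipped for every other type.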

> As of Windows 8, you can use ETW tracing in user-mode to obtain such data
Which ETW provider is this? (Yes, necropost, now I need this).

> (Yes, necropost, now I need this).

No, not necropost. The rules apply to you, like everyone else: Have a question? Start a new thread.

Thread locked.

Peter