Windows System Software -- Consulting, Training, Development -- Unique Expertise, Guaranteed Results


Notification of kernel objects creation by any process on system

hkborle Member Posts: 1

We have a file system driver. We want to be notified of any "kernel object" created by any process.

Is there any way to receive notification in kernel mode?

Comments

  • Mauro_Leggieri Member Posts: 96

    Mmmm, kernel objects can only be created by the kernel. Do you mean a user-mode handle? If yes, you can only track process and thread handles as far as I know.

  • anton_bassov Member Posts: 5,095

    > kernel objects can only be created by the kernel

    True, but the kernel may (and in most cases does) create these objects (i.e. processes, threads, sync objects, file objects, etc.) in response to requests from userland. I think this is what the OP is asking about.

    > If yes, you can only track process and thread handles as far as I know.

    According to Mr. Tippet, there is a DTrace Windows port that is available on GitHub. I am not 100% sure it is going to be of help, but the OP may want to investigate this direction....

    Anton Bassov
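As an added example (not from any poster in this thread, and not part of the DTrace port itself), this DTrace for Windows script uses the syscall provider to summarize, per process, the NtCreate*/NtOpen* system services through which userland asks the kernel to create or open objects; it assumes the Windows port exposes those services as syscall probe function names, supports the usual wildcard matching, and provides the standard execname/probefunc built-ins.

```d
/*
 * Added example, not from the thread: which processes are asking the
 * kernel to create or open objects, observed from the DTrace for
 * Windows syscall provider rather than from a driver.
 *
 * Assumptions: the syscall provider names probes after the Nt* system
 * services and accepts wildcards; execname and probefunc are available.
 * Run as "dtrace -s objects.d" from an elevated prompt after DTrace has
 * been enabled on the machine; stop with Ctrl-C to print the summary.
 */
#pragma D option quiet

/* Fire on entry to every object-creating or object-opening service. */
syscall::NtCreate*:entry,
syscall::NtOpen*:entry
{
    /* Aggregate by requesting process image name and by service name. */
    @requests[execname, probefunc] = count();
}

/* Final summary when the script is stopped. */
END
{
    printf("%-24s %-28s %s\n", "PROCESS", "SERVICE", "COUNT");
    printa("%-24s %-28s %@d\n", @requests);
}
```

The aggregation only shows that a request was made, not whether the kernel honored it; a failed NtCreateFile is counted the same as a successful one.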

  • Mauro_Leggieri Member Posts: 96
    edited September 2019

    > True, but the kernel may (and in most cases does) create these objects (i.e. processes, threads, sync objects, file objects, etc.) in response to requests from userland. I think this is what the OP is asking about.

    Probably. He would be able to monitor file and registry access too.

    > According to Mr. Tippet, there is a DTrace Windows port that is available on GitHub. I am not 100% sure it is going to be of help, but the OP may want to investigate this direction....

    Saw it, and it seems abandoned and undocumented. I saw some new routines to assist Windows Defender (fair competition :( ) but, unless it is convenient for Microsoft, I doubt they'll put any effort into adding useful features for us.

  • anton_bassov Member Posts: 5,095

    > Saw it, and it seems abandoned and undocumented...

    IIRC, Jeffrey seemed to be of a much higher opinion of it.

    > ... unless it is convenient for Microsoft, I doubt they'll put any effort into adding useful features for us.

    I dunno, but according to Jeffrey, it is going to be included in future Windows releases, and will come as an integrated part of the system.

    In other words, you may be dismissing it too hastily.....

    Anton Bassov

  • Mauro_Leggieri Member Posts: 96

    Well, I'll expect they do, and document access/usage.
