
FileSystem Minifilter Windows - Strategy to store data before services are running

dlionis Member Posts: 5

I am creating a FS minifilter driver that aims to list DLL files loaded by all services. So far it works: in the INF file, I set the startup type of the filter to 0x00000001 SERVICE_SYSTEM_START, meaning that the filter is run before all services are.

As I need to retrieve all loaded DLLs by all services from the first time they are run, I had to make this driver loaded at SYSTEM_START. I would then create a port with my minifilter to communicate and send data to my software (a service).

This is the issue: how can I send data from a minifilter that starts before services are running (my service won't be running yet when my minifilter will be)?

Thank you.

Comments

  • Scott_Noone_(OSR) Administrator Posts: 3,514

    Buffer the info until your service starts?

    -scott
    OSR

  • dlionis Member Posts: 5

    Thank you Scott. That is the only idea I have in mind:
    When the driver is loaded: store data into a buffer (with a fixed size, not sure what size it could reach if my service is never loaded on Windows for some reason!), have a loop that checks if my service is running, send the content of the buffer to my service and then stop storing in the buffer.

  • dlionis Member Posts: 5

    Hi @Scott_Noone_(OSR) , I have to come back here as, after hours and hours of research, I am still not able to find a suitable answer.

    To be more precise on what I am trying to achieve:

    I have a minifilter kernel driver that needs to retrieve all '.exe' files being loaded by the OS. I can do that so far, however, I can only intercept the names when my userland service is running and connected to the driver.

    This means: I am missing all executable names that were launched from boot time until before my own service is run, and these are the ones I would like to intercept as well.

    As mentioned in my previous post, my idea is to:

    • Put all services names (services launched before mine) in a buffer at a kernel level
    • When my service connects to my driver (Communication Port), then I can stop adding to the buffer and send all the data to my service for processing.

    After further research, I read about several things: ExAllocatePoolMemory, lookaside lists, not possible to use STL's vectors, not possible to use 'new'...

    I would greatly appreciate some help on that! Thank you.

  • Scott_Noone_(OSR) Administrator Posts: 3,514

    Sorry, I don't understand. How is it that you "can only intercept the names when my userland service is running and connected to the driver"?

    Also, you are correct that there is no STL.

    -scott
    OSR

  • dlionis Member Posts: 5

    So basically, I am setting my minifilter driver to run as early as possible in the whole Windows boot process. I guess startup services start running after the minifilter driver has been loaded by the kernel (maybe I am wrong on this?). So my driver will start doing what it has to do; however, it won't be able to send data about services that were loaded before my own service in this whole boot process. Many services will start running before my own service (if I remember, services in Windows are loaded in alphabetical order from the registry). So then you advised me to buffer the information until my service is actually running and communicating through a communication port with my driver.

    I hope it makes more sense?

    Thank you.

  • Scott_Noone_(OSR) Administrator Posts: 3,514

    OK, yes, that's correct.

    Is there a remaining question or "all good"?

    -scott
    OSR

  • dlionis Member Posts: 5

    Hi Scott, what would be the best way to create such a buffer? I would retrieve an unknown amount of items, so it should most probably be allocated on the heap rather than the stack. Not sure of the limitations of this while being in kernel land. Thank you.

  • Peter_Viscarola_(OSR) Administrator Posts: 9,025

    "what would be the best way to create such a buffer?"

    THAT depends on you. I guess you could, you know, allocate a new linked-list entry each time you get something you need to buffer? Link 'em all together, use InsertTailList or whatever? I'm not saying that's brilliant, but...

    Peter Viscarola
    OSR
    @OSRDrivers
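A sketch of the buffering Scott and Peter describe, added here as an example and not code from the thread or from OSR: a LIST_ENTRY-style FIFO of image paths that the driver fills until the service connects over the communication port, bounded so memory stays capped if the service never starts, then drained into the service's reply buffer in chunks. The LIST_ENTRY helpers are user-mode stand-ins for the WDK macros so the file compiles outside a driver; IMAGE_RECORD, IMAGE_QUEUE, QueueRecord and QueueDrain are names I chose, and the pool-tag, spin-lock and FilterSendMessage remarks in the comments describe what the real driver would do in their place.

```c
#include <stdlib.h>
#include <string.h>
/* User-mode stand-ins for the WDK LIST_ENTRY / InsertTailList / RemoveHeadList
 * pattern so this compiles here (hypothetical; a real driver uses the WDK macros). */
typedef struct _LIST_ENTRY { struct _LIST_ENTRY *Flink, *Blink; } LIST_ENTRY;
static void InitializeListHead(LIST_ENTRY *h) { h->Flink = h->Blink = h; }
static int IsListEmpty(const LIST_ENTRY *h) { return h->Flink == h; }
static void InsertTailList(LIST_ENTRY *h, LIST_ENTRY *e) {
    e->Flink = h; e->Blink = h->Blink; h->Blink->Flink = e; h->Blink = e;
}
static LIST_ENTRY *RemoveHeadList(LIST_ENTRY *h) {
    LIST_ENTRY *e = h->Flink; e->Blink->Flink = e->Flink; e->Flink->Blink = e->Blink; return e;
}
/* One buffered record; Link is first so a LIST_ENTRY* casts straight back to it. */
typedef struct { LIST_ENTRY Link; char Path[260]; } IMAGE_RECORD;
/* Bounded FIFO: Capacity caps memory in case the user-mode service never starts;
 * Dropped counts discarded records so the service can report the gap. */
typedef struct { LIST_ENTRY Head; size_t Count, Capacity, Dropped; int ServiceConnected; } IMAGE_QUEUE;

void QueueInit(IMAGE_QUEUE *q, size_t capacity) {
    InitializeListHead(&q->Head);
    q->Count = q->Dropped = 0; q->Capacity = capacity; q->ServiceConnected = 0;
}
/* Per image load: before the service connects the path is buffered (oldest evicted
 * when full); afterwards the caller sends directly. Returns 1 if buffered. A driver
 * takes a spin lock here and in QueueDrain: image-load callbacks run concurrently. */
int QueueRecord(IMAGE_QUEUE *q, const char *path) {
    if (q->ServiceConnected) return 0;
    if (q->Count == q->Capacity) {          /* evict oldest, remember the loss */
        free(RemoveHeadList(&q->Head)); q->Count--; q->Dropped++;
    }
    IMAGE_RECORD *r = calloc(1, sizeof *r); /* driver: ExAllocatePool2 with a pool tag */
    if (!r) { q->Dropped++; return 0; }
    strncpy(r->Path, path, sizeof r->Path - 1);
    InsertTailList(&q->Head, &r->Link); q->Count++;
    return 1;
}
/* On service connect: flip the flag first so new loads bypass the queue, then copy
 * up to max records into the reply buffer in FIFO order (driver: the reply buffer of
 * the service's FilterSendMessage). Records beyond max stay queued for the next call. */
size_t QueueDrain(IMAGE_QUEUE *q, char (*out)[260], size_t max) {
    size_t n = 0;
    q->ServiceConnected = 1;
    while (n < max && !IsListEmpty(&q->Head)) {
        IMAGE_RECORD *r = (IMAGE_RECORD *)RemoveHeadList(&q->Head);
        memcpy(out[n++], r->Path, sizeof r->Path); free(r); q->Count--;
    }
    return n;
}
```

The capacity is deliberately small so eviction is visible; a real filter would size it from the expected boot-time image count and surface Dropped to the service rather than fail silently.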
