3 questions!!

Dear all

  1. Does anyone know any sample code or guideline for a driver that can
    control the execution of processes? I do not know what I should call it,
    an emulator or something like a virtual machine. I want the driver to run the
    process, log and report the changes in the system (for example modifications
    to registry keys), but these changes do not affect the real system.

  2. If the system is affected by a malicious and hidden filter driver, is there
    a mechanism to send the IRP messages directly to the last layer and be sure
    that the messages have not been affected by the malicious driver?

  3. Is there any good and comprehensive guideline for making IRP messages
    and using them instead of Zw functions?

Best,
Shabnam

shabnam3x wrote:

Dear all

  1. Does anyone know any sample code or guideline for a driver that can
    control the execution of processes? I do not know what I should call
    it, an emulator or something like a virtual machine. I want the driver to
    run the process, log and report the changes in the system (for example
    modifications to registry keys), but these changes do not affect the real
    system.

Call it “Thinapp”… However, it isn’t quite a driver :)
http://www.vmware.com/products/thinapp/

  2. If the system is affected by a malicious and hidden filter driver, is
    there a mechanism to send the IRP messages directly to the last layer and
    be sure that the messages have not been affected by the malicious driver?

If a malicious driver got to your system, it (the system) is lost.

  3. Is there any good and comprehensive guideline for making IRP
    messages and using them instead of Zw functions?

Yes, there is. The WDK documentation.

Good luck.
–PA

Comments inline:
“shabnam3x” wrote in message news:xxxxx@ntdev…
> Dear all
>
> 1) Does anyone know any sample code or guideline for a driver that can
> control the execution of processes? I do not know what I should call it,
> an emulator or something like a virtual machine. I want the driver to run the
> process, log and report the changes in the system (for example modifications
> to registry keys), but these changes do not affect the real system.

Drivers have little or no control of processes. You do have the Cm calls
for registry tracking, the Ps calls to see what is started and what
it loads, and a file system filter to monitor file ops.

> 2) If the system is affected by a malicious and hidden filter driver, is there
> a mechanism to send the IRP messages directly to the last layer and be sure
> that the messages have not been affected by the malicious driver?

If you skip all the filters, you can become the malicious code yourself,
since some hardware expects filters to work. Sorry, if there is a malicious
driver, your driver is not going to “fix” things.

> 3) Is there any good and comprehensive guideline for making IRP messages
> and using them instead of Zw functions?

None that I know of. For most things this is pretty easy: take a look at
the ZwXxx call, assuming it is I/O related, then find the IRP that matches.
For instance ZwWriteFile becomes IRP_MJ_WRITE, ZwCreateFile/ZwOpenFile
becomes IRP_MJ_CREATE, etc. Note: there are a lot of Zw functions that
have no IRP equivalent.


Don Burn (MVP, Windows DDK)
Windows 2k/XP/2k3 Filesystem and Driver Consulting
Website: http://www.windrvr.com
Blog: http://msmvps.com/blogs/WinDrvr
Remove StopSpam to reply