About Hook System Service?

hello,
can someone use the hook API or hook the system service to keep a definite
file safe, so that it is not modified, seen, read, or written? What is the
difference between the two technologies?
And I analyzed Regmon and modified the program to protect my registry. When
the item matches my goal, which return value should be returned,
STATUS_ACCESS_DENIED or some other (I do not call the real system service
if it matches)? But there is no success; people can still read and write
the registry. What can I do to prevent reading and writing?
best regards
ding hao


Free download MSN Explorer: http://explorer.msn.com/lccn

Before going any further with any kind of patching in the kernel, read this and decide:
http://www.microsoft.com/whdc/driver/kernel/64bitpatching.mspx

Regards,
Satish K.S

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of shark marian
Sent: Wednesday, December 15, 2004 10:51 AM
To: Windows System Software Devs Interest List
Subject: [ntdev] About Hoook System Service?
Questions? First check the Kernel Driver FAQ at
http://www.osronline.com/article.cfm?id=256

You are currently subscribed to ntdev as: xxxxx@epiance.com To unsubscribe
send a blank email to xxxxx@lists.osr.com
hello,
I just want to disable operations on my critical file or directory, and
protect my file and directory. So in the hooked system service, such as
ZwOpenFile, if the operation is on my file, how do I disable it? Just this.
best regards



Build a file system filter driver, watch the IRP_MJ_CREATE.

Better yet, how about if you just insist on installing your critical file/directory into an NTFS directory and use an ACL to protect it…

Regards,

Tony

Tony Mason
Consulting Partner
OSR Open Systems Resources, Inc.
http://www.osr.com

Looking forward to seeing you at the Next OSR File Systems Class April 4, 2004 in Boston!

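The decision a filter driver makes in its IRP_MJ_CREATE pre-operation callback (the approach Tony recommends above), and equally the decision the original poster's registry hook has to make, comes down to one check: does the normalized target path lie under a protected root? The block below is an added example written for this page, not code from the thread or from OSR; it models that check in plain user-mode C so it compiles and runs anywhere, and the protected roots and sample requests in it are hypothetical. In a real minifilter the path would come from FltGetFileNameInformation with FLT_FILE_NAME_NORMALIZED and the verdict would go into Data->IoStatus.Status together with FLT_PREOP_COMPLETE; the status codes are the standard NTSTATUS values.

```c
/* Added example, not from the thread: the allow/deny decision a
 * pre-create (or registry pre-op) callback makes, modelled in user-mode C.
 * Protected roots and sample requests are hypothetical. */
#include <stddef.h>
#include <stdio.h>
#include <wchar.h>
#include <wctype.h>

typedef long NTSTATUS;
#define STATUS_SUCCESS        ((NTSTATUS)0x00000000L)
#define STATUS_ACCESS_DENIED  ((NTSTATUS)0xC0000022L)

/* Protected roots in NT object-manager form: one file-system directory and
 * one registry key (hypothetical paths). A filter sees this form, not the
 * Win32 "C:\..." or "HKLM\..." spelling. */
static const wchar_t *protected_roots[] = {
    L"\\Device\\HarddiskVolume1\\Secret",
    L"\\REGISTRY\\MACHINE\\SOFTWARE\\MyApp",
};
#define PROTECTED_ROOT_COUNT (sizeof protected_roots / sizeof protected_roots[0])

/* Case-insensitive prefix match that only matches on a path-component
 * boundary: "\Secret" covers "\Secret" and "\Secret\x" but not
 * "\SecretFoo". A naive wcsncmp prefix test would deny the wrong paths. */
static int path_has_root(const wchar_t *path, const wchar_t *root)
{
    size_t n = wcslen(root);
    for (size_t i = 0; i < n; i++) {
        if (path[i] == L'\0' || towlower(path[i]) != towlower(root[i]))
            return 0;
    }
    return path[n] == L'\0' || path[n] == L'\\';
}

/* Verdict for one create/open request. In a minifilter this value would be
 * stored in Data->IoStatus.Status and the callback would return
 * FLT_PREOP_COMPLETE so the open never reaches the file system. */
NTSTATUS pre_create_decide(const wchar_t *normalized_path)
{
    for (size_t i = 0; i < PROTECTED_ROOT_COUNT; i++) {
        if (path_has_root(normalized_path, protected_roots[i]))
            return STATUS_ACCESS_DENIED;
    }
    return STATUS_SUCCESS;
}

int main(void)
{
    /* Constructed sample requests; not captured from a real system. */
    const wchar_t *requests[] = {
        L"\\Device\\HarddiskVolume1\\Secret\\keys.db",
        L"\\device\\harddiskvolume1\\SECRET",
        L"\\Device\\HarddiskVolume1\\SecretFoo\\readme.txt",
        L"\\REGISTRY\\MACHINE\\SOFTWARE\\MyApp\\Settings",
        L"\\REGISTRY\\MACHINE\\SOFTWARE\\MyApplication",
    };
    for (size_t i = 0; i < sizeof requests / sizeof requests[0]; i++) {
        NTSTATUS st = pre_create_decide(requests[i]);
        printf("%ls -> %s\n", requests[i],
               st == STATUS_ACCESS_DENIED ? "STATUS_ACCESS_DENIED"
                                          : "STATUS_SUCCESS");
    }
    return 0;
}
```

The boundary check is the part worth getting right: a plain prefix comparison would also deny a sibling such as \Secret2, and in the other direction a check run against an unnormalized name can be walked past with an 8.3 short name or another spelling of the same device path, which is why the normalized name is the one to compare. Note also what no path-based check covers: a hard link is a second path to the same file, and a raw open of the volume device reads the file's sectors without ever presenting its path.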

Any reason you can't do this with a file-system filter driver? It sounds
like the right place to protect files and directories...

--
Mats

Create a file system filter instead.

Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
xxxxx@storagecraft.com
http://www.storagecraft.com


I think Mr. "shark marian" aka ding hao ought to take this discussion over
to the ntfsd list :)

Tony’s suggestion appeared to require the least effort, and was most likely
to fit within the OP’s skill set.

=====================
Mark Roddy

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Mats PETERSSON
Sent: Wednesday, December 15, 2004 10:53 AM
To: Windows System Software Devs Interest List
Subject: Re: [ntdev] About Hoook System Service?

Any reason you can’t do this with a file-system filter driver? It sounds
like the right place to protect files and directories…


Mats


From: xxxxx@lists.osr.com[SMTP:xxxxx@lists.osr.com] on behalf of Roddy, Mark[SMTP:xxxxx@stratus.com]
Reply To: Windows System Software Devs Interest List
Sent: Wednesday, December 15, 2004 5:06 PM
To: Windows System Software Devs Interest List
Subject: RE: [ntdev] About Hoook System Service?

Tony’s suggestion appeared to require the least effort, and was most likely
to fit within the OP’s skill set.

Optimist :)

Best regards,

Michal Vodicka
UPEK, Inc.
[xxxxx@upek.com, http://www.upek.com]

Why not just open those files for exclusive access, e.g. in a regular
(user-mode) service? The handles can be duplicated and communicated to
"permitted applications" via any IPC communication scheme (RPC, sockets,
...) so that only your applications have access.
Don't see a problem there... *wonder*

Paul

"Maxim S. Shatskih"
Sent by: xxxxx@lists.osr.com
15.12.2004 17:06
Please reply to "Windows System Software Devs Interest List"

To: "Windows System Software Devs Interest List"

Cc:
Subject: Re: [ntdev] About Hoook System Service?

Create a file system filter instead.
