Hi,
I am using CmCallbacks to filter and modify registry operations. I am trying
to understand how Microsoft intended us to use the CmCallbacks so that we will
not break the security of the system:
Assuming I am filtering any PreRegCreateKey operations that come from
user mode (NtRegCreateKey), now I would like to modify the CreateKey and add
the string "_Modified".
Currently I am doing:
- Verify PreviousMode = UserMode.
- Indicate to CmCallbacks: STATUS_CALLBACK_BYPASS. By that I am getting the
notification to myself and it will not be completed by CmCallbacks.
- Calling ZwCreateKey with the _Modified extension.
My issue here is that ZwCreateKey changes PreviousMode to kernel and causes
any access checks to be disabled. So I have added OBJ_FORCE_ACCESS_CHECK to
all modified CreateKey calls, but it seems to be over-checking now and fails
operations which were OK before that.
Anyway, if that is the way Microsoft intends us to work with CmCallbacks, it
is open to many errors and many new security issues.
Thanks,
Jim
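The decision the post describes (user-mode caller, bypass the original create, re-issue it with "_Modified" appended and OBJ_FORCE_ACCESS_CHECK set), as an added example that is not part of Jim's post and not Microsoft's code. It is a user-mode model in plain C so it can be compiled and run anywhere: the WDK types are replaced by locally declared stand-ins with a "MODEL_" prefix, the OBJ_* flag values are the public header values, the 255-character key name limit is the documented registry limit, and the "skip names that already carry the suffix" rule and the "never fail the create over a name we cannot rewrite" policy are this example's own assumptions. The part a real callback would do next (ZwCreateKey with the returned name and attributes) is not modelled.

```c
/* Added example: user-mode model of a RegNtPreCreateKeyEx rewrite decision.
 * Not kernel code; types prefixed MODEL_ are local stand-ins for WDK types. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <uchar.h>

/* Public OBJECT_ATTRIBUTES flag values (same as the SDK/WDK headers). */
#define OBJ_CASE_INSENSITIVE   0x00000040u
#define OBJ_KERNEL_HANDLE      0x00000200u
#define OBJ_FORCE_ACCESS_CHECK 0x00000400u

#define MAX_KEY_NAME_CHARS 255   /* documented limit for a single key name component */

typedef enum { ModelKernelMode = 0, ModelUserMode = 1 } MODEL_MODE;

/* Stand-in for UNICODE_STRING: Length and MaximumLength are BYTE counts in 16 bits. */
typedef struct {
    uint16_t  Length;
    uint16_t  MaximumLength;
    char16_t *Buffer;            /* UTF-16 code units, not NUL-terminated */
} MODEL_UNICODE_STRING;

typedef enum { ModelPassThrough = 0, ModelBypassAndReissue = 1 } MODEL_ACTION;

typedef struct {
    MODEL_ACTION         Action;
    MODEL_UNICODE_STRING NewName;    /* only valid for ModelBypassAndReissue; caller frees Buffer */
    uint32_t             Attributes; /* flags the re-issued create would pass to InitializeObjectAttributes */
} MODEL_PLAN;

static const char16_t kSuffix[] = u"_Modified";      /* assumption: the suffix from the post */
#define SUFFIX_CHARS ((sizeof kSuffix / sizeof kSuffix[0]) - 1)

/* Characters in the final path component (after the last backslash). */
static size_t last_component_chars(const MODEL_UNICODE_STRING *s)
{
    size_t n = s->Length / sizeof(char16_t), i = n;
    while (i > 0 && s->Buffer[i - 1] != u'\\') i--;
    return n - i;
}

/* Assumption: names already carrying the suffix are left alone so a rewrite is never applied twice. */
static int ends_with_suffix(const MODEL_UNICODE_STRING *s)
{
    size_t n = s->Length / sizeof(char16_t);
    if (n < SUFFIX_CHARS) return 0;
    return memcmp(s->Buffer + n - SUFFIX_CHARS, kSuffix, SUFFIX_CHARS * sizeof(char16_t)) == 0;
}

/* Build "<in>_Modified" with byte-length accounting; 0 on success, -1 if it cannot be done safely. */
int model_build_modified_name(const MODEL_UNICODE_STRING *in, MODEL_UNICODE_STRING *out)
{
    memset(out, 0, sizeof *out);
    if (in->Length % sizeof(char16_t) != 0) return -1;          /* malformed: odd byte length */
    size_t total = (size_t)in->Length + SUFFIX_CHARS * sizeof(char16_t);
    if (total > UINT16_MAX) return -1;                           /* would overflow the 16-bit Length */
    if (last_component_chars(in) + SUFFIX_CHARS > MAX_KEY_NAME_CHARS) return -1; /* component too long */
    out->Buffer = malloc(total);
    if (out->Buffer == NULL) return -1;
    memcpy(out->Buffer, in->Buffer, in->Length);
    memcpy((char *)out->Buffer + in->Length, kSuffix, SUFFIX_CHARS * sizeof(char16_t));
    out->Length = out->MaximumLength = (uint16_t)total;
    return 0;
}

/* The post's decision: only user-mode creates are bypassed and re-issued. The PreviousMode test
 * also keeps the filter from re-entering on its own kernel-mode ZwCreateKey. */
MODEL_ACTION model_plan_precreate(MODEL_MODE previous_mode,
                                  const MODEL_UNICODE_STRING *complete_name,
                                  MODEL_PLAN *plan)
{
    memset(plan, 0, sizeof *plan);
    plan->Action = ModelPassThrough;
    if (previous_mode != ModelUserMode) return plan->Action;
    if (ends_with_suffix(complete_name)) return plan->Action;
    if (model_build_modified_name(complete_name, &plan->NewName) != 0)
        return plan->Action;                                     /* policy: let the original create proceed */
    plan->Attributes = OBJ_KERNEL_HANDLE | OBJ_CASE_INSENSITIVE | OBJ_FORCE_ACCESS_CHECK;
    plan->Action = ModelBypassAndReissue;
    return plan->Action;
}

/* Wrap a UTF-16 literal as a MODEL_UNICODE_STRING (constructed sample input). */
static MODEL_UNICODE_STRING make_name(const char16_t *lit)
{
    MODEL_UNICODE_STRING s;
    size_t n = 0;
    while (lit[n]) n++;
    s.Length = s.MaximumLength = (uint16_t)(n * sizeof(char16_t));
    s.Buffer = (char16_t *)lit;
    return s;
}

int main(void)
{
    MODEL_UNICODE_STRING name = make_name(u"\\Registry\\Machine\\Software\\Acme"); /* constructed */
    MODEL_PLAN plan;
    MODEL_ACTION a = model_plan_precreate(ModelUserMode, &name, &plan);
    printf("user-mode create: action=%d new length=%u bytes attrs=0x%x\n",
           (int)a, plan.NewName.Length, plan.Attributes);
    free(plan.NewName.Buffer);
    a = model_plan_precreate(ModelKernelMode, &name, &plan);
    printf("kernel-mode create: action=%d\n", (int)a);
    return 0;
}
```

OBJ_FORCE_ACCESS_CHECK is what makes the re-issued kernel-mode call check the calling thread's token as a user-mode call would have; OBJ_KERNEL_HANDLE keeps the handle out of the user process's handle table, which matters because the callback runs in that process's context.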