I am creating a FS minifilter driver that aims to list DLL files loaded by all services. So far it works: in the INF file, I set the startup type of the filter to
0x00000001 SERVICE_SYSTEM_START
, meaning that the filter is run before all services are.
As I need to retrieve all loaded DLLs by all services from the first time they are run, I had to make this driver loaded at SYSTEM_START. I would then create a port with my minifilter to communicate and send data to my software (a service).
This is the issue: how can I send data from a minifilter that starts before services are running (my service won’t be running yet when my minifilter will be)?
Thank you Scott. That is the only idea I have in mind:
When the driver is loaded: store data into a buffer (with a fixed size, not sure what size it could reach if my service is never loaded on Windows for some reason!), have a loop that checks if my service is running, send the content of the buffer to my service and then stop storing in the buffer.
Hi @“Scott_Noone_(OSR)” , I have to come back here as, after hours and hours of research, I am still not able to find a suitable answer.
To be more precise on what I am trying to achieve:
I have a minifilter kernel driver that needs to retrieve all ‘.exe’ files being loaded by the OS. I can do that so far, however, I can only intercept the names when my userland service is running and connected to the driver.
This means: I am missing all executable names that were launched from boot time until before my own service is run, and these are the ones I would like to intercept as well.
As mentioned in my previous post, my idea is to:
Put all services names (services launched before mine) in a buffer at a kernel level
When my service connects to my driver (Communication Port), then I can stop adding to the buffer and send all the data to my service for processing.
After further research, I read about several things: ExAllocatePoolMemory, Lookaside lists, not possible to use STL’s vectors, not possible to use ‘new’…
I would greatly appreciate some help on that! Thank you.
Sorry, I don’t understand. How is it that you can only " can only intercept the names when my userland service is running and connected to the driver"?
So basically, I am setting my minifilter driver to run as early as possible in the whole Windows boot process. I guess startup services start running after the minifilter driver has been loaded by the kernel (maybe I am wrong on this?). So my driver will start doing what it has to do, however, it won’t be able to send data about services that were loaded before my own service in this whole boot process. Many services will start running before my own service. (if I remember, services in Windows are loaded by alphabetical order from the registry). So then you advised me to buffer the information until my service is actually running and communicating by a communication port with my driver.
Hi Scott, what would be the best way to create such buffer? I would retrieve an unknown amount of items, so most probably be allocated on the heap rather than the stack. Not sure of the limitations of this while being in the kernel land. Thank you.
THAT depends on you. I guess you could, you know, allocate a new linked-list entry each time you get something you need to buffer? Link 'em all together, use InsertTailList or whatever? I’m not saying that’s brilliant, but…