Hook System service ZwSetValueKey( ) with keyboard filter driver

Hi All,

Currently I am working on a keyboard filter driver which is based on the DDK sample. The filter driver is working fine with PS2.

Now I am trying to install this driver as a class filter and make it sit below the kbdclass filter driver by adding the service name of this filter driver before the kbdclass filter in the registry at "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E96B-E325-11CE-BFC1-08002BE10318}\UpperFilters".

The Windows OS cannot load because I have hooked the system service ZwSetValueKey( ) in my filter driver (since I need to update some specific registry entries in real time in my driver).

So my question is: it seems that for a keyboard class filter driver we cannot hook the system service ZwSetValueKey(); what is the internal reason?

Can someone familiar with keyboard filter drivers please help? Thanks in advance!

Best Regards,
Jeff

Hooking is frowned upon. There are ob and reg callbacks that replace hooking. What do you mean by updating in real time? Are you using the registry to pass state/data to the filter because kbdclass blocks you from receiving io?

d

debt from my phone


From: xxxxx@hotmail.com
Sent: 2/6/2012 7:02 PM
To: Windows System Software Devs Interest List
Subject: [ntdev] Hook System service ZwSetValueKey( ) with keyboard filter driver



NTDEV is sponsored by OSR

For our schedule of WDF, WDM, debugging and other seminars visit:
http://www.osr.com/seminars

To unsubscribe, visit the List Server section of OSR Online at http://www.osronline.com/page.cfm?name=ListServer

> So my question is, it seems that for the keyboard class filter driver, we cannot hook the System service ZwSetValueKey(), what is the internal reason?

You cannot hook syscalls anyway. It is technically prohibited on 64bit Windows, and is strongly deprecated even on 32bit Windows. I’m not sure Win8 will allow this on 32bit.

Please design some other solution.


Maxim S. Shatskih
Windows DDK MVP
xxxxx@storagecraft.com
http://www.storagecraft.com

Hi Doron and Maxim,

Thanks for the reply.

Yes, I need the registry to pass virtual key information. I have a user space application which can modify the registry. Once these registry values are modified, my filter driver will detect it and re-load the information from the registry. So my initial idea was to hook the ZwSetValueKey( ) function to achieve this purpose.

Thanks and Regards,
Jeff

Absolutely the wrong way to go. Hooking for the sake of knowing when the write value happens is a huge hammer for a small hole. Either send an io to the filter telling it to read the values or just send the data in the io input buffer

d

debt from my phone


From: xxxxx@hotmail.com
Sent: 2/6/2012 11:54 PM
To: Windows System Software Devs Interest List
Subject: RE:[ntdev] Hook System service ZwSetValueKey( ) with keyboard filter driver


>information from the registry. So my initial idea is to hook the ZwSetValueKey( ) function to achieve

Fantastic!

Please, please create a control device (trivial with KMDF) in your driver and send IOCTLs to it!

Please do not do dirty things for routine tasks which can trivially be solved by standard means.


Maxim S. Shatskih
Windows DDK MVP
xxxxx@storagecraft.com
http://www.storagecraft.com
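The IOCTL route Doron and Maxim recommend, as an added example that is not code from the thread or from the DDK kbfiltr sample: a shared header for a hypothetical IOCTL_KBFILTER_SET_KEYMAP whose input buffer carries the virtual-key table, plus the driver-side validation that EvtIoDeviceControl should run before trusting the user-supplied buffer. The IOCTL name, the KBF_KEYMAP layout and the limits are assumptions; CTL_CODE is repeated inline so the file builds outside the DDK.

```c
/* Added example (not thread or kbfiltr code): the app passes the virtual-key
 * table in an IOCTL input buffer and the driver validates it before use.
 * Every name, layout and limit below is a hypothetical choice. */
#include <stdint.h>
#include <stddef.h>

/* CTL_CODE as the public Windows headers define it, repeated so this file
 * builds outside the DDK. FILE_DEVICE_KEYBOARD = 0x0B, METHOD_BUFFERED = 0,
 * FILE_ANY_ACCESS = 0; vendor-defined function codes start at 0x800. */
#define KBF_CTL_CODE(dev, func, method, access) \
    (((dev) << 16) | ((access) << 14) | ((func) << 2) | (method))
#define IOCTL_KBFILTER_SET_KEYMAP KBF_CTL_CODE(0x0B, 0x800, 0, 0)
#define KBF_MAX_ENTRIES 256u      /* hard cap on entries the driver accepts */

typedef struct _KBF_KEYMAP_ENTRY {
    uint16_t FromVk;              /* virtual key reported by the keyboard */
    uint16_t ToVk;                /* virtual key to substitute, 0 = drop */
} KBF_KEYMAP_ENTRY;

typedef struct _KBF_KEYMAP {
    uint32_t Version;             /* contract version, must be 1 */
    uint32_t Count;               /* number of entries that follow */
    KBF_KEYMAP_ENTRY Entries[];   /* Count entries (WDK style would be [1]) */
} KBF_KEYMAP;

/* Bytes the app must send as InputBufferLength for Count entries. */
size_t KbfKeymapSize(uint32_t count)
{
    return offsetof(KBF_KEYMAP, Entries) + (size_t)count * sizeof(KBF_KEYMAP_ENTRY);
}

/* Driver-side check for EvtIoDeviceControl, run on the buffer and length that
 * WdfRequestRetrieveInputBuffer returns. The buffer comes from an untrusted
 * process, so every field that later drives a read is bounded against the
 * reported length, never against what the buffer says about itself.
 * Returns 0 when the map is usable, otherwise a reason code. */
int KbfValidateKeymap(const void *buffer, size_t length)
{
    const KBF_KEYMAP *map = (const KBF_KEYMAP *)buffer;
    if (buffer == NULL || length < offsetof(KBF_KEYMAP, Entries))
        return 1;                 /* not even the header fits */
    if (map->Version != 1)
        return 2;                 /* unknown contract version */
    if (map->Count > KBF_MAX_ENTRIES)
        return 3;                 /* also caps the size computation below */
    if (length < KbfKeymapSize(map->Count))
        return 4;                 /* Count claims more than was sent */
    for (uint32_t i = 0; i < map->Count; i++) {
        /* virtual-key codes are 1..0xFE; 0 is valid only as a "drop" target */
        if (map->Entries[i].FromVk == 0 || map->Entries[i].FromVk > 0xFE ||
            map->Entries[i].ToVk > 0xFE)
            return 5;
    }
    return 0;
}
```

With this contract the driver never needs to know when the registry changed: the app calls DeviceIoControl with the new table and the driver swaps it in on success.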

Note that there is the documented function ZwNotifyChangeKey (include
ntifs.h) to achieve exactly what you intended by hooking.

On Tue, 07 Feb 2012 08:54:20 +0100, wrote:

Hi All,

Thanks for the reply.

As I am working on the keyboard filter driver, there are already the following IOCTLs

ioQueueConfig.EvtIoInternalDeviceControl = KbFilter_EvtIoInternalDeviceControl;
ioQueueConfig.EvtIoDeviceControl = KbFilter_EvtIoDeviceControlFromRawPdo;

I don’t know if adding additional IO will affect the above functioning.

Actually I tried CmRegisterCallback( ) yesterday. But it seems that RegNtPreSetValueKey can be correctly notified while RegNtPostSetValueKey cannot.

Now I am trying the ZwNotifyChangeKey() solution. But it seems this API has many parameters. I am struggling to make it work.

Thanks and Regards,
Jeff

Hi All,

This continues my last message.

I am trying to dig into the CmRegisterCallback( ) solution. Now I am trying to monitor the RegNtSetValueKey notification. Using the DebugView tool, I found that this RegNtSetValueKey condition is always matching even if I did not change any value, while the RegNtRenameKey condition never comes even if I try to rename a key.

The callback function is basically as follows:

#include <ntddk.h>

NTSTATUS
RegmonHookCallback(
    PVOID Context,
    PVOID RegFunction,   /* REG_NOTIFY_CLASS value, passed as PVOID */
    PVOID Argument)      /* notification-specific structure, e.g. PREG_SET_VALUE_KEY_INFORMATION */
{
    UNREFERENCED_PARAMETER(Argument);
    UNREFERENCED_PARAMETER(Context);

    /* Cast to the enum via ULONG_PTR: a plain ULONG cast truncates on 64-bit builds. */
    switch ((REG_NOTIFY_CLASS)(ULONG_PTR)RegFunction) {

    case RegNtPostSetValueKey:
        DbgPrint("Post Set Value is notified\n");
        break;

    case RegNtSetValueKey:   /* same value as RegNtPreSetValueKey; fires for every value write on the system */
        DbgPrint("Set Value is notified\n");
        break;

    case RegNtRenameKey:
        DbgPrint("Rename key is notified\n");
        break;

    default:
        break;
    }

    return STATUS_SUCCESS;
}

I am building an XP driver.

Please help me find out what goes wrong.

Thanks in advance!

Best Regards,
Jeff

I still think you are going about the notification the wrong way. Using the reg callbacks or a hook to know when a driver specific set of values is written is the wrong way to go. Instead, have the app open the raw pdo and send the data directly to the driver.

d

debt from my phone


From: xxxxx@hotmail.com
Sent: 2/7/2012 8:21 PM
To: Windows System Software Devs Interest List
Subject: RE:[ntdev] Hook System service ZwSetValueKey( ) with keyboard filter driver


Hi Doron,

Maybe I did not make it clear. Sorry for that. Actually my filter driver doesn't modify the registry. Instead, my driver needs to read information from the registry. What I have done is make sure that a registry change made by other drivers/apps/etc. will inform my driver to update, that is, to re-read from some specific registry entries.

My original solution was to hook ZwSetValueKey( ); this way any modification of the registry values will be known and I will update the information if my target registry entries are modified. This solution works fine with the PS2 filter driver but not the kbdclass filter. So I want some other way to inform my driver that some specific registry entry was modified.

Currently, for the CmRegisterCallback( ) solution, there are 2 problems: 1 is the case condition I posted above, 2 is how to correspond to some specific registry key.

For the ZwRegNotifyChange( ) solution, I need to figure out the parameters and I probably need to start a thread with a loop to monitor the registry change.

Hope this time I make the problem clear.

Thanks and Regards,
Jeff

> For the ZwRegNotifyChange( ) solution, I need to figure out the parameters

Surely figuring out the parameters of the documented ZwNotifyChangeKey call is better than hooking.


Maxim S. Shatskih
Windows DDK MVP
xxxxx@storagecraft.com
http://www.storagecraft.com

You do realize that using code from Regmon sources requires a license.
Since this is now owned by Microsoft I have serious doubts you would get
such a license.

Don Burn
Windows Filesystem and Driver Consulting
Website: http://www.windrvr.com
Blog: http://msmvps.com/blogs/WinDrvr

"xxxxx@hotmail.com" wrote in message
news:xxxxx@ntdev:


As far as rename key. What utility are you using for the rename test? XP
regedit does not use NtRenameKey. Vista does.

Bill Wandel

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of
xxxxx@hotmail.com
Sent: Tuesday, February 07, 2012 11:22 PM
To: Windows System Software Devs Interest List
Subject: RE:[ntdev] Hook System service ZwSetValueKey( ) with keyboard
filter driver


Bill,

That statement is not entirely true, most of XP does not use
RenameKey, for example RegEdit does not, but I have seen it issued in
the kernel, and it is documented by Microsoft for use with XP onward.

Don Burn
Windows Filesystem and Driver Consulting
Website: http://www.windrvr.com
Blog: http://msmvps.com/blogs/WinDrvr

"Bill Wandel" wrote in message
news:xxxxx@ntdev:

> As far as rename key. What utility are you using for the rename test? XP
> regedit does not use NtRenameKey. Vista does.
>
> Bill Wandel

Don,

I was only referring to regedit.

Bill

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Don Burn
Sent: Wednesday, February 08, 2012 10:17 AM
To: Windows System Software Devs Interest List
Subject: RE:[ntdev] Hook System service ZwSetValueKey( ) with keyboard
filter driver


Hi Don and Bill,

Thanks for the information. I used regedit to do the test.

Best Regards,
Jeff