A) How to read MMIO of PCI device.
I want to reserch MMIO of PCI device on Windows Vista.
( and I don’t want to write MMIO. )
So , I’ll try as followings.
Create filter driver.
This driver have device interface and the inteface use READ_REGISTER_XXX.
I do not know READ_REGISTER_XXX can read other device’s MMIO.
Create user mode application.
This application calls the device interface to read MMIO.
Is this a good idea ?
or does anyone know more better way ?
B) How to check process name in driver.
I will create mini filter/legacy filter driver on Windows Vista.
And I want to check process name when IRP_MJ_CREATE is called.
But I could not found official way to get Image name,
But two other ways are found.
using PsGetProcessImageFileName
This is undocumented API.
look for image name like as rootkit.
Get EPROCESS’ pointer by PsGetCurrentProcess.
And search ImageName from the pointer.
Windows model does not allow you to access the registers of the device which already has a driver, i.e. your module is not it’s functional driver.
You can do this by some hackery, but the reliability is not guaranteed. First of all, there is no ways to sycnhronize your accesses with the one done by the functional driver.
And, if you’re writing a functional driver for the device (not a filter driver) - then MmMapIoSpace on translated resources in MN_START_DEVICE PnP IRP handler, this will give you the virtual addresses of the registers. Then access them using READ_REGISTER_XXX.
KMDF has its own much simpler wrapper around all of this.
using PsGetProcessImageFileName
look for image name like as rootkit.
Develop a helper inverted-call-based user-mode service which will do this using psapi GetModuleFileNameEx and return the pathname to the driver.
This is how Windows Firewall in XP SP2 implemented the image-pathname-based rules.
Note that psapi!GetModuleFileNameEx, in XP SP2, was implemented as NtQueryInformationProcess for a PEB address and NtReadVirtualMemory to get the PEB data, the path is in the RTL_USER_PROCESS_PARAMETERS which is a part of the PEB.
In more modern OSes, psapi!GetModuleFileNameEx can (I don’t know for sure) map to some new ZwXxx syscall which gets this information from the kernel itself.
use Ps notification callbacks, which will notify your code about process creation and image loads to this process.
Also, reconsider all of this once more. Image-pathname-based checks are usually worse then ACL-based checks. So, running your app as a service under specific user, and just check the ACL-based access rights of this user in the driver is maybe much simpler and more robust.