I am planning to write a basic Windows registry filter in C. The purpose of the filter is to hook all (user and kernel privileged) registry calls so that I can use them in my program. I am basically copying Regmon/Process Monitor by Mark Russinovich, but more basic.

My question is, once the filter is written in C, how do you get the system to implement the custom behaviour and to not implement the original intended behaviour of the registry calls?

I am using Windows 7.

EDIT: I am trying to do this as part of a hobby C++ project which can hook all registry calls.

user997112

2 Answers

There are special functions for that. See CmRegisterCallback(), CmRegisterCallbackEx() and Filtering Registry Calls on MSDN.

As for just installing a kernel mode driver, you may use the Service Controller (sc.exe). Use sc create [service name] binPath= [path to your .sys file] type= kernel to create a kernel-mode service and sc start [service name] to start it. Don't forget to sc stop and sc delete it before making changes to the driver.

Alexey Frunze
  • Hi, could you repeat/elaborate what you have just said but in smaller steps. At the moment I have some sample code in C which I am going to look at and work out which parts I need, but I'm not an expert in these areas of development. Are you just saying I can start my driver from the cmd command prompt by compiling and running the C code? – user997112 Oct 19 '11 at 23:22
  • @user997112: Yes, when your driver.sys is finally compiled, you can start it from the command line. Note that it must be compiled as a driver, not program, use kernel mode API functions and be structured in a special way as all kernel drivers are (e.g. have DriverEntryRoutine(), be unloadable unless you're OK rebooting every time you need to change it, and there's much more to kernel mode driver development than just this). – Alexey Frunze Oct 19 '11 at 23:28
  • Ok thanks, just one question: you mention a file named driver.sys; is this going to contain my C code? This will be the only file I produce and then I just run it as you said? I thought I would only be producing a .c file containing all the C code? – user997112 Oct 20 '11 at 00:06
  • @user997112: Don't you need to compile your source code (.c files) to a binary file (e.g. .exe) in order to execute it? Same with drivers. – Alexey Frunze Oct 20 '11 at 10:03
  • Hi Alex, I have more of an idea now. I followed some online examples of creating a simple driver, so I understand the relationship between the .exe, the .sys and the .c files. – user997112 Oct 20 '11 at 14:55
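What the accepted answer describes in words, as an added example (not code from the question, the answers or Regmon): a minimal filter that registers a RegistryCallback with CmRegisterCallbackEx in DriverEntry, unregisters it in DriverUnload, and decides per pre-operation whether to let the configuration manager proceed. The policy is deliberately simple and defensive: it refuses to set or delete a value named DisableProtection (a constructed name) under any key and passes everything else through unchanged. The REGFILTER_KERNEL_BUILD macro, the altitude string and the value name are assumptions of this example; when the macro is not defined, a small user-mode shim stands in for the handful of kernel types so the decision logic can be exercised and unit-tested outside the kernel.

```c
/* Registry filter skeleton built on CmRegisterCallbackEx (added example).
 * Define REGFILTER_KERNEL_BUILD (assumed macro) when compiling with the WDK;
 * otherwise the shim below supplies the few kernel types the policy code uses. */
#ifdef REGFILTER_KERNEL_BUILD
#include <ntddk.h>
#else
#include <stddef.h>
#include <wchar.h>
typedef long NTSTATUS;
typedef unsigned short USHORT;
typedef void *PVOID;
#define STATUS_SUCCESS       ((NTSTATUS)0x00000000L)
#define STATUS_ACCESS_DENIED ((NTSTATUS)0xC0000022L)
typedef struct _UNICODE_STRING {
    USHORT Length;          /* in bytes, not characters; Buffer is not NUL-terminated */
    USHORT MaximumLength;
    wchar_t *Buffer;
} UNICODE_STRING, *PUNICODE_STRING;
/* Only the notification classes this example handles; real values come from <ntddk.h>. */
typedef enum _REG_NOTIFY_CLASS {
    RegNtPreDeleteKey = 0, RegNtPreSetValueKey = 1, RegNtPreDeleteValueKey = 2
} REG_NOTIFY_CLASS;
#endif

/* Value name the filter refuses to modify or delete (constructed example). */
static const wchar_t kProtectedValue[] = L"DisableProtection";

/* Pure policy, independent of kernel headers. Returning a non-success status from a
 * pre-notification makes the configuration manager skip the operation and return that
 * status to the caller; STATUS_SUCCESS lets the operation proceed normally. */
NTSTATUS RegFilterDecide(REG_NOTIFY_CLASS cls, const UNICODE_STRING *valueName)
{
    const size_t want = sizeof(kProtectedValue) / sizeof(kProtectedValue[0]) - 1;
    size_t nchars, i;

    if (cls != RegNtPreSetValueKey && cls != RegNtPreDeleteValueKey)
        return STATUS_SUCCESS;
    if (valueName == NULL || valueName->Buffer == NULL)
        return STATUS_SUCCESS;                      /* default value: nothing to compare */
    nchars = valueName->Length / sizeof(wchar_t);   /* Length is a byte count */
    if (nchars != want)
        return STATUS_SUCCESS;
    for (i = 0; i < nchars; i++) {
        wchar_t a = valueName->Buffer[i], b = kProtectedValue[i];
        if (a >= L'a' && a <= L'z') a -= L'a' - L'A';   /* value names compare case-insensitively */
        if (b >= L'a' && b <= L'z') b -= L'a' - L'A';
        if (a != b)
            return STATUS_SUCCESS;
    }
    return STATUS_ACCESS_DENIED;
}

#ifndef REGFILTER_KERNEL_BUILD
/* User-mode convenience for tests: wrap a NUL-terminated wide string as a UNICODE_STRING. */
NTSTATUS RegFilterDecideW(REG_NOTIFY_CLASS cls, const wchar_t *name)
{
    UNICODE_STRING us;
    us.Length = (USHORT)(wcslen(name) * sizeof(wchar_t));
    us.MaximumLength = us.Length;
    us.Buffer = (wchar_t *)name;
    return RegFilterDecide(cls, &us);
}
#else
static LARGE_INTEGER g_Cookie;   /* handed back by CmRegisterCallbackEx; needed to unregister */

/* RegistryCallback: Argument1 carries the REG_NOTIFY_CLASS, Argument2 the matching
 * class-specific information structure. Runs for every registry operation on the system. */
static NTSTATUS RegFilterCallback(PVOID Context, PVOID Argument1, PVOID Argument2)
{
    REG_NOTIFY_CLASS cls = (REG_NOTIFY_CLASS)(ULONG_PTR)Argument1;
    PUNICODE_STRING name = NULL;
    NTSTATUS status;

    UNREFERENCED_PARAMETER(Context);
    if (cls == RegNtPreSetValueKey)
        name = ((PREG_SET_VALUE_KEY_INFORMATION)Argument2)->ValueName;
    else if (cls == RegNtPreDeleteValueKey)
        name = ((PREG_DELETE_VALUE_KEY_INFORMATION)Argument2)->ValueName;
    status = RegFilterDecide(cls, name);
    if (status != STATUS_SUCCESS)
        DbgPrint("regfilter: blocked notify class %lu on value %wZ\n", (ULONG)cls, name);
    return status;
}

static VOID RegFilterUnload(PDRIVER_OBJECT DriverObject)
{
    UNREFERENCED_PARAMETER(DriverObject);
    CmUnRegisterCallback(g_Cookie);   /* must precede unload: the callback must never point at freed code */
}

NTSTATUS DriverEntry(PDRIVER_OBJECT DriverObject, PUNICODE_STRING RegistryPath)
{
    UNICODE_STRING altitude = RTL_CONSTANT_STRING(L"380000");   /* placeholder; ship with an allocated altitude */
    UNREFERENCED_PARAMETER(RegistryPath);
    DriverObject->DriverUnload = RegFilterUnload;
    return CmRegisterCallbackEx(RegFilterCallback, &altitude, DriverObject, NULL, &g_Cookie, NULL);
}
#endif
```

Built with the WDK and REGFILTER_KERNEL_BUILD defined, the resulting .sys is loaded exactly as the answer says (sc create with type= kernel, then sc start), and the DbgPrint lines show up in a kernel debugger or DebugView. Two things the skeleton leaves out on purpose: it matches on the value name alone, so a real filter would first resolve the key path with CmCallbackGetKeyObjectID and scope the rule to the keys it is meant to protect, and it registers with a constructed altitude, whereas a shipping filter needs one allocated by Microsoft so it orders correctly against other registry filters.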
Basically, drivers are considered as services, and as such you can utilize the Service Control Manager. Using the aforementioned APIs, what you basically achieve is the appropriate entries in the registry under the Services key. For a sample of how to achieve this, check this article; scroll to the bottom to the section named "Dynamically Loading and Unloading the Driver". Furthermore, if you want to achieve easy debugging/development and are using VS2k10, I'd suggest you use the free VisualDDK. I believe this should be enough to get you going.

LordDoskias
  • Thanks for replying. I managed to obtain a copy of the Regmon source code, as in all the .c and .h files. Am I right in that this will not contain anything related to the service details you mentioned? The service driver registration would have been something the .exe installer would have done? – user997112 Oct 19 '11 at 23:20
  • Yes, I don't know how Regmon is structured, but usually the way installers work is that they have the driver embedded in them as a resource, so once you start them, they unpack it and then install it using the Service Control Manager routines or other methods (which boils down to the same thing). – LordDoskias Oct 19 '11 at 23:53