Comments by Dale Seeley (Top 96 by date)
Dale Seeley
14-Nov-22 22:38pm
Hoping you're still around. I have done everything you said but am still getting gibberish or nothing at all.
Dale Seeley
14-Nov-22 14:18pm
OK, I will try this once I'm home today. Would you be willing to take a look at the project if I upload it to my Google Drive? If not, I still thank you for all your help. Please let me know.
Dale Seeley
14-Nov-22 3:59am
Maybe a bit of pseudo code if you could; it would go a long way in helping me to understand according to my code :) I know you're basically spoon feeding me here and it's honestly what I need at this point, because I've been researching this and many other things for months now and I know I'm very close to getting it right.
Dale Seeley
14-Nov-22 3:49am
This is truly helpful, thank you for all this so much. I understand the first two replies but Marshal.StructureToPtr has me a bit confused now. I have the P/Invoke FILTER_MESSAGE_HEADER no problem and also changed the lpMessageBuffer to IntPtr and also created the unmanaged memory block using Marshal.AllocHGlobal(Marshal.SizeOf(Of FILTER_MESSAGE_HEADER)()) like so..
Dim FMH As New FILTER_MESSAGE_HEADER
Dim FltMessage = Marshal.AllocHGlobal(Marshal.SizeOf(FMH))
and releasing it by calling..
Marshal.FreeHGlobal(FltMessage)
And here is the code for Marshal.StructureToPtr..
Dim FltPointer = Marshal.StructureToPtr(FMH, FltMessage, False)
If FilterGetMessage(Communication_Port_Handle, FltPointer, Marshal.SizeOf(FltMessage), IntPtr.Zero) = True Then
    Invoke(Sub() RichTextBox1.AppendText("FILTERGETMESSAGE: " & FltPointer))
End If
But this line of code errors saying expression does not produce a value
Dim FltPointer = Marshal.StructureToPtr(FMH, FltMessage, False)
Thank you so much for your replies and patience.
Dale Seeley
14-Nov-22 2:42am
Another question: my FilterGetMessage message buffer is IntPtr, but MSDN shows to use FILTER_MESSAGE_HEADER for the message buffer, so how can I pass the message as IntPtr? Or is it done in a different way?
Dale Seeley
14-Nov-22 2:13am
This is my FILTER_MESSAGE_HEADER code:
<StructLayout(LayoutKind.Sequential)>
Public Structure FILTER_MESSAGE_HEADER
    Public ReplyLength As UInt32
    Public MessageId As UInt64
End Structure
Dale Seeley
14-Nov-22 2:10am
Awesome. I was definitely a bit confused with FILTER_MESSAGE_HEADER because I could not understand how having the struct in my client application would use it. It is used in the driver; does it also need to be in the client? ByRef or ByVal?
Dale Seeley
14-Nov-22 0:35am
still no luck :(
Dale Seeley
14-Nov-22 0:33am
Thank you for this pointer, I will check if that helps. I appreciate that.
Dale Seeley
21-Oct-22 2:30am
I am well aware of all the communication port connections on both sides, but my .NET does not receive any messages I send with the driver, so I thought it was the transition between managed and unmanaged code causing this to happen.
Dale Seeley
21-Oct-22 2:28am
Hello again Rick. I have researched 6 different books on C++/CLI and have a firm understanding of what it is and what it does. I have a minifilter driver coded in C++ ready and working and also have the CLI project sending simple messages to the VB.NET application. Now I'm lost as to how to receive the messages sent by the communication port. I know structs are not the same in managed code and unmanaged code and that's where C++/CLI comes in, right? What is meant by exported interface? How does this all fit together? Thank you in advance.
Dale Seeley
5-Oct-22 19:41pm
Thank you very, very much for this starting point Rick. Does this mean having my driver in C code is alright and it is still possible to do the rest? I will read every link you have supplied. Is there any talk of a DLL interface? Do you mean CLI? Or what they now call CLR in Visual Studio? Also, is it best practice or just the way it's done to add the CLI DLL to the driver project and then make sure the dependency is set in that manner?
Dale Seeley
26-Jul-22 3:17am
How can I extract the message sent from the driver to my client application?
Here is the code I have so far. Status returns 0, which is success I believe, but after that I get an access violation error (reading protected memory, to that effect):
Dim dataReceive As DATA_RECEIVE = New DATA_RECEIVE()
dataReceive.messageContent = New Byte(BUFFER_SIZE - 1) {}
Dim headerSize As Integer = Marshal.SizeOf(dataReceive.messageHeader)
Dim dataSize As Integer = Marshal.SizeOf(dataReceive) + BUFFER_SIZE
Dim status = FilterGetMessage(OpenPortHandle, dataReceive.messageHeader, dataSize, Nothing)
MsgBox("FltGetMessage Status Code: " & status)
When using this code my DeviceIoControl code no longer gets the IO_GET_CLIENT_PATH, and if I remove the DeviceIoControl code it errors with System.AccessViolationException (attempted to read or write protected memory) on the End Sub line? This is strange behavior, please help. Thank you in advance.
Dale Seeley
26-Jul-22 0:45am
Deleted
But this seems to be interfering with my IOCTL code in my client application:
If DeviceIoControl(hFile,
                   IO_GET_CLIENT_PATH,
                   Nothing,
                   0,
                   PROCPATH,
                   StringByte,
                   Bytes_IO,
                   Nothing) Then
IO_GET_CLIENT_PATH gives an access violation (attempted to read or write protected memory) error? It's strange because without the GetMessage stuff it works fine, but when calling GetMessage it fails. Any ideas why?
Dale Seeley
26-Jul-22 0:42am
Yes, after a bit of work this is the correct code:
Dim dataSize As Integer = Marshal.SizeOf(dataReceive) + BUFFER_SIZE
<StructLayout(LayoutKind.Sequential)>
Public Structure DATA_RECEIVE
    Public messageHeader As FILTER_MESSAGE_HEADER
    <MarshalAs(UnmanagedType.ByValArray, SizeConst:=BUFFER_SIZE)>
    Public messageContent() As Byte
End Structure
thank you for your help!
Dale Seeley
25-Jul-22 12:28pm
I understand that sir I just need some time to make the changes and test it.
Dale Seeley
25-Jul-22 12:01pm
Yup, I do my testing with WinDbg and VMware with symbols. I will test and debug. Thank you very much; I'll post again today if there are any issues, and if not, mark this as answered 😀
Dale Seeley
25-Jul-22 11:12am
OK! That's great! Thank you very much, I see now what you're saying; sorry I wasn't clear before. I will change this once I get home today and hopefully see some progress. I have one more area I am unsure about, and that is the SendMessage part in my driver; can you confirm if this looks correct?
Dale Seeley
25-Jul-22 8:30am
So the message content is prone to change and is dynamic. I have looked at the usage of FltGetMessage, but because C code conversion to VB.NET can be tricky it's hard for me to see what I need to change. How is the message content size not the same? Thank you in advance.
Dale Seeley
25-Jul-22 0:01am
I have found this code but I am unaware of how to convert this to VB.NET:
public unsafe struct DATA_RECEIVE
{
    public FILTER_MESSAGE_HEADER messageHeader;
    public fixed byte messageContent[BUFFER_SIZE];
}
Dale Seeley
24-Jul-22 21:30pm
I have created a new question here; please check it out, Randor, when you can. I would greatly appreciate it, and thank you for all your help up to now!
https://www.codeproject.com/Questions/5338073/Fltgetmessage-returns-error-code-2147942406
Dale Seeley
24-Jul-22 21:19pm
In my VB.NET application I changed the buffer to 4 KB instead of 1024, from:
Dim dataReceive As DATA_RECEIVE = New DATA_RECEIVE()
dataReceive.messageContent = New Byte(BUFFER_SIZE - 1) {}
To this:
Dim dataReceive As DATA_RECEIVE = New DATA_RECEIVE()
dataReceive.messageContent = New Byte(1 << 12) {}
Now it shows 4097, but it doesn't fix my issue?
Dale Seeley
24-Jul-22 20:43pm
It appears removing ByRef was the cause of the invalid handle, thank you, but now I get a new returned error code, 0x8007007A (decimal 2147942522), which states ERROR_INSUFFICIENT_BUFFER. I would imagine this to be the buffer length I specify in my VB.NET application, but it's set to max. Any ideas?
Dale Seeley
24-Jul-22 20:39pm
Once I have changed that, the error code returned now is hex 0x8007007A and decimal 2147942522, which states ERROR_INSUFFICIENT_BUFFER. Are you able to see where in my VB.NET code this is happening?
Dale Seeley
24-Jul-22 20:31pm
Thank you for the pointer, I will change that.
Dale Seeley
23-Jul-22 20:43pm
This is the new updated code; I have uploaded it to my Google Drive:
https://drive.google.com/drive/folders/1Hv957hwAJsE8KDGs9UfV94AG5a9Bneth?usp=sharing
Dale Seeley
22-Jul-22 20:17pm
Here is the link!
https://drive.google.com/drive/folders/1fdamAJF-untSeD-xzFyfmf8a2G8B36Ba?usp=sharing
Dale Seeley
22-Jul-22 19:45pm
I am about to upload the project to my Google Drive; please let me know if you're online now or can take a look, I am lost. Thank you Randor, C coding is still a challenge for me and not my strong point.
Dale Seeley
21-Jul-22 12:07pm
Sure, I'll upload it to my Google Drive after my work today. Thank you very much for taking time for me.
Dale Seeley
21-Jul-22 8:33am
Is the code looking correct though? Is there anything missing, and is RtlInitUnicodeString used so I can copy memory?
Dale Seeley
20-Jul-22 23:47pm
Of course my MiniDriverPreOperation is probably incorrect and missing a lot, but it was my attempt to send the message without using structs. To send the file path I am using UNICODE_STRING, and RtlCopyMemory says it's incompatible.
Dale Seeley
20-Jul-22 23:37pm
Here is my FLT_PREOP_CALLBACK_STATUS:
FLT_PREOP_CALLBACK_STATUS MiniDriverPreOperation(
    PFLT_CALLBACK_DATA Data,
    PCFLT_RELATED_OBJECTS FltObjects,
    PVOID* CompletionContext)
{
    UNREFERENCED_PARAMETER(CompletionContext);
    if ((Data->Iopb->Parameters.AcquireForSectionSynchronization.PageProtection & PAGE_EXECUTE) &&
        (Data->Iopb->Parameters.AcquireForSectionSynchronization.SyncType == SyncTypeCreateSection))
    {
        PFLT_FILE_NAME_INFORMATION FileNameInfo;
        NTSTATUS status;
        UNICODE_STRING DoSPath;
        status = FltGetFileNameInformation(Data, FLT_FILE_NAME_NORMALIZED | FLT_FILE_NAME_QUERY_DEFAULT, &FileNameInfo);
        if (NT_SUCCESS(status)) {
            status = FltParseFileNameInformation(FileNameInfo);
            if (NT_SUCCESS(status)) {
                if (FileNameInfo->Name.MaximumLength < 260) {
                    status = IoVolumeDeviceToDosName(FltObjects->FileObject->DeviceObject, &DoSPath);
                    if (NT_SUCCESS(status))
                    {
                        // check here to determine if the process should be allowed or not to run
                        // Data->IoStatus.Status = STATUS_ACCESS_DENIED;
                        // Data->IoStatus.Information = 0;
                        if (SendClientPort) {
                            ULONG PROC_TAG = 0;
                            UNICODE_STRING processName;
                            processName.Length = 0;
                            processName.MaximumLength = (USHORT)(DoSPath.MaximumLength + Data->Iopb->TargetFileObject->FileName.MaximumLength + 2);
                            processName.Buffer = (PWCH)ExAllocatePoolWithTag(PagedPool, processName.MaximumLength, PROC_TAG);
                            if (processName.Buffer != NULL) {   // pool allocation can fail
                                RtlCopyUnicodeString(&processName, &DoSPath);
                                RtlAppendUnicodeStringToString(&processName, &Data->Iopb->TargetFileObject->FileName);
                                KdPrint(("%wZ \r\n", &processName));   // %wZ takes a PUNICODE_STRING
                                RtlCopyUnicodeString(&ImageP, &processName);
                                LARGE_INTEGER timeout;
                                timeout.QuadPart = -10000 * 100;   // negative = relative timeout, 100 ms
                                // send only the bytes actually written (Length), not the whole allocation
                                FltSendMessage(FilterHandle, &SendClientPort, processName.Buffer, processName.Length, NULL, NULL, &timeout);
                                ExFreePoolWithTag(processName.Buffer, PROC_TAG);
                            }
                        }
                        ExFreePool(DoSPath.Buffer);   // IoVolumeDeviceToDosName allocates this buffer
                    }
                }
            }
            FltReleaseFileNameInformation(FileNameInfo);
        }
    }
    return FLT_PREOP_SUCCESS_WITH_CALLBACK;
}
Dale Seeley
20-Jul-22 23:31pm
OK, this is what I am reading and understanding up to now about FltSendMessage. This takes 7 parameters, like so:
1. Filter Handle
2. Client Port
3. Message Buffer
4. Message Buffer Length
5. Reply Buffer
6. Reply Buffer Length
7. Timeout
My book is saying the driver can send any buffer/message described by the third parameter, Message Buffer, with the length of Message Buffer. Typically the driver will define some structure in a common header file the client can include as well, called FileBackupPortMessage. This struct contains the file name length and the file name itself, but this seems to be my issue because I am unaware of how to interact with this structure, or any, from my client using VB.NET. I understand VB.NET is not your strong point to offer help on, but might there be a way to send the message without the use of this struct? There is also the use of another struct, _FILTER_MESSAGE_HEADER: if a reply is expected, this structure indicates the reply length in bytes and the message ID, which again the client should use if it calls FilterReplyMessage. Timeout specifies the time waited by the driver to send the message to the client. Unless any of this is incorrect, the code should be something like this in C:
1. Filter Handle, declared global: PFLT_FILTER FilterHandle;
2. Client Port, declared global: PFLT_PORT SendClientPort;
and the rest of the example code is placed within the FLT_PREOP_CALLBACK_STATUS:
if (SendClientPort) {
    USHORT nameLen = context->FileName.Length;
    USHORT len = sizeof(FileBackupPortMessage) + nameLen;
    auto msg = (FileBackupPortMessage*)ExAllocatePoolWithTag(PagedPool, len, DRIVER_TAG);
    if (msg) {
        msg->FileNameLength = nameLen / sizeof(WCHAR);
        RtlCopyMemory(msg->FileName, context->FileName.Buffer, nameLen);
        LARGE_INTEGER timeout;
        timeout.QuadPart = -10000 * 100; // 100msec
        FltSendMessage(gFilterHandle, &SendClientPort, msg, len,
            nullptr, nullptr, &timeout);
        ExFreePool(msg);
    }
}
FltSendMessage in the driver example has parameters 5 and 6 as nullptr because, to my understanding, the example is only sending a message and does not expect a reply, which I am sure I will need in order to block or allow process creation.
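As an added illustration (not code from this thread, nor from Microsoft's scanner sample or the book), the plain C program below models the byte layout the comment above describes, and also the ERROR_INSUFFICIENT_BUFFER situation from the 24-Jul-22 comments: the driver packs a FileBackupPortMessage (length in WCHARs, then the name), the filter manager hands the client a FILTER_MESSAGE_HEADER followed by those bytes, so the client's buffer and the length it passes to FilterGetMessage must cover both, and the client should validate FileNameLength against what was actually delivered before reading the name. It assumes a 16-bit WCHAR and x64 natural alignment (a 16-byte header, which is what Marshal.SizeOf reports for the VB struct); the function names pack_message, deliver_message, parse_delivered and roundtrip are invented for the example, and the sample path is constructed.

```c
/* Added example, not code from this thread or a Microsoft sample. Plain C
 * model of the FltSendMessage/FilterGetMessage byte layout: the driver packs
 * a FileBackupPortMessage, the filter manager hands the client a
 * FILTER_MESSAGE_HEADER followed by those bytes, and the client must size its
 * buffer for both and validate FileNameLength before using it. Assumes a
 * 16-bit WCHAR and x64 natural alignment (16-byte header, as Marshal.SizeOf
 * reports for the VB struct); all function names here are invented. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef uint16_t WCHAR16;               /* stands in for the Windows WCHAR */
#define ERROR_INSUFFICIENT_BUFFER 122u  /* Win32 error 0x7A */

typedef struct {                        /* fields of the SDK FILTER_MESSAGE_HEADER */
    uint32_t ReplyLength;
    uint64_t MessageId;
} FilterMessageHeader;

typedef struct {                        /* payload shape from the book example */
    uint16_t FileNameLength;            /* in WCHARs, not bytes */
    WCHAR16  FileName[1];               /* variable length in practice */
} FileBackupPortMessage;
#define NAME_OFFSET offsetof(FileBackupPortMessage, FileName)

/* Driver side: pack the name as the pre-op callback would. Returns the byte
 * count that would be passed as SenderBufferLength, 0 if out is too small. */
size_t pack_message(const WCHAR16 *name, uint16_t chars, uint8_t *out, size_t cap)
{
    size_t name_bytes = (size_t)chars * sizeof(WCHAR16);
    size_t len = NAME_OFFSET + name_bytes;
    if (len > cap) return 0;
    memcpy(out, &chars, sizeof chars);           /* FileNameLength */
    memcpy(out + NAME_OFFSET, name, name_bytes); /* FileName */
    return len;
}

/* Filter-manager side, per the documented FilterGetMessage contract: the
 * client buffer must hold header + whole message or the call fails with
 * ERROR_INSUFFICIENT_BUFFER and nothing is copied. */
uint32_t deliver_message(const uint8_t *msg, size_t msg_len, uint64_t id,
                         uint8_t *client_buf, size_t client_len, size_t *delivered)
{
    FilterMessageHeader hdr = { 0, id };
    if (client_len < sizeof hdr + msg_len) return ERROR_INSUFFICIENT_BUFFER;
    memcpy(client_buf, &hdr, sizeof hdr);
    memcpy(client_buf + sizeof hdr, msg, msg_len);
    *delivered = sizeof hdr + msg_len;
    return 0;
}

/* Client side: FileNameLength comes from the message, so check it against the
 * bytes actually delivered before copying. Returns chars, or -1 if malformed. */
int parse_delivered(const uint8_t *buf, size_t delivered, uint64_t *id_out,
                    WCHAR16 *name_out, size_t name_cap)
{
    FilterMessageHeader hdr;
    uint16_t chars;
    if (delivered < sizeof hdr + NAME_OFFSET) return -1;
    memcpy(&hdr, buf, sizeof hdr);
    memcpy(&chars, buf + sizeof hdr, sizeof chars);
    size_t name_bytes = (size_t)chars * sizeof(WCHAR16);
    if (name_bytes > delivered - sizeof hdr - NAME_OFFSET || chars > name_cap) return -1;
    memcpy(name_out, buf + sizeof hdr + NAME_OFFSET, name_bytes);
    *id_out = hdr.MessageId;
    return (int)chars;
}

/* Constructed sample: UTF-16 code units of "C:\x.exe", 8 WCHARs. */
static const WCHAR16 kPath[8] = { 'C', ':', '\\', 'x', '.', 'e', 'x', 'e' };

/* Round trip through a client buffer of client_len bytes; a nonzero
 * tampered_len overwrites FileNameLength first, simulating a bad message.
 * Status goes to *st; returns the parsed WCHAR count or -1. */
int roundtrip(size_t client_len, uint16_t tampered_len, uint32_t *st)
{
    uint8_t msg[64], client_buf[sizeof(FilterMessageHeader) + 64];
    size_t msg_len = pack_message(kPath, 8, msg, sizeof msg), delivered = 0;
    uint64_t id = 0; WCHAR16 name[64];
    if (tampered_len) memcpy(msg, &tampered_len, sizeof tampered_len);
    if (client_len > sizeof client_buf) client_len = sizeof client_buf;
    *st = deliver_message(msg, msg_len, 7, client_buf, client_len, &delivered);
    return *st ? -1 : parse_delivered(client_buf, delivered, &id, name, 64);
}
uint32_t roundtrip_status(size_t client_len, uint16_t tampered) { uint32_t s; roundtrip(client_len, tampered, &s); return s; }
int roundtrip_chars(size_t client_len, uint16_t tampered) { uint32_t s; return roundtrip(client_len, tampered, &s); }

int main(void)
{
    size_t need = sizeof(FilterMessageHeader) + NAME_OFFSET + 8 * sizeof(WCHAR16);
    /* sizeof(IntPtr) as the length (Marshal.SizeOf on the pointer itself)
     * cannot even hold the header; 'need' bytes does; a lying length is rejected. */
    printf("%zu bytes: status %u\n", sizeof(void *), roundtrip_status(sizeof(void *), 0));
    printf("%zu bytes: status %u, %d WCHARs\n", need, roundtrip_status(need, 0), roundtrip_chars(need, 0));
    printf("tampered FileNameLength=1000: parsed %d\n", roundtrip_chars(need, 1000));
    return 0;
}
```

The point for the VB.NET side is the arithmetic in `need`: the buffer handed to FilterGetMessage has to be sizeof(FILTER_MESSAGE_HEADER) plus the largest message the driver sends, and the length argument must be that whole size rather than the size of the pointer variable.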
Dale Seeley
20-Jul-22 10:17am
OK great, I will post the driver code today after work if you're still here.
Dale Seeley
20-Jul-22 8:23am
The structure part is actually what I am a bit confused about, because I am not sure how to interact with it in VB.NET. I can confirm the connection seems good, but then do I use FltGetMessage in the user-mode application, or should I be using ReplyMessage? I will give it another try after work today and post some updates. Thank you for your response and start in the right direction.
Dale Seeley
19-Jul-22 8:23am
Yes, I can see from my user-mode application the return value from the communication port is zero and the port passed to my handle variable is normal. I can post or upload the project to my Google Drive for review later today. Thank you for your continuous replies, patience and guidance.
Dale Seeley
19-Jul-22 1:08am
Hello again. I have created and receive a proper port number for the communication port; now I am trying to figure out FltSendMessage and reply so I can implement the I/O blocking feature to allow or block process creation. Can you point me to the next step? Thanks Randor.
Dale Seeley
13-Jul-22 8:23am
I revised the code, made a lot of changes since you saw it last, and no longer have any warnings about uninitialized code. The user-mode application still receives a communication port handle but I am unsure if it's correct or not. I will upload the project like last time to my Google Drive; if you have time to look things over I would greatly appreciate it. 🙂
Dale Seeley
11-Jul-22 22:45pm
Interesting to know about Assert. So in general NT_ASSERT and FLT_ASSERT are to throw certain errors or to check the outcome if a value is valid or not? If Assert just throws an error when a value is expected, can't that lead to issues? Is this a form of lazy coding? I will revise the C code for variables that are not initialized with values; is that why I am not able to connect to the communication port? Thank you for continuing to coach me through this.
Dale Seeley
8-Jul-22 2:07am
I actually have no idea what FLT_ASSERT does, to be honest, so I removed it and revised the code in my driver to the information I found in my book "Windows Kernel Programming", chapter 10, mini filter driver. I can see now when the driver is started my filter connection port is created, and within the user-mode application I make a call to FilterConnectCommunicationPort and the port handle is as follows: 1818164390016. When I exit and restart the user-mode application that number changes, but I am not sure if this number is correct as it looks too long compared to the IOCTL port number that is created. I assume that number to be the client port. Please advise, and if you have any time I can re-upload the project to my Google Drive if you could be so nice as to take a look. Thanks again Randor.
Dale Seeley
29-Jun-22 2:16am
Might be of value to note that the driver, upon loading and unloading a time or two, had no BSOD, but now without changing anything it fails. I am not sure if the communication port is being disposed of and created again properly, or if that might be the issue. It looks like maybe the driver is OK but the user-mode application might have some issue? Please advise. Thank you Randor.
Dale Seeley
29-Jun-22 2:14am
Here is another output:
10: kd> !analyze -v
Connected to Windows 10 22000 x64 target at (Wed Jun 29 00:11:11.874 2022 (UTC - 6:00)), ptr64 TRUE
Loading Kernel Symbols
.................................
Press ctrl-c (cdb, kd, ntsd) or ctrl-break (windbg) to abort symbol loads that take too long.
Run !sym noisy before .reload to track down problems loading symbols.
..............................
................................................................
..............................................................
Loading User Symbols
......................................
Press ctrl-c (cdb, kd, ntsd) or ctrl-break (windbg) to abort symbol loads that take too long.
Run !sym noisy before .reload to track down problems loading symbols.
.........................
Loading unloaded module list
...........
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
SYSTEM_SERVICE_EXCEPTION (3b)
An exception happened while executing a system service routine.
Arguments:
Arg1: 00000000c0000420, Exception code that caused the BugCheck
Arg2: fffff80231ba1672, Address of the instruction which caused the BugCheck
Arg3: fffff58709e59830, Address of the context record for the exception that caused the BugCheck
Arg4: 0000000000000000, zero.
Debugging Details:
------------------
KEY_VALUES_STRING: 1
Key : Analysis.CPU.mSec
Value: 2187
Key : Analysis.DebugAnalysisManager
Value: Create
Key : Analysis.Elapsed.mSec
Value: 27410
Key : Analysis.Init.CPU.mSec
Value: 2811
Key : Analysis.Init.Elapsed.mSec
Value: 2766284
Key : Analysis.Memory.CommitPeak.Mb
Value: 92
Key : Bugcheck.Code.DumpHeader
Value: 0x3b
Key : Bugcheck.Code.KiBugCheckData
Value: 0x3b
Key : Bugcheck.Code.Register
Value: 0x3
Key : WER.OS.Branch
Value: co_release
Key : WER.OS.Timestamp
Value: 2021-06-04T16:28:00Z
Key : WER.OS.Version
Value: 10.0.22000.1
BUGCHECK_CODE: 3b
BUGCHECK_P1: c0000420
BUGCHECK_P2: fffff80231ba1672
BUGCHECK_P3: fffff58709e59830
BUGCHECK_P4: 0
CONTEXT: fffff58709e59830 -- (.cxr 0xfffff58709e59830)
rax=fffff80231ba1630 rbx=0000000000000000 rcx=ffffe2835e64ef10
rdx=0000000000000000 rsi=ffffe2835e64ef10 rdi=ffffe2835e185570
rip=fffff80231ba1672 rsp=fffff58709e5a250 rbp=fffff58709e5a310
r8=0000000000000000 r9=0000000000000000 r10=ffffe2835eee97f8
r11=fd55515555555555 r12=ffffe283602c7d38 r13=0000000000000000
r14=0000000000000000 r15=ffffe28363284690
iopl=0 nv up ei pl nz na pe nc
cs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b efl=00040202
Bitfilter+0x1672:
fffff802`31ba1672 cd2c int 2Ch
Resetting default scope
PROCESS_NAME: IOCTL_DRIVER_APP.exe
STACK_TEXT:
fffff587`09e5a250 fffff802`20f47548 : ffffe283`5e64ef10 00000000`00000000 00000000`00000000 fffff587`00000000 : Bitfilter+0x1672
fffff587`09e5a290 fffff802`20f4955b : ffffe283`5eee97e0 ffffda8f`c17d4a30 00000000`00000000 ffffffff`8000403c : FLTMGR!FltpOpenClientPort+0x434
fffff587`09e5a350 fffff802`20f4dbba : ffffe283`5b4aec90 fffff587`09e5a409 ffffe283`5fed7a00 ffffe283`5b4aec90 : FLTMGR!FltpMsgDispatch+0x18b
fffff587`09e5a3c0 fffff802`22d02f65 : 00000000`00000000 fffff802`22cc5d33 ffffda8f`c17d4a78 ffffda8f`c17d4960 : FLTMGR!FltpCreate+0x55a
fffff587`09e5a470 fffff802`23153667 : ffffe283`5b4aec90 ffffe283`5b4aec90 fffff587`09e5a770 ffffc40c`00000040 : nt!IofCallDriver+0x55
fffff587`09e5a4b0 fffff802`23172562 : fffff587`09e5a770 fffff802`23152dd0 ffffda8f`bc1f22a0 ffffe283`5e5f4aa0 : nt!IopParseDevice+0x897
fffff587`09e5a670 fffff802`231719d1 : ffffc40c`79947920 fffff
Dale Seeley
29-Jun-22 1:29am
Hello again Randor. I believe I have the symbols set up correctly but I am unsure what's happening. Here is an output of my WinDbg; the VMware VM does not BSOD but there is an assertion failure:
Microsoft (R) Windows Debugger Version 10.0.25136.1001 AMD64
Copyright (c) Microsoft Corporation. All rights reserved.
Opened \\.\pipe\com_2
Waiting to reconnect...
Connected to Windows 10 22000 x64 target at (Tue Jun 28 23:25:44.066 2022 (UTC - 6:00)), ptr64 TRUE
Kernel Debugger connection established.
************* Path validation summary **************
Response Time (ms) Location
Deferred srv*C:\localsymbols*http://msdl.microsoft.com/download/symbols
Symbol search path is: srv*C:\localsymbols*http://msdl.microsoft.com/download/symbols
Executable search path is:
Windows 10 Kernel Version 22000 MP (12 procs) Free x64
Product: WinNt, suite: TerminalServer SingleUserTS
Edition build lab: 22000.1.amd64fre.co_release.210604-1628
Machine Name:
Kernel base = 0xfffff802`22a00000 PsLoadedModuleList = 0xfffff802`236296b0
Debug session time: Tue Jun 28 23:25:08.905 2022 (UTC - 6:00)
System Uptime: 0 days 1:17:54.711
Break instruction exception - code 80000003 (first chance)
nt!DbgBreakPointWithStatus+0x1:
fffff802`22e1dbf1 c3 ret
1: kd> g
Assertion failure - code c0000420 (first chance)
Bitfilter+0x1672:
fffff802`31b91672 cd2c int 2Ch
11: kd> g
Continuing an assertion failure can result in the debuggee
being terminated (bugchecking for kernel debuggees).
If you want to ignore this assertion, use 'ahi'.
If you want to force continuation, use 'gh' or 'gn'.
Dale Seeley
17-Jun-22 2:26am
8: kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
SYSTEM_SERVICE_EXCEPTION (3b)
An exception happened while executing a system service routine.
Arguments:
Arg1: 00000000c0000420, Exception code that caused the BugCheck
Arg2: fffff807689f16bc, Address of the instruction which caused the BugCheck
Arg3: ffffb786b1d7f820, Address of the context record for the exception that caused the BugCheck
Arg4: 0000000000000000, zero.
Debugging Details:
------------------
KEY_VALUES_STRING: 1
Key : Analysis.CPU.mSec
Value: 3358
Key : Analysis.DebugAnalysisManager
Value: Create
Key : Analysis.Elapsed.mSec
Value: 5734
Key : Analysis.Init.CPU.mSec
Value: 421
Key : Analysis.Init.Elapsed.mSec
Value: 4829
Key : Analysis.Memory.CommitPeak.Mb
Value: 96
Key : WER.OS.Branch
Value: co_release
Key : WER.OS.Timestamp
Value: 2021-06-04T16:28:00Z
Key : WER.OS.Version
Value: 10.0.22000.1
FILE_IN_CAB: 061622-6187-01.dmp
VIRTUAL_MACHINE: VMware
BUGCHECK_CODE: 3b
BUGCHECK_P1: c0000420
BUGCHECK_P2: fffff807689f16bc
BUGCHECK_P3: ffffb786b1d7f820
BUGCHECK_P4: 0
CONTEXT: ffffb786b1d7f820 -- (.cxr 0xffffb786b1d7f820)
rax=0000000000000000 rbx=0000000000000000 rcx=ffffc08833eab570
rdx=0000000000000000 rsi=ffffc08833eab570 rdi=ffffc088328c1420
rip=fffff807689f16bc rsp=ffffb786b1d80240 rbp=ffffb786b1d80310
r8=0000000000000000 r9=0000000000000000 r10=ffffc088320f71c8
r11=0000000070634d46 r12=ffffc08833ead838 r13=0000000000000000
r14=0000000000000000 r15=ffffc088362a8270
iopl=0 nv up ei pl nz na pe nc
cs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b efl=00040202
Bitfilter+0x16bc:
fffff807`689f16bc cd2c int 2Ch
Resetting default scope
BLACKBOXBSD: 1 (!blackboxbsd)
BLACKBOXNTFS: 1 (!blackboxntfs)
BLACKBOXPNP: 1 (!blackboxpnp)
BLACKBOXWINLOGON: 1
CUSTOMER_CRASH_COUNT: 1
PROCESS_NAME: IOCTL_DRIVER_APP.exe
STACK_TEXT:
ffffb786`b1d80240 00000000`0000f10d : 00000000`00000001 ffffc088`362a8270 00000000`00000000 00000001`00000000 : Bitfilter+0x16bc
ffffb786`b1d80248 00000000`00000001 : ffffc088`362a8270 00000000`00000000 00000001`00000000 00000001`33ead838 : 0xf10d
ffffb786`b1d80250 ffffc088`362a8270 : 00000000`00000000 00000001`00000000 00000001`33ead838 ffffc088`328c1420 : 0x1
ffffb786`b1d80258 00000000`00000000 : 00000001`00000000 00000001`33ead838 ffffc088`328c1420 00000000`00000001 : 0xffffc088`362a8270
SYMBOL_NAME: Bitfilter+16bc
MODULE_NAME: Bitfilter
IMAGE_NAME: Bitfilter.sys
STACK_COMMAND: .cxr 0xffffb786b1d7f820 ; kb
BUCKET_ID_FUNC_OFFSET: 16bc
FAILURE_BUCKET_ID: 0x3B_C0000420_Bitfilter!unknown_function
OS_VERSION: 10.0.22000.1
BUILDLAB_STR: co_release
OSPLATFORM_TYPE: x64
OSNAME: Windows 10
FAILURE_ID_HASH: {23ee73b4-ac33-c70d-8b59-1288cfa8578b}
Followup: MachineOwner
---------
8: kd> .cxr 0xffffb786b1d7f820
rax=0000000000000000 rbx=0000000000000000 rcx=ffffc08833eab570
rdx=0000000000000000 rsi=ffffc08833eab570 rdi=ffffc088328c1420
rip=fffff807689f16bc rsp=ffffb786b1d80240 rbp=ffffb786b1d80310
r8=0000000000000000 r9=0000000000000000 r10=ffffc088320f71c8
r11=0000000070634d46 r12=ffffc08833ead838 r13=0000000000000000
r14=0000000000000000 r15=ffffc088362a8270
iopl=0 nv up ei pl nz na pe nc
cs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b efl=00040202
Bitfilter+0x16bc:
fffff807`689f16bc cd2c int 2Ch
8: kd> lmvm Bitfilter
Browse full module list
start end module name
fffff807`689f0000 fffff807`689f8000 Bitfilter T (no symbols)
Dale Seeley
17-Jun-22 1:48am
OK, I have created the VMware VM and also connected WinDbg x64 and can break and resume the debugger. Can you give me links or advise how to properly use and view the exceptions that cause the BSOD? I am unsure of the command line arguments or how to pinpoint the issues while the mini-filter driver is running or causing the error. Thank you for your time, I look forward to hearing back from you.
Dale Seeley
11-Jun-22 2:11am
Awesome, thank you. I set up virtual machines, or have often in the past, so it's no issue, but I've been developing on my local machine for months with no lock outs. Just curious, why would you be running such a risk, or why does Windows lock up? I've never experienced that before.
Dale Seeley
11-Jun-22 2:03am
On the local machine, no VM.
Dale Seeley
11-Jun-22 2:02am
Gotcha. Does there appear to be anything wrong with the driver code at the moment?
Dale Seeley
11-Jun-22 1:53am
I'm using Visual Studio 2019
Dale Seeley
11-Jun-22 1:52am
Yup BSOD :(
Dale Seeley
11-Jun-22 1:48am
Actually I have tried that also, thinking the exact same thing. I will try now, but I'm pretty sure it will BSOD.
Dale Seeley
11-Jun-22 1:37am
Thank you for taking a look. Allowing or blocking processes is causing me so much headache and has been prolonging my development by months now, so I'm very grateful for this help to understand and hopefully get it done.
Dale Seeley
11-Jun-22 1:29am
https://drive.google.com/drive/folders/1_a8BwvZ_SNBy_SYmJg0WL5rJI3ssOS9I?usp=sharing
Dale Seeley
11-Jun-22 1:19am
Is there any way I can pass the project to you?
Dale Seeley
11-Jun-22 1:18am
I added the line above where you suggested, but it still does not connect.
Dale Seeley
11-Jun-22 1:11am
Tomorrow I will disclose the full code for you to analyze, please, if you can.
Dale Seeley
11-Jun-22 1:10am
It returns a negative number: -2147024773.
Dale Seeley
11-Jun-22 1:03am
My .NET application runs as Administrator I will try now
Dale Seeley
11-Jun-22 0:41am
OK, so adding RtlSetDaclSecurityDescriptor(sd, TRUE, NULL, FALSE) in the driver entry before InitializeObjectAttributes() is what you're saying might help?
Dale Seeley
10-Jun-22 23:10pm
My user-mode counterpart is a VB.NET WinForm. How do I go about assigning the descriptor to the communication port? Is it shown in the example? I would imagine of course it is, but where? 😅
Dale Seeley
10-Jun-22 17:39pm
I asked maybe a silly question at first. I will protect the port and service/driver from any other process which tries to kill it, along with the program itself, but what areas do you know of for drivers that should be restricted? I am fairly new to this and having your insight is very valuable.
Dale Seeley
10-Jun-22 17:35pm
Deleted
Eventually it will be a commercial security product. Restricting access to SYSTEM, meaning protecting crucial areas of the OS? Can you give a brief explanation when you have a few minutes.
Dale Seeley
10-Jun-22 14:37pm
Good point, I will do it that way to see it work and then secure it. Is it difficult to secure, or do I just change the way it's called?
Dale Seeley
10-Jun-22 14:20pm
I'm not sure, it's strange. I'm just unsure of all the steps needed, so once I added the code I thought I needed and cleared up the errors in my driver code there appeared to be nothing outstanding, but I missed that. Thank you, I will include that.
Dale Seeley
10-Jun-22 1:16am
Deleted
Here is the driver code I pulled from the example to create the communication port:
PFLT_PORT ServerPort;
//
// User process that connected to the port
//
PEPROCESS UserProcess;
//
// Client port for a connection to user-mode
//
PFLT_PORT ClientPort;
const PWSTR ScannerPortName = L"\\PortName";

NTSTATUS
ScannerPortConnect(
    _In_ PFLT_PORT NewClientPort,
    _In_opt_ PVOID ServerPortCookie,
    _In_reads_bytes_opt_(SizeOfContext) PVOID ConnectionContext,
    _In_ ULONG SizeOfContext,
    _Outptr_result_maybenull_ PVOID* ConnectionCookie
    );

VOID
ScannerPortDisconnect(
    _In_opt_ PVOID ConnectionCookie
    );

NTSTATUS
ScannerPortConnect(
    _In_ PFLT_PORT NewClientPort,
    _In_opt_ PVOID ServerPortCookie,
    _In_reads_bytes_opt_(SizeOfContext) PVOID ConnectionContext,
    _In_ ULONG SizeOfContext,
    _Outptr_result_maybenull_ PVOID* ConnectionCookie
    )
/*++
Routine Description
    This is called when user-mode connects to the server port - to establish a
    connection
Arguments
    NewClientPort - This is the client connection port that will be used to
        send messages from the filter
    ServerPortCookie - The context associated with this port when the
        minifilter created this port.
    ConnectionContext - Context from entity connecting to this port (most likely
        your user mode service)
    SizeofContext - Size of ConnectionContext in bytes
    ConnectionCookie - Context to be passed to the port disconnect routine.
Return Value
    STATUS_SUCCESS - to accept the connection
--*/
{
    PAGED_CODE();
    UNREFERENCED_PARAMETER(ServerPortCookie);
    UNREFERENCED_PARAMETER(ConnectionContext);
    UNREFERENCED_PARAMETER(SizeOfContext);
    *ConnectionCookie = NULL;   // no per-connection context is handed back
    //
    // The parameter was previously also named ClientPort, which shadowed the
    // global above: "ClientPort = ClientPort" assigned the parameter to itself
    // (the global stayed NULL) and FLT_ASSERT(ClientPort == NULL) tested the
    // non-NULL parameter. With the parameter renamed, both refer to the global.
    //
    FLT_ASSERT(ClientPort == NULL);
    FLT_ASSERT(UserProcess == NULL);
    //
    // Set the user process and port. In a production filter it may
    // be necessary to synchronize access to such fields with port
    // lifetime. For instance, while filter manager will synchronize
    // FltCloseClientPort with FltSendMessage's reading of the port
    // handle, synchronizing access to the UserProcess would be up to
    // the filter.
    //
    UserProcess = PsGetCurrentProcess();
    ClientPort = NewClientPort;
    DbgPrint("!!! scanner.sys --- connected, port=0x%p\n", ClientPort);
    return STATUS_SUCCESS;
}

VOID
ScannerPortDisconnect(
    _In_opt_ PVOID ConnectionCookie
    )
/*++
Routine Description
    This is called when the connection is torn-down. We use it to close our
    handle to the connection
Arguments
    ConnectionCookie - Context from the port connect routine
Return value
    None
--*/
{
    UNREFERENCED_PARAMETER(ConnectionCookie);
    PAGED_CODE();
    DbgPrint("!!! scanner.sys --- disconnected, port=0x%p\n", ClientPort);
    //
    // Close our handle to the connection: note, since we limited max connections to 1,
    // another connect will not be allowed until we return from the disconnect routine.
    //
    FltCloseClientPort(FilterHandle, &ClientPort);
    //
    // Reset the user-process field.
    //
    UserProcess = NULL;
}

NTSTATUS MiniBitUnload(FLT_FILTER_UNLOAD_FLAGS Flags)
{
    UNREFERENCED_PARAMETER(Flags);
    KdPrint(("Driver Unload \r\n"));
    FltCloseCommunicationPort(ServerPort);
    FltUnregisterFilter(FilterHandle);
    IoDeleteDevice(DeviceObject);
    IoDeleteSymbolicLink(&SymLinkName);
    return STATUS_SUCCESS;
}
And this code in my driver entry:
//
// Create a communication port.
//
UNICODE_STRING uniString;
PSECURITY_DESCRIPTOR sd;
OBJECT_ATTRIBUTES oa;

RtlInitUnicodeString(&uniString, ScannerPortName);
//
// The default descriptor built here grants FLT_PORT_ALL_ACCESS to the
// System and Administrators accounts only.
//
status = FltBuildDefaultSecurityDescriptor(&sd, FLT_PORT_ALL_ACCESS);
if (NT_SUCCESS(status)) {
    InitializeObjectAttributes(&oa,
                               &uniString,
                               OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE,
                               NULL,
                               sd);
    status = FltCreateCommunicationPort(FilterHandle,
                                        &ServerPort,
                                        &oa,
                                        NULL,
                                        ScannerPortConnect,
                                        ScannerPortDisconnect,
                                        NULL,
                                        1);   // MaxConnections: one client at a time
    FltFreeSecurityDescriptor(sd);
    if (NT_SUCCESS(status)) {
        status = FltStartFiltering(FilterHandle);
        if (NT_SUCCESS(status)) {
            return STATUS_SUCCESS;
        }
        FltCloseCommunicationPort(ServerPort);
    }
}
//
// Any failure above: undo the filter registration so the driver does not
// stay half-initialized, and report the error.
//
FltUnregisterFilter(FilterHandle);
return status;
Dale Seeley
10-Jun-22 0:22am
View
OK, I am happy to report that I have created the communication port, which I checked with WinObj64: the port is successfully created and removed and the driver works as expected, but I have run into a problem when trying to use FilterConnectCommunicationPort from within my .NET application. I have P/Invoked FilterConnectCommunicationPort like so:
Dim OpenPortHandle As IntPtr = Marshal.AllocHGlobal(Marshal.SizeOf(GetType(IntPtr)))

<DllImport("fltlib", SetLastError:=True)>
Public Shared Function FilterConnectCommunicationPort(<MarshalAs(UnmanagedType.LPWStr)> portName As String,
    options As UInteger, context As IntPtr, sizeOfContext As UInteger, securityAttributes As IntPtr, portPtr As IntPtr) As Integer
End Function
and then in the start monitor section I call:
Dim OpenPortNumber = FilterConnectCommunicationPort("\\PortName", 0, IntPtr.Zero, 0, IntPtr.Zero, OpenPortHandle)
MsgBox(OpenPortNumber)
I have also checked the name of the port and directory, which should be exact, and seen the example in the scanner which makes the same call. The message box returns -2147024773, which makes it clear the connection was refused or unable to connect.
Any Ideas what might be going wrong for me?
thank you in advance!
Dale Seeley
8-Jun-22 14:13pm
View
Oh this is amazing thank you very much I really want to complete this chapter of the project and move on lol 😆. I can't wait to check this out after work.
Dale Seeley
8-Jun-22 1:21am
View
Awesome, thank you for that very useful info, that gets me started! I'll post again tomorrow when I have the first step complete. Thank you Randor.
Dale Seeley
8-Jun-22 0:17am
View
That sounds like a great plan!! At the moment I am reading up on creating the communication port in the driver. FltCbdqInitialize and FltCbdqInsertIo, along with creating and receiving the communication port, are callback methods?
Dale Seeley
7-Jun-22 23:06pm
View
Thank you so much for responding. I do indeed need to pend I/O operations so that the driver will wait until the user allows or denies the process to launch (if this is its intended use?), but as you have stated I will need to learn this and research it, hopefully with your help in the future. Currently I have IOCTL working, as you know, so maybe for now I can try the communication port and FltSendMessage way of receiving notifications from the driver to the user mode application. Will this method also cause the driver to wait for a response, or can that only be achieved by pending I/O operations?
Dale Seeley
6-Jun-22 16:17pm
View
I have also seen someone say to use inverted call but I have no idea how that works or how it fits into a mini filter driver
Dale Seeley
6-Jun-22 16:07pm
View
Can you please let me know what is needed on the application side and driver to set up an event so that the driver will pause until the application/user makes a decision. I hope you can still help 🙏
Dale Seeley
5-Jun-22 19:17pm
View
Filter Name                     Num Instances    Altitude    Frame
------------------------------  -------------  ------------  -----
bindflt                                 1       409800         0
WdFilter                                7       328010         0
storqosflt                              0       244000         0
wcifs                                   0       189900         0
PrjFlt                                  0       189800         0
CldFlt                                  1       180451         0
FileCrypt                               0       141100         0
luafv                                   1       135000         0
npsvctrig                               1        46000         0
Wof                                     5        40700         0
FileInfo                                7        40500         0
The BSOD occurs when I try to load the Driver sys file using OSRLOADER
Unhandled System Threading Exception
Dale Seeley
2-Jun-22 23:16pm
View
Yes please, I would greatly appreciate your help Randor. I am trying to understand how the logic works for this. I have changed the driver to include the ObReferenceObjectByHandle like so:
status = ObReferenceObjectByHandle(registerEvent->hEvent,
                                   SYNCHRONIZE | EVENT_MODIFY_STATE,
                                   *ExEventObjectType,
                                   Irp->RequestorMode,
                                   &notifyRecord->Message.Event,
                                   NULL
                                   );
This code is from the driver event example you suggested to me. I have tried to run that example but it BSOD my system so I am trying to understand and add it to my mini filter driver to notify my user mode application.
Is this thinking correct?
The application creates the event object and passes the handle to the driver via IOCTL. The driver then gets an object reference by handle and CustomTimerDPC is called to signal KeSetEvent, so WaitForSingleObject in user mode is satisfied to show the notification, which in my case is just a simple message box but could work for anything.
At the moment the DeviceIoControl is always returning false, or I am having a BSOD with error code IRQL not equal or less or thread exception not handled... basically I am trying all I can think of but getting nowhere.
I am aware of APC and DISPATCH levels but not sure where and when to set them, and where all this fits into the mini filter driver.
Dale Seeley
22-May-22 17:17pm
View
Hello again Randor, I am finally at the point where I would like to notify my usermode application of events happening within my driver. It's no surprise that I seem to be lost when trying to use the example from the Windows driver sample, as it compiles but BSODs my computer because of an unhandled threading exception. I would like to use the IRP_BASED notify approach as it says there are 2 advantages to using that approach. If you can again point me in the right direction, I would like to know what each side needs to make the notification work. I know to define a global event within the driver, but because I am using .NET for the application side it's difficult to understand the concept and how to receive the notification and have the driver wait until it receives the response from the usermode application.
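Added example, not code from this thread or from the Windows driver samples: a portable C model of the wait described in the comments above, where the driver pends an operation until the user-mode application answers. PendRequest, DeliverVerdict, PollVerdict, the PendingRequest layout and the millisecond clock passed in by the caller are assumptions of this example; a real minifilter would carry the request id in the FltSendMessage payload and wait with a timeout. It shows the two points a practitioner wants from such a design: a reply is applied only to the request it names and only once, and an unanswered request fails closed after its deadline, so a stopped or crashed service cannot turn the filter into an allow-everything pass-through.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Outcome of one allow/deny question sent to the user-mode application. */
typedef enum { VERDICT_PENDING = 0, VERDICT_ALLOW = 1, VERDICT_DENY = 2 } Verdict;

/* Kernel-side record of a pended operation (hypothetical layout for this
 * example; a real driver would keep these in a list it owns). */
typedef struct {
    uint32_t requestId;      /* echoed back in the reply so replies cannot be mixed up */
    char     imagePath[260];
    Verdict  verdict;
    uint64_t deadlineMs;     /* once passed with no reply, the request becomes DENY */
    int      timedOut;
} PendingRequest;

static uint32_t g_nextRequestId = 1;

/* Stand-ins for the two NTSTATUS values used in the thread. */
#define STATUS_SUCCESS        ((int32_t)0x00000000)
#define STATUS_ACCESS_DENIED  ((int32_t)0xC0000022)

/* Called when the pre-operation callback decides to ask user mode. nowMs is
 * a simulated clock supplied by the caller (constructed for this example). */
void PendRequest(PendingRequest *req, const char *imagePath,
                 uint64_t nowMs, uint64_t timeoutMs)
{
    memset(req, 0, sizeof *req);
    req->requestId = g_nextRequestId++;
    strncpy(req->imagePath, imagePath, sizeof req->imagePath - 1);
    req->verdict = VERDICT_PENDING;
    req->deadlineMs = nowMs + timeoutMs;
}

/* The user-mode reply. Returns 1 if applied, 0 if ignored: wrong id, request
 * already decided (including by timeout), or a value that is neither ALLOW
 * nor DENY. */
int DeliverVerdict(PendingRequest *req, uint32_t requestId, Verdict v)
{
    if (requestId != req->requestId) return 0;
    if (req->verdict != VERDICT_PENDING) return 0;
    if (v != VERDICT_ALLOW && v != VERDICT_DENY) return 0;
    req->verdict = v;
    return 1;
}

/* What the waiting driver code sees at time nowMs. Past the deadline with no
 * reply the request resolves to DENY: a silent service must not mean "run". */
Verdict PollVerdict(PendingRequest *req, uint64_t nowMs)
{
    if (req->verdict == VERDICT_PENDING && nowMs >= req->deadlineMs) {
        req->verdict = VERDICT_DENY;
        req->timedOut = 1;
    }
    return req->verdict;
}

/* Maps the final verdict onto the status the callback would store in
 * Data->IoStatus.Status. Anything but an explicit ALLOW is denied. */
int32_t VerdictToStatus(Verdict v)
{
    return v == VERDICT_ALLOW ? STATUS_SUCCESS : STATUS_ACCESS_DENIED;
}

int main(void)
{
    PendingRequest answered, ignored;

    PendRequest(&answered, "C:\\Windows\\notepad.exe", 1000, 500);
    DeliverVerdict(&answered, answered.requestId, VERDICT_ALLOW);
    printf("%s -> status 0x%08X\n", answered.imagePath,
           (unsigned)VerdictToStatus(PollVerdict(&answered, 1200)));

    PendRequest(&ignored, "C:\\Temp\\unknown.exe", 1000, 500);
    printf("%s -> status 0x%08X (timed out: %d)\n", ignored.imagePath,
           (unsigned)VerdictToStatus(PollVerdict(&ignored, 1600)), ignored.timedOut);
    return 0;
}
```

The timeout value is a policy choice: too short and legitimate launches are denied while the user is still reading the prompt; unbounded and a hung service blocks every process start on the machine.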
Dale Seeley
18-May-22 2:39am
View
This post is old, but I came across it with limited understanding at first and can confirm this works great! The code is basically the same in pure C if anyone needs it.
ULONG PROC_TAG = 0;
UNICODE_STRING processName;
processName.Length = 0;
processName.MaximumLength = (USHORT)(DoSPath.MaximumLength + Data->Iopb->TargetFileObject->FileName.MaximumLength + 2);
processName.Buffer = ExAllocatePoolWithTag(PagedPool, processName.MaximumLength, PROC_TAG);
if (processName.Buffer != NULL) {   // pool allocation can fail; never use a NULL buffer
    RtlCopyUnicodeString(&processName, &DoSPath);
    RtlAppendUnicodeStringToString(&processName, &Data->Iopb->TargetFileObject->FileName);
    KdPrint(("%wZ \r\n", &processName));   // %wZ expects a pointer to the UNICODE_STRING
    ExFreePoolWithTag(processName.Buffer, PROC_TAG);   // release it once the name is no longer needed
}
cheers and thank you to the original solution!
Dale Seeley
15-May-22 21:51pm
View
Thank you, after some hair pulling I finally got the file path correct! Thank you Randor
Dale Seeley
15-May-22 19:29pm
View
Deleted
Excuse me for my ignorance please but I am not very strong yet in C coding and need to understand this better
NTSTATUS IoVolumeDeviceToDosName(
    [in]  PVOID           VolumeDeviceObject,
    [out] PUNICODE_STRING DosName
);
I am trying to supply the volumedeviceobject like so:
PFLT_FILE_NAME_INFORMATION FileNameInfo;
UNICODE_STRING DoSName;
IoVolumeDeviceToDosName(FileNameInfo->Volume.Buffer, &DoSName)
It still only gives me the volume name and not the drive letter..
Here is the code:
FLT_PREOP_CALLBACK_STATUS MiniDriverPreOperation(
    PFLT_CALLBACK_DATA Data,
    PCFLT_RELATED_OBJECTS FltObjects,
    PVOID* CompletionContext)
{
    UNREFERENCED_PARAMETER(FltObjects);
    UNREFERENCED_PARAMETER(CompletionContext);
    if ((Data->Iopb->Parameters.AcquireForSectionSynchronization.PageProtection & PAGE_EXECUTE) && (Data->Iopb->Parameters.AcquireForSectionSynchronization.SyncType == SyncTypeCreateSection))
    {
        PFLT_FILE_NAME_INFORMATION FileNameInfo;
        NTSTATUS status;
        WCHAR Name[200] = { 0 };
        UNICODE_STRING DoSName;
        status = FltGetFileNameInformation(Data, FLT_FILE_NAME_NORMALIZED | FLT_FILE_NAME_QUERY_DEFAULT, &FileNameInfo);
        if (NT_SUCCESS(status)) {
            status = FltParseFileNameInformation(FileNameInfo);
            if (NT_SUCCESS(status)) {
                if (FileNameInfo->Name.MaximumLength < 260) {
                    //I will check here to determine if the process should be allowed or not to run
                    //Data->IoStatus.Status = STATUS_ACCESS_DENIED;
                    //Data->IoStatus.Information = 0;
                    RtlCopyMemory(Name, FileNameInfo->Name.Buffer, FileNameInfo->Name.MaximumLength);
                    KdPrint(("Information: %ws \r\n", IoVolumeDeviceToDosName(FileNameInfo->Volume.Buffer, &DoSName)));
                }
            }
            FltReleaseFileNameInformation(FileNameInfo);
        }
    }
    return FLT_PREOP_SUCCESS_WITH_CALLBACK;
}
Dale Seeley
14-May-22 1:56am
View
I am noticing, and maybe it's a realization if correct... Are you not able to get the drive letter within the pre operation and only in the post operation, because it's not actually loaded yet? If that is the case, how can I stop this in the file layer before it's loaded into memory and still determine the drive or DOS path?
Dale Seeley
14-May-22 1:15am
View
Getting the dosName would be preferred
Dale Seeley
14-May-22 0:31am
View
Currently I am using FltParseFileNameInformation but it still only gives me the path, like so:
Information: \Device\HarddiskVolume6\Windows\System32\wbem\wmiutils.dll
What I would like to change is \Device\HarddiskVolume6\, to display a drive letter instead.
Dale Seeley
12-May-22 2:12am
View
My question now is... communication with my application: can you still use DeviceIoControl, or is there a better method? Also the file paths come up like this:
Information: \Device\HarddiskVolume6\Program Files\WindowsApps\Microsoft.WindowsNotepad_11.2203.10.0_x64__8wekyb3d8bbwe\Notepad\Notepad.exe
Is there a way to get the drive letter to form a proper path?
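Added example (not from this thread): translating the \Device\HarddiskVolumeN prefix in the paths above into a drive letter, in portable C. The VolumeMapping table, its three entries and NtPathToDosPath are constructed for this example; on a real system the table would be filled per drive letter with QueryDosDeviceW in user mode, and the kernel-side equivalent for a volume device object is IoVolumeDeviceToDosName. The boundary check is the part that matters for an allow/deny decision: a plain prefix compare would map \Device\HarddiskVolume60\... onto the letter of HarddiskVolume6, and a path that cannot be translated is reported as a failure rather than passed on half-converted.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* One row of the volume table: an NT device name and the drive letter it is
 * mounted as. Constructed for this example. */
typedef struct {
    const char *ntPrefix;
    char driveLetter;
} VolumeMapping;

static const VolumeMapping kVolumes[] = {
    { "\\Device\\HarddiskVolume6",  'C' },
    { "\\Device\\HarddiskVolume60", 'D' },  /* shares a prefix with volume 6 on purpose */
    { "\\Device\\HarddiskVolume2",  'E' },
};
static const size_t kVolumeCount = sizeof kVolumes / sizeof kVolumes[0];

/* Case-insensitive "does s start with prefix". NT object names are
 * case-insensitive, so \DEVICE\HARDDISKVOLUME6 must match as well. */
static int StartsWithCI(const char *s, const char *prefix, size_t *prefixLen)
{
    size_t i = 0;
    for (; prefix[i] != '\0'; i++) {
        if (s[i] == '\0' ||
            tolower((unsigned char)s[i]) != tolower((unsigned char)prefix[i]))
            return 0;
    }
    *prefixLen = i;
    return 1;
}

/* Translate "\Device\HarddiskVolumeN\rest" into "X:\rest".
 * Returns 1 on success. Returns 0 with an empty out when the volume is not
 * in the table, when the device name is not followed by a separator, or when
 * the result would not fit: code deciding whether a file may run must never
 * act on a partial or mistranslated path. */
int NtPathToDosPath(const char *ntPath, const VolumeMapping *map, size_t count,
                    char *out, size_t outLen)
{
    if (outLen == 0) return 0;
    out[0] = '\0';
    for (size_t i = 0; i < count; i++) {
        size_t len;
        if (!StartsWithCI(ntPath, map[i].ntPrefix, &len)) continue;
        /* The device name must be followed by '\' or end the string;
         * otherwise "...Volume6" would wrongly claim "...Volume60\x.exe". */
        if (ntPath[len] != '\\' && ntPath[len] != '\0') continue;
        const char *rest = (ntPath[len] == '\0') ? "\\" : ntPath + len;
        int n = snprintf(out, outLen, "%c:%s", map[i].driveLetter, rest);
        if (n < 0 || (size_t)n >= outLen) { out[0] = '\0'; return 0; }
        return 1;
    }
    return 0;
}

int main(void)
{
    /* Constructed inputs in the shape the thread's KdPrint output shows. */
    const char *samples[] = {
        "\\Device\\HarddiskVolume6\\Windows\\System32\\wbem\\wmiutils.dll",
        "\\Device\\HarddiskVolume60\\x.exe",
        "\\Device\\HarddiskVolume7\\x.exe",
    };
    char dos[260];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int ok = NtPathToDosPath(samples[i], kVolumes, kVolumeCount, dos, sizeof dos);
        printf("%s -> %s\n", samples[i], ok ? dos : "(no mapping)");
    }
    return 0;
}
```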
Dale Seeley
12-May-22 1:23am
View
Deleted
My error is:
Severity Code Description Project File Line Suppression State
Warning C4113 'FLT_POSTOP_CALLBACK_STATUS (__cdecl *)(PFLT_CALLBACK_DATA,PCFLT_RELATED_OBJECTS,PVOID *)' differs in parameter lists from 'PFLT_POST_OPERATION_CALLBACK' Mini_Bit_Driver C:\Users\Cobal\OneDrive\Desktop\Mini-Bit\Mini_Bit_Driver\Mini_Bit_Driver.c 10
and MSDN says:
A function pointer is assigned to another function pointer, but the formal parameter lists of the functions do not agree. The assignment is compiled without modification.
I am lost at this point :(
Dale Seeley
12-May-22 1:20am
View
Hello again Randor, you suggested I keep researching, learning and experimenting, so I am doing just that and making progress in my minifilter driver. Here is my code so far:
#include <fltkernel.h>
#include <dontuse.h>

PFLT_FILTER FilterHandle = NULL;

NTSTATUS MiniBitUnload(FLT_FILTER_UNLOAD_FLAGS Flags);
FLT_PREOP_CALLBACK_STATUS MiniDriverPreOperation(PFLT_CALLBACK_DATA Data, PCFLT_RELATED_OBJECTS FltObjects, PVOID* CompletionContext);
FLT_POSTOP_CALLBACK_STATUS MiniDriverPostOperation(PFLT_CALLBACK_DATA Data, PCFLT_RELATED_OBJECTS FltObjects, PVOID* CompletionContext);

const FLT_OPERATION_REGISTRATION Callbacks[] = {
    {IRP_MJ_ACQUIRE_FOR_SECTION_SYNCHRONIZATION, 0, MiniDriverPreOperation, MiniDriverPostOperation},
    {IRP_MJ_OPERATION_END}
};

const FLT_REGISTRATION FilterRegistration = {
    sizeof(FLT_REGISTRATION),
    FLT_REGISTRATION_VERSION,
    0,
    NULL,
    Callbacks,
    MiniBitUnload,
    NULL,
    NULL,
    NULL,
    NULL,
    NULL,
    NULL,
    NULL,
    NULL
};

NTSTATUS MiniBitUnload(FLT_FILTER_UNLOAD_FLAGS Flags) {
    UNREFERENCED_PARAMETER(Flags);
    KdPrint(("Driver Unload \r\n"));
    FltUnregisterFilter(FilterHandle);
    return STATUS_SUCCESS;
}

NTSTATUS DriverEntry(PDRIVER_OBJECT DriverObject,
                     PUNICODE_STRING RegistryPath) {
    NTSTATUS status;
    UNREFERENCED_PARAMETER(RegistryPath);
    status = FltRegisterFilter(DriverObject, &FilterRegistration, &FilterHandle);
    if (NT_SUCCESS(status)) {
        status = FltStartFiltering(FilterHandle);
        if (!NT_SUCCESS(status)) {
            FltUnregisterFilter(FilterHandle);
        }
    }
    return status;   // DriverEntry must report the outcome to the I/O manager
}

FLT_PREOP_CALLBACK_STATUS MiniDriverPreOperation(PFLT_CALLBACK_DATA Data,
                                                 PCFLT_RELATED_OBJECTS FltObjects,
                                                 PVOID* CompletionContext) {
    UNREFERENCED_PARAMETER(FltObjects);
    UNREFERENCED_PARAMETER(CompletionContext);
    if ((Data->Iopb->Parameters.AcquireForSectionSynchronization.PageProtection & PAGE_EXECUTE) && (Data->Iopb->Parameters.AcquireForSectionSynchronization.SyncType == SyncTypeCreateSection))
    {
        PFLT_FILE_NAME_INFORMATION FileNameInfo;
        NTSTATUS status;
        WCHAR Name[200] = { 0 };
        status = FltGetFileNameInformation(Data, FLT_FILE_NAME_NORMALIZED | FLT_FILE_NAME_QUERY_DEFAULT, &FileNameInfo);
        if (NT_SUCCESS(status)) {
            status = FltParseFileNameInformation(FileNameInfo);
            if (NT_SUCCESS(status)) {
                if (FileNameInfo->Name.MaximumLength < 260) {
                    // I will check here to determine if the process should be allowed or not to run
                    //Data->IoStatus.Status = STATUS_ACCESS_DENIED;
                    //Data->IoStatus.Information = 0;
                    RtlCopyMemory(Name, FileNameInfo->Name.Buffer, FileNameInfo->Name.MaximumLength);
                    KdPrint(("Information: %ws \r\n", Name));
                }
            }
            FltReleaseFileNameInformation(FileNameInfo);
        }
    }
    return FLT_PREOP_SUCCESS_NO_CALLBACK;
}

FLT_POSTOP_CALLBACK_STATUS MiniDriverPostOperation(PFLT_CALLBACK_DATA Data,
                                                   PCFLT_RELATED_OBJECTS FltObjects,
                                                   PVOID* CompletionContext) {
    UNREFERENCED_PARAMETER(Data);
    UNREFERENCED_PARAMETER(FltObjects);
    UNREFERENCED_PARAMETER(CompletionContext);
    KdPrint(("Post Create Is Running \r\n"));
    return FLT_POSTOP_FINISHED_PROCESSING;
}
This is a
Dale Seeley
11-May-22 18:11pm
View
No just a friendly person like yourself who decided to help
Dale Seeley
11-May-22 0:42am
View
Awesome, I will be creating a minifilter driver then to deal with process notifications and blocking. I will look at the link you have provided to try and learn how the events work and how to signal or notify my usermode application and send a response back to the driver. I hope to put this part of the project to bed soon as it's quite in depth and has already taken me so long to understand lol. Just to clarify, I can define an event globally and then set that event within the callback to have the callback wait for a response as to block or allow?
Dale Seeley
11-May-22 0:38am
View
Thank you again for the quick response and time taken to help me out in my driver adventure. I agree with you that a minifilter driver would be best, also now that I research it and take your advice, but will my current code be sufficient, or does my current code allow the process to load into memory?
Dale Seeley
11-May-22 0:01am
View
I found this code but it's unclear where it's called in the driver and if it's to be used within a minifilter or kernel driver
if ((Data->Iopb->Parameters.AcquireForSectionSynchronization.PageProtection & PAGE_EXECUTE) && (Data->Iopb->Parameters.AcquireForSectionSynchronization.SyncType == SyncTypeCreateSection))
{
    // this is a process execution which is about to start, determine here if the process is allowed to run, if not:
    Data->IoStatus.Status = STATUS_ACCESS_DENIED;   // <-- this will deny the process execution ^_^
    Data->IoStatus.Information = 0;
}
Dale Seeley
10-May-22 23:41pm
View
Should I be using a minifilter driver or Kernel driver or will it make much difference?
Dale Seeley
10-May-22 23:38pm
View
Actually I can see now that within my PsSetCreateProcessNotifyRoutineEx I do have PS_CREATE_NOTIFY_INFO, and going to that definition shows the exact structure that you have posted here. Is this the file layer that you are speaking of? Here is the code I have in that area:
void OnProcessNotify(PEPROCESS Process, HANDLE ProcessId, PPS_CREATE_NOTIFY_INFO CreateInfo)
{
    UNREFERENCED_PARAMETER(Process);
    if (CreateInfo) {
        ProcId = HandleToUlong(ProcessId);
        RtlCopyUnicodeString(&ImageP, CreateInfo->ImageFileName);
        //DbgPrint("%d %wZ", ProcId, ImageP);
        if (!CreateInfo->IsSubsystemProcess) {
            CreateInfo->CreationStatus = STATUS_ACCESS_DISABLED_NO_SAFER_UI_BY_POLICY;
        }
    }
}
I was first wondering how this structure was called, a bit embarrassing seeing this now, sorry. It's painfully obvious I am not strong yet in C coding. So that brings me back to the MajorFunction IRP_MJ_ACQUIRE_FOR_SECTION_SYNCHRONIZATION, as I understand this is the callback that is called when file operations occur:
NTSTATUS FsRtlRegisterFileSystemFilterCallbacks(
    [in] _DRIVER_OBJECT      *FilterDriverObject,
    [in] PFS_FILTER_CALLBACKS Callbacks
);
So I pass in The DriverObject and PFS_FILTER_CALLBACKS which I found to be:
typedef struct _FS_FILTER_CALLBACKS {
    ULONG                         SizeOfFsFilterCallbacks;
    ULONG                         Reserved;
    PFS_FILTER_CALLBACK           PreAcquireForSectionSynchronization;
    PFS_FILTER_COMPLETION_CALLBACK PostAcquireForSectionSynchronization;
    PFS_FILTER_CALLBACK           PreReleaseForSectionSynchronization;
    PFS_FILTER_COMPLETION_CALLBACK PostReleaseForSectionSynchronization;
    PFS_FILTER_CALLBACK           PreAcquireForCcFlush;
    PFS_FILTER_COMPLETION_CALLBACK PostAcquireForCcFlush;
    PFS_FILTER_CALLBACK           PreReleaseForCcFlush;
    PFS_FILTER_COMPLETION_CALLBACK PostReleaseForCcFlush;
    PFS_FILTER_CALLBACK           PreAcquireForModifiedPageWriter;
    PFS_FILTER_COMPLETION_CALLBACK PostAcquireForModifiedPageWriter;
    PFS_FILTER_CALLBACK           PreReleaseForModifiedPageWriter;
    PFS_FILTER_COMPLETION_CALLBACK PostReleaseForModifiedPageWriter;
    PFS_FILTER_CALLBACK           PreQueryOpen;
    PFS_FILTER_COMPLETION_CALLBACK PostQueryOpen;
} FS_FILTER_CALLBACKS, *PFS_FILTER_CALLBACKS;
How is this used to get notified at the file layer, which you describe as better because it happens before the process or file is loaded into memory?
Dale Seeley
10-May-22 22:40pm
View
Thank you Randor for bringing this to my attention. I am not sure how I overlooked this with all the hours of research I've been doing, but reading the PS_CREATE_NOTIFY_INFO link you have supplied, it is a structure and not a callback? How is this implemented into the driver if ProcessCreationNotifyEx is not the way and by that time the process is already loaded into memory? Will replacing my major function DriverObject->MajorFunction[IRP_MJ_DEVICE_CONTROL] = IoControl; with IRP_MJ_ACQUIRE_FOR_SECTION_SYNCHRONIZATION make it possible to receive the callbacks at the file layer level? And to my original question, how would I go about setting an event within all this and waiting for a response from my user mode application? I have heard inverted calls might be the answer, but if there is a better way I am all ears.
Dale Seeley
6-May-22 1:27am
View
SUCCESS!!! removing both if statements seemed to do the trick!!!! SO VERY HAPPY! Thank you Thank you Thank you
Dale Seeley
6-May-22 1:14am
View
Ok I must be almost there.... ALMOST!! but still no cigar
Everything you have described is changed in the code, both in the driver and in the application but once again I have hit a few snags.
This is my driver switch statement as of now
UNREFERENCED_PARAMETER(DeviceObject);
NTSTATUS status = STATUS_UNSUCCESSFUL;
PIO_STACK_LOCATION irpsp = IoGetCurrentIrpStackLocation(Irp);
ULONG returnLength = 0;
PVOID* buffer = Irp->AssociatedIrp.SystemBuffer;
ULONG inLength = irpsp->Parameters.DeviceIoControl.InputBufferLength;
ULONG outLength = irpsp->Parameters.DeviceIoControl.OutputBufferLength;
switch (irpsp->Parameters.DeviceIoControl.IoControlCode)
{
case RECEIVE_FROM_USER:
    break;
case SEND_PID_TO_USER:
    if (outLength == sizeof(ULONG))
    {
        *buffer = ProcId;
        returnLength = sizeof(*buffer);
        status = STATUS_SUCCESS;
    }
    break;
case SEND_PATH_TO_USER:
    if (outLength <= (ImageP.Length / 2) - 1)
    {
        RtlFillMemory(buffer, outLength, 0);
        RtlCopyBytes(buffer, ImageP.Buffer, ImageP.Length * 2);
        status = STATUS_SUCCESS;
        returnLength = ImageP.Length * 2;
    }
    break;
}
I get a warning in RtlCopyBytes C26451 Arithmetic overflow: Using operator "*" on a 4 byte value and then casting the result to 8 byte value. Cast the value to the wider type before calling operator "*" to avoid overflow (io2)
The 4 byte value is the return length in bytes of the UNICODE_STRING? What types in C++ are wider to cast to, and how? Is there a WUNICODE_STRING of some kind?
OMG!!! SUCCESS!! I am able to see the UNICODE_STRING process path in my application, but only if I remove the "if" statement if (outLength <= (ImageP.Length /2) -1) from SEND_PATH_TO_USER; but then the SEND_PID_TO_USER CTL fails in my application and I only receive the process path and not the PID. Again, if I remove the "if" statement from SEND_PID_TO_USER I get only the PID and not the process path. It appears to be an issue with the outLength, or using outLength where I should not be using it. Can you please let me know what you think is wrong? I am so so close and owe it to you; thank you for being so patient and I look forward to seeing your answer. Might be a simple question to help me solve this issue, but what does nOutBufferSize refer to? sizeof(buffer)? or sizeof/Length of UNICODE_STRING, or something else?
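Added example, not code from this thread or from Randor's replies: a portable C model of the two output-buffer cases in the switch statement above, with stand-in typedefs so it builds without the WDK. FillPidOutput, FillPathOutput, ScenarioSendPath and the constructed path are assumptions of this example. It shows the check a METHOD_BUFFERED handler needs before writing into SystemBuffer: compare OutputBufferLength (the nOutBufferSize the application passed to DeviceIoControl, in bytes) against the bytes required, where UNICODE_STRING.Length is already a byte count, refuse rather than truncate when the buffer is too small, and report in Information exactly the bytes written, since that is how many bytes the I/O manager copies back to the caller.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Minimal stand-ins for the kernel types so the example builds outside the
 * WDK; the real definitions come from ntddk.h / fltkernel.h. */
typedef uint16_t WCHAR;          /* 16-bit, unlike a 32-bit Linux wchar_t */
typedef uint32_t ULONG;
typedef int32_t  NTSTATUS;
typedef struct {
    uint16_t Length;             /* bytes in use: not characters, no NUL included */
    uint16_t MaximumLength;      /* bytes allocated for Buffer */
    WCHAR   *Buffer;
} UNICODE_STRING;

#define STATUS_SUCCESS          ((NTSTATUS)0x00000000)
#define STATUS_BUFFER_TOO_SMALL ((NTSTATUS)0xC0000023)

/* Builds a UNICODE_STRING from ASCII into caller-provided storage (test
 * fixture only). Returns 0 if the storage cannot hold the text. */
int MakeUnicodeStringFromAscii(const char *ascii, WCHAR *storage,
                               size_t storageBytes, UNICODE_STRING *out)
{
    size_t bytes = strlen(ascii) * sizeof(WCHAR);
    if (bytes > storageBytes || storageBytes > UINT16_MAX) return 0;
    for (size_t i = 0; ascii[i] != '\0'; i++)
        storage[i] = (WCHAR)(unsigned char)ascii[i];
    out->Buffer = storage;
    out->Length = (uint16_t)bytes;
    out->MaximumLength = (uint16_t)storageBytes;
    return 1;
}

/* SEND_PID_TO_USER: the caller's output buffer (OutputBufferLength, i.e. the
 * nOutBufferSize the application passed) must hold at least one ULONG. */
NTSTATUS FillPidOutput(void *buffer, ULONG outLength, ULONG pid, ULONG *returnLength)
{
    *returnLength = 0;
    if (buffer == NULL || outLength < sizeof(ULONG))
        return STATUS_BUFFER_TOO_SMALL;
    memcpy(buffer, &pid, sizeof pid);
    *returnLength = sizeof pid;           /* Information = bytes actually written */
    return STATUS_SUCCESS;
}

/* SEND_PATH_TO_USER: copy Length bytes (already a byte count, so no "* 2")
 * plus a terminating NUL, and refuse rather than truncate when it does not
 * fit. Only *returnLength bytes travel back to user mode, so nothing beyond
 * what was written here ever leaves the kernel buffer. */
NTSTATUS FillPathOutput(void *buffer, ULONG outLength,
                        const UNICODE_STRING *path, ULONG *returnLength)
{
    ULONG needed = (ULONG)(path->Length + sizeof(WCHAR));
    *returnLength = 0;
    if (buffer == NULL || outLength < needed)
        return STATUS_BUFFER_TOO_SMALL;
    memcpy(buffer, path->Buffer, path->Length);
    memset((uint8_t *)buffer + path->Length, 0, sizeof(WCHAR));
    *returnLength = needed;
    return STATUS_SUCCESS;
}

/* Worked scenario: the ImageP case with a constructed path and a
 * caller-chosen output buffer size. Returns the status; *bytesBack receives
 * the value that would go into Irp->IoStatus.Information. */
NTSTATUS ScenarioSendPath(ULONG outLength, ULONG *bytesBack)
{
    static WCHAR storage[64];
    static uint8_t systemBuffer[64];
    UNICODE_STRING imageP;
    MakeUnicodeStringFromAscii("C:\\Windows\\notepad.exe", storage,
                               sizeof storage, &imageP);   /* 22 chars = 44 bytes */
    return FillPathOutput(systemBuffer, outLength, &imageP, bytesBack);
}

int main(void)
{
    ULONG n = 0;
    NTSTATUS s = ScenarioSendPath(64, &n);
    printf("64-byte output buffer: status 0x%08X, Information=%u\n", (unsigned)s, (unsigned)n);
    s = ScenarioSendPath(45, &n);
    printf("45-byte output buffer: status 0x%08X, Information=%u\n", (unsigned)s, (unsigned)n);
    return 0;
}
```

With a 64-byte buffer the 44-byte path plus its 2-byte terminator fits and Information becomes 46; with 45 bytes the handler returns STATUS_BUFFER_TOO_SMALL and Information stays 0, so the application can size a bigger buffer and retry instead of receiving a silently cut path.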
Dale Seeley
4-May-22 22:12pm
View
Thank you so much, the way you describe everything is amazing and the level of detail you go into to describe what's happening is so very much appreciated. True life saver, thank you again!
Dale Seeley
4-May-22 22:11pm
View
Thank you very much for this!
Dale Seeley
4-May-22 2:18am
View
Deleted
I have tried to cover all that you have suggested this evening and I am partly successful. I have fixed and properly initialized my UNICODE_STRING ProcPath and have changed the DeviceIoControl in my application from ULong to IntPtr. I have added the new IOCTL for the process path in the driver and application. But in the driver "(NTSTATUS IoControl(PDEVICE_OBJECT DeviceObject, PIRP Irp)"
I have
NTSTATUS IoControl(PDEVICE_OBJECT DeviceObject, PIRP Irp)
{
    UNREFERENCED_PARAMETER(DeviceObject);
    NTSTATUS status = STATUS_UNSUCCESSFUL;
    PIO_STACK_LOCATION irpsp = IoGetCurrentIrpStackLocation(Irp);
    ULONG returnLength = 0;
    PVOID* buffer = Irp->AssociatedIrp.SystemBuffer;
    ULONG inLength = irpsp->Parameters.DeviceIoControl.InputBufferLength;
    ULONG outLength = irpsp->Parameters.DeviceIoControl.OutputBufferLength;
    switch (irpsp->Parameters.DeviceIoControl.IoControlCode)
    {
    case RECEIVE_FROM_USER:
        break;
    case SEND_PID_TO_USER:
        *buffer = ProcId;
        returnLength = sizeof(*buffer);
        status = STATUS_SUCCESS;
        break;
    case SEND_PATH_TO_USER:
        *buffer = &ImageP;
        returnLength = sizeof(*buffer);
        status = STATUS_SUCCESS;
        break;
    }
    Irp->IoStatus.Status = status;
    Irp->IoStatus.Information = returnLength;
    IoCompleteRequest(Irp, IO_NO_INCREMENT);
    return status;
}
Is this correct?
Also I am having some issues to understand how to do your suggestion:
Your ulong VB code then needs to allocate an unmanaged buffer, call the driver using the pointer to the buffer as the output parameter, then retrieve the ulong value from the pointer. I don't speak VB, so I don't know how to do that, something like C#'s Marshal.AllocHGlobal with a size of 8 and then Marshal.ReadInt64 to get the value.
Are you talking about allocating Proc_Id ulong as an unmanaged buffer and calling the driver with DeviceIoControl? Plain IntPtr does not accept Proc_Id() ulong as a list/container/buffer.
Can you give some example of Marshal.AllocHGlobal(8) in C#? I seem to only get back long numbers when using Marshal.ReadInt64, and I am also confused when it comes to calling both CTLs to receive PID and PATH.
At the moment this is what the DeviceIoControl code looks like:
Dim Proc_Info As ULong
Dim Bytes_IO As Integer = 0
Do While True
    Dim CurrentID As ULong
    If DeviceIoControl(hFile, IO_GET_CLIENT_PROCID, Nothing, 0, Proc_Info, Len(Proc_Info), Bytes_IO, Nothing) Then
        Dim ptr As IntPtr
        ptr = Marshal.AllocHGlobal(8)
        MsgBox(Marshal.ReadInt64(ptr))
        Marshal.FreeHGlobal(ptr)
        ' If Not CurrentID = Proc_Info Then
        '     CurrentID = Proc_Info
        '     Invoke(Sub() RichTextBox1.AppendText(Proc_Info.ToString))
        '     Invoke(Sub() RichTextBox1.AppendText(vbCrLf))
        ' End If
    End If
Loop
I have IO_GET_CLIENT_PROCID, but what is the best method to call the other CTL? Do I just copy and paste the If DeviceIoControl(hFile, IO_GET_CLIENT_PROCID,Nothing,0,Proc_Info,Len(Proc_Info),Bytes_IO,Nothing) with
DeviceIoControl(hFile, IO_GET_CLIENT_PATH,Nothing,0,Proc_Info,Len(Proc_Info),Bytes_IO,Nothing) and go from there?