FUN: Help me write a filter driver


Poll: What should I try and hook?

[Poll results: five options with 2 / 0 / 1 / 0 / 1 votes (50% / 0% / 25% / 0% / 25%); the option labels were not preserved in this copy.]

Total Votes : 4

FUN: Help me write a filter driver

Post by Stephen2 on 22/10/2010, 07:29

OK, so I've built step 1 - a Windows 7 x64 driver that Starts and Stops.

The next step is to make it do something useful, like intercept calls to various OS functions.

Let's see how far I can get before I either say "this is too hard" or "I want to do something else"!

Help me choose which kind of filter to try to write - at first it will be a passthrough filter of course, but the goal is to write to Debug some info about the calls - file name, registry key... whatever.



Stephen2
Member

Posts : 34
Join date : 2010-10-18
Location : Melbourne, Australia

Re: FUN: Help me write a filter driver

Post by ssj100 on 22/10/2010, 08:44

This is way beyond me, but I've voted "Process functions" for whatever it's worth.

_________________
Sandboxie + LUA + SRP + DEP + SuRun
Windows Firewall + NAT Router + IPSec (on-demand)
VirtualBox (on-demand)
Drive SnapShot (on-demand)
ssj100
Administrator

Posts : 1389
Join date : 2010-04-14

http://ssj100.fullsubject.com

Re: FUN: Help me write a filter driver

Post by Stephen2 on 22/10/2010, 10:19

Hey, it's way beyond me too, but I program for a living so it's not entirely new.

I think I can give it a decent shake to at least see what is executing (I know there are many many methods) and write it to a debug session.

OK, I'll see if I can hook the CreateProcess API function at first, then write to a debug session.

Stay tuned for my awesome ultimate software, muahaha


Re: FUN: Help me write a filter driver

Post by Stephen2 on 22/10/2010, 17:47

OK - quick update, I've got a driver loaded that gets called every time a process starts and stops.

I am passed the process ID, and am figuring out now how to get the image (exe) name from this, in kernel space.


Re: FUN: Help me write a filter driver

Post by Stephen2 on 22/10/2010, 18:44

Cool, so I've got the processName:

http://yfrog.com/nfv01screeniep

See the process name always appears twice. This is when it starts, and when it closes.

Next steps:

1) Figure out whether process is opening or closing

2) Pass info to User Mode (so we can click Allow/Block)

3) Cancel execution if BLOCK is pressed


Re: FUN: Help me write a filter driver

Post by simmikie on 23/10/2010, 14:15

Good gawd! An Australian that uses his head for more than crushing beer cans. Just kidding! Your project sounds fun... good luck.

btw, I voted network access.


Mike

Admin note Please, no personal, racist or nationalist banter on the forum. I know this was meant as a joke but it's not acceptable. Patrick

simmikie
Member

Posts : 17
Join date : 2010-10-23

Re: FUN: Help me write a filter driver

Post by Stephen2 on 26/10/2010, 17:04

OK, so steps 1, 2 and 3 are done, see images:

Debug LOG:
http://img831.imageshack.us/i/v02debug.png/

My awesome allow/block screen:
http://img401.imageshack.us/i/v02allowblock.png/

Next steps:

1) Pass ProcessID to User mode

2) Use ProcessID in user mode to get file name

3) Use file name to get SHA1 hash

4) Add "Remember Rule" to allow/block screen

5) Build DB of permanent rules

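Steps 1 and 3 from the 22/10 post (telling a start from an exit, and cancelling execution on BLOCK) together with the "Remember Rule" / rules DB steps above, as an added example that is not Stephen2's code: the allow/block decision core written as portable C so it can be tested outside the kernel. It assumes the driver uses the documented PsSetCreateProcessNotifyRoutineEx callback (CreateInfo is NULL on exit, non-NULL on creation, and a creation is denied by setting CreateInfo->CreationStatus); the names proc_event, rule_table, remember_rule and decide, and the notepad.exe sample event, are this example's own.

```c
/* Added example, not code from the thread: the allow/block decision core of the
 * process-start filter, in portable C so it can be tested outside the kernel. In
 * the driver, the callback registered with PsSetCreateProcessNotifyRoutineEx gets
 * CreateInfo == NULL on exit and a filled PS_CREATE_NOTIFY_INFO on creation; only
 * a creation can be denied (CreateInfo->CreationStatus = STATUS_ACCESS_DENIED).
 * proc_event, rule_table, remember_rule and decide are this example's own names. */
#include <stdio.h>
#include <ctype.h>
typedef enum { VERDICT_ASK = 0, VERDICT_ALLOW = 1, VERDICT_BLOCK = 2 } verdict_t;
/* What kernel mode hands to user mode: pid, image path, start or exit. */
typedef struct {
    unsigned long pid;
    const char *image;  /* NT path of the executable */
    int is_create;      /* 1 = starting (CreateInfo != NULL), 0 = exiting */
} proc_event;
/* A remembered rule: exact image path -> permanent verdict. */
typedef struct { const char *image; verdict_t verdict; } rule;
#define MAX_RULES 64
typedef struct { rule items[MAX_RULES]; size_t count; } rule_table;
/* NTFS paths are case-insensitive, so compare rules the same way. */
static int path_equal(const char *a, const char *b) {
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b)) return 0;
    return *a == *b;
}
/* Store or update a rule ("Remember Rule" on the Allow/Block screen). */
int remember_rule(rule_table *t, const char *image, verdict_t v) {
    size_t i;
    for (i = 0; i < t->count; i++)
        if (path_equal(t->items[i].image, image)) { t->items[i].verdict = v; return 1; }
    if (t->count == MAX_RULES) return 0;          /* table full: caller must ask */
    t->items[t->count].image = image; t->items[t->count].verdict = v; t->count++;
    return 1;
}
/* Exits are always allowed; unknown images return ASK (show the dialog); known ones use their rule. */
verdict_t decide(const rule_table *t, const proc_event *ev) {
    size_t i;
    if (!ev->is_create) return VERDICT_ALLOW;
    for (i = 0; i < t->count; i++)
        if (path_equal(t->items[i].image, ev->image)) return t->items[i].verdict;
    return VERDICT_ASK;
}
int main(void) {                                     /* stand-alone demo, constructed event */
    rule_table t = {0};
    proc_event ev = {4100, "\\Device\\HarddiskVolume1\\Windows\\System32\\notepad.exe", 1};
    printf("unknown image: %d (0 = ask)\n", decide(&t, &ev));
    remember_rule(&t, ev.image, VERDICT_BLOCK);      /* user chose BLOCK + Remember */
    printf("after rule: %d (2 = block)\n", decide(&t, &ev));
    return 0;
}
```

In the driver, a BLOCK verdict coming back from user mode is what sets CreationStatus on the pending creation; an exit notification carries nothing to cancel, which is why decide() lets it through.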
