Driver start/stop controlling(like ObcallbackTest)

Hi,
The ObCallbackTest sample is for processes in user mode,
but it doesn’t work for drivers.
Is there any sample/hint like it for driver start/stop control?
I know that ‘PsSetLoadImageNotifyRoutine’ can only monitor driver start, but it does not have any control over forced termination or unloading.
Also, I can’t use Zw(Load/Unload)Driver hooking because of PatchGuard!

Thanks for any recommendation.

Are you trying to monitor when a driver is loaded/unloaded? What is it
you are attempting to accomplish?

Pete


Kernel Drivers
Windows File System and Device Driver Consulting
www.KernelDrivers.com
866.263.9295

------ Original Message ------
From: xxxxx@chmail.ir
To: “Windows File Systems Devs Interest List”
Sent: 10/15/2016 7:08:18 AM
Subject: [ntfsd] Driver start/stop controlling(like ObcallbackTest)

>Hi,
>The ObCallbackTest sample is for processes in user mode,
>but it doesn’t work for drivers.
>Is there any sample/hint like it for driver start/stop control?
>I know that ‘PsSetLoadImageNotifyRoutine’ can only monitor driver
>start, but it does not have any control over forced termination or unloading.
>Also, I can’t use Zw(Load/Unload)Driver hooking because of PatchGuard!
>
>Thanks for any recommendation.

> Are you trying to monitor when a driver is loaded/unloaded? What is it
> you are attempting to accomplish?

Yes, but I also want to inhibit some driver from loading or unloading by other than process/driver, like a White List Policy.

If a driver is going to load, it is going to have to have a value in the
registry HKLM\SYSTEM\CurrentControlSet\services\XXX\Start (where XXX is the
given service) that allows it to load and start. If you want to control
this consider a registry filter that modifies the start value for the
unacceptable drivers.

Don Burn
Windows Driver Consulting
Website: http://www.windrvr.com

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of
xxxxx@chmail.ir
Sent: Sunday, October 16, 2016 2:34 AM
To: Windows File Systems Devs Interest List
Subject: RE:[ntfsd] Driver start/stop controlling(like ObcallbackTest)

> Are you trying to monitor when a driver is loaded/unloaded? What is it
> you are attempting to accomplish?

Yes, but I also want to inhibit some driver from loading or unloading by other
than process/driver, like a White List Policy.


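The allowlist decision behind the registry-filter suggestion above, as an added example (not code from any poster in this thread). It is written as portable C so the policy can be exercised outside the kernel; in a driver it would be called from a registry callback (CmRegisterCallbackEx, on RegNtPreSetValueKey) with the key's object name. The function names and the allowlist entries are hypothetical.

```c
#include <ctype.h>
#include <string.h>

#define SERVICE_DISABLED 4u /* Start value that keeps a service or driver from starting */

/* Constructed allowlist of driver service names (hypothetical policy data). */
static const char *const kAllowed[] = { "disk", "ntfs", "mydriver" };

/* Case-insensitive prefix match: returns the rest of s after prefix, or NULL. */
static const char *skip_ci(const char *s, const char *prefix)
{
    for (; *prefix; ++s, ++prefix)
        if (tolower((unsigned char)*s) != tolower((unsigned char)*prefix))
            return NULL;
    return s;
}

static int equals_ci(const char *a, const char *b)
{
    const char *rest = skip_ci(a, b);
    return rest != NULL && *rest == '\0';
}

/* Returns <name> for ...\SYSTEM\ControlSetNNN\Services\<name>, else NULL. The key
 * object name is the resolved ControlSetNNN, not the CurrentControlSet link. */
static const char *service_name(const char *key)
{
    const char *p = skip_ci(key, "\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet");
    if (p == NULL || !isdigit((unsigned char)*p))
        return NULL;
    while (isdigit((unsigned char)*p)) ++p;
    p = skip_ci(p, "\\Services\\");
    if (p == NULL || *p == '\0' || strchr(p, '\\') != NULL)
        return NULL; /* subkeys such as <name>\Parameters are not the service key */
    return p;
}

/* Start value the filter should let through for a pending value write. */
unsigned enforce_start_value(const char *key, const char *value, unsigned requested)
{
    const char *name = service_name(key);
    size_t i;
    if (name == NULL || !equals_ci(value, "Start"))
        return requested; /* not a write to a service's Start value */
    for (i = 0; i < sizeof kAllowed / sizeof kAllowed[0]; ++i)
        if (equals_ci(name, kAllowed[i]))
            return requested; /* allowlisted: leave untouched */
    return SERVICE_DISABLED;
}
```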

Another way would of course be a minifilter that access-checks access to
driver files and, based on your policies, allows certain processes to have
RX access to the driver binary file.
This would be, as opposed to Don’s suggestion, a more difficult approach, but
with some added benefit which I am not going to mention here.

Good luck,
Gabriel
www.kasardia.com

On Sun, Oct 16, 2016 at 2:43 PM, Don Burn wrote:

> If a driver is going to load, it is going to have to have a value in the
> registry HKLM\SYSTEM\CurrentControlSet\services\XXX\Start (where XXX is
> the given service) that allows it to load and start. If you want to control
> this consider a registry filter that modifies the start value for the
> unacceptable drivers.


Bercea. G.

Thanks to Gabriel & Don.
Now I want a solution to inhibit driver unloading by other processes, like:

sc stop XXXX

sc delete XXXX

OSRLOADER

...

Is there any way?

In other words, I want to have a driver that only unloads at Windows power off.

Drivers are not unloaded on system shutdown. The system just sends notifications to PnP/WDM device objects and shuts down power with all drivers in memory. If you want a driver that can’t be unloaded, set DriverObject->DriverUnload to NULL in DriverEntry().

In my scenario, I want to protect another driver from unloading. Then I do not have control over the DriverObject->DriverUnload code.