Hello,
I’m writing a security software WDM driver, which uses the following callback techniques in order to detect when a process/thread is started (this makes the driver a process startup driver). Also, the driver must be started as soon as possible at boot time, which makes it a boot driver.
- PsSetCreateProcessNotifyRoutine
- PsSetCreateThreadNotifyRoutine
Afterwards, I’m basically determining what the process image name is and some other characteristics in order to determine if I’m going to let the process run or terminate the process.
However, I’m interested in what kind of driver this actually is. Basically I’m interested in what to specify as the Class/ClassGuid in the INF file. I need the INF file in order to install the driver on the machine (I want to use the INF file and don’t want to use any other way, like copying the driver to system32/drivers manually):
Class = "ProcessMon"
ClassGuid = {b86dff51-a31e-4bac-b3cf-e8cfe75c9fc2}
Therefore, I’ve been through the documentation and cannot decide what type of driver this actually is. At the higher level, the WDM driver types are the following:
- Bus driver: This is not the case, since I’m not managing any bus.
- Function driver: This is not the case, since I’m not managing any software/hardware device. The only reason why I even register a device is to be able to stop the driver, otherwise I wouldn’t even need to IoCreateDevice.
- Filter driver: This is what fits the description the most, although not perfectly, since I’m not actually modifying the behavior of a device or another driver.
There are also layered drivers:
- Class drivers: Don’t fit.
- Miniclass drivers: Don’t fit.
- Port drivers: Don’t fit.
- Miniport drivers: Don’t fit.
I’m interested in the following:
- What kind of device driver the software-based driver actually is?
- What to specify as a Class/ClassGuid in the INF file?
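As an added example (not the poster's code), here is the image-name decision such a callback would run, wired into the Ex form of the process-creation callback, which can refuse creation up front rather than terminating a process that has already started. The names ShouldDenyImage, ShouldDenyImageZ, kDenyList and the BUILD_WITH_WDK guard are assumptions; the kernel part only compiles inside a WDK project.

```c
/* Added example (not the original poster's code): allow/deny decision for a
 * process-creation callback. Assumed names: BUILD_WITH_WDK, ShouldDenyImage*, kDenyList. */
#ifdef BUILD_WITH_WDK       /* assumed macro: define it only in a WDK driver build */
#include <ntddk.h>
#else
#include <stddef.h>
#endif
/* Constructed sample deny list: final path component only, case-insensitive. */
static const wchar_t *const kDenyList[] = { L"evil.exe", L"dropper.exe" };
static size_t WLen(const wchar_t *s) { size_t n = 0; while (s[n]) n++; return n; }
/* ASCII-only case fold so this also builds in kernel mode without the CRT;
 * a real driver would use RtlUpcaseUnicodeChar for full Unicode folding. */
static wchar_t FoldAscii(wchar_t c) { return (c >= L'A' && c <= L'Z') ? (wchar_t)(c + 32) : c; }
/* The callback gets an NT path such as \Device\HarddiskVolume2\Users\x\evil.exe.
 * Compare only the final component so directory or volume cannot disguise the name. */
int ShouldDenyImage(const wchar_t *path, size_t len)   /* len in characters */
{
    size_t start = 0;
    for (size_t i = 0; i < len; i++)
        if (path[i] == L'\\' || path[i] == L'/') start = i + 1;
    size_t blen = len - start;
    if (blen == 0) return 0;            /* trailing separator: nothing to match */
    for (size_t d = 0; d < sizeof kDenyList / sizeof kDenyList[0]; d++) {
        const wchar_t *name = kDenyList[d];
        if (WLen(name) != blen) continue;
        size_t k = 0;
        while (k < blen && FoldAscii(path[start + k]) == FoldAscii(name[k])) k++;
        if (k == blen) return 1;
    }
    return 0;
}
/* Convenience wrapper for NUL-terminated strings (tests, user-mode harness). */
int ShouldDenyImageZ(const wchar_t *path) { return ShouldDenyImage(path, WLen(path)); }
#ifdef BUILD_WITH_WDK
/* The Ex variant can refuse creation via CreationStatus instead of terminating
 * a process that has already started; it needs the image linked /INTEGRITYCHECK. */
VOID CreateProcessNotifyEx(PEPROCESS Process, HANDLE ProcessId, PPS_CREATE_NOTIFY_INFO CreateInfo)
{
    UNREFERENCED_PARAMETER(Process); UNREFERENCED_PARAMETER(ProcessId);
    if (CreateInfo == NULL || CreateInfo->ImageFileName == NULL) return; /* exit, or no name */
    if (ShouldDenyImage(CreateInfo->ImageFileName->Buffer,
                        CreateInfo->ImageFileName->Length / sizeof(WCHAR)))
        CreateInfo->CreationStatus = STATUS_ACCESS_DENIED;
}
/* In DriverEntry: PsSetCreateProcessNotifyRoutineEx(CreateProcessNotifyEx, FALSE); */
#endif
```

The UNICODE_STRING passed to the callback is not guaranteed to be NUL-terminated, which is why the kernel path uses the length-bounded ShouldDenyImage rather than the Z wrapper.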