Hello,
I would like to know where Windows processes the execution and opening of files and programs on the computer, because I'm creating a kernel-mode execution-filter driver (basically, a driver that sits back and "spies" on every program that tries to open on my computer, before my computer actually detects it or processes it) for security purposes, and blocks or suspends it according to the settings the user chooses in a GUI application that manages this centrally.
Simple Thanks and Regards,
Brandon T. H.
Been programming in Visual Basic for 4 years up to this point, and am very good at it (I can even create programs completely in code, without dragging those items from the toolbox). Programming C++ for 1 year so far, and the same with C#.
Many of life's failures are people who did not realize how close they were to success when they gave up. - Thomas Edison
modified 30-Apr-12 10:27am.
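Added example, not code from this thread or from any of its posters: the allow/deny decision an execution filter has to make in its IRP_MJ_CREATE pre-operation callback, written as plain C so it builds and runs in user mode. In a real minifilter the path would come from FltGetFileNameInformation, the access mask from Data->Iopb->Parameters.Create.SecurityContext->DesiredAccess, the requestor mode from Data->RequestorMode, and a DENY verdict would be applied by setting Data->IoStatus.Status and returning FLT_PREOP_COMPLETE. The CreateRequest struct, the function names and the blocked-directory policy are made up for illustration. Two points the code bakes in: an image cannot be mapped as code unless its file was opened with FILE_EXECUTE, so that bit, not "any open", is what identifies an execution attempt, and on a directory the same bit value means FILE_TRAVERSE. Process creation itself can also be vetoed without a file system filter by a PsSetCreateProcessNotifyRoutineEx callback (Vista SP1 and later) that sets CreationStatus in its PS_CREATE_NOTIFY_INFO to an error status; the file-level check below additionally covers DLL loads.

```c
/* Added example (not from this thread): execute-access policy decision for
 * an IRP_MJ_CREATE pre-callback, written to compile without the WDK.
 * Numeric constants are the documented Windows values; the policy is made up. */
#include <stddef.h>
#include <stdint.h>
#include <ctype.h>
#include <stdio.h>

typedef uint32_t ACCESS_MASK;
typedef int32_t  NTSTATUS;

#define FILE_READ_DATA        0x00000001u
#define FILE_EXECUTE          0x00000020u  /* same bit as FILE_TRAVERSE on directories */
#define GENERIC_EXECUTE       0x20000000u
#define GENERIC_ALL           0x10000000u
#define FILE_DIRECTORY_FILE   0x00000001u  /* CreateOptions: low 24 bits of Parameters.Create.Options */
#define STATUS_SUCCESS        ((NTSTATUS)0x00000000)
#define STATUS_ACCESS_DENIED  ((NTSTATUS)0xC0000022)

/* Hypothetical view of the fields a pre-create callback would read. */
typedef struct CreateRequest {
    const char *path;          /* volume-relative NT path, e.g. "\Users\bob\a.exe" */
    ACCESS_MASK desired;       /* SecurityContext->DesiredAccess */
    uint32_t    create_options;/* Parameters.Create.Options & 0x00FFFFFF */
    int         kernel_mode;   /* Data->RequestorMode == KernelMode */
} CreateRequest;

enum Verdict { VERDICT_ALLOW = 0, VERDICT_DENY = 1 };

/* Hypothetical policy pushed down from the management GUI: no execution from
 * these directories. NTFS names are case-insensitive, so the match must be too. */
static const char *const blocked_dirs[] = { "\\Users\\", "\\Temp\\", "\\ProgramData\\" };

static int ci_starts_with(const char *s, const char *prefix)
{
    for (; *prefix; ++s, ++prefix)
        if (!*s || tolower((unsigned char)*s) != tolower((unsigned char)*prefix))
            return 0;
    return 1;
}

/* Execute rights in any form. The I/O manager normally maps GENERIC_* bits to
 * file-specific rights before a filter sees the create, but checking them too
 * costs nothing and removes the dependency on that. */
static int wants_execute(ACCESS_MASK desired)
{
    return (desired & (FILE_EXECUTE | GENERIC_EXECUTE | GENERIC_ALL)) != 0;
}

/* Returns the verdict and sets *status to the NTSTATUS the callback should
 * complete the create with (STATUS_SUCCESS when the open is passed through). */
enum Verdict execution_filter_decide(const CreateRequest *req, NTSTATUS *status)
{
    size_t i;
    *status = STATUS_SUCCESS;

    /* Kernel-mode opens (system, our own FltCreateFile calls) are passed
     * through; blocking them is a policy choice and a deadlock risk. */
    if (req->kernel_mode)
        return VERDICT_ALLOW;

    /* On a directory the 0x20 bit is FILE_TRAVERSE, not execute. */
    if (req->create_options & FILE_DIRECTORY_FILE)
        return VERDICT_ALLOW;

    /* Reading or copying a file in a blocked directory is still allowed;
     * only opening it for execution (image mapping) is refused. */
    if (!wants_execute(req->desired))
        return VERDICT_ALLOW;

    for (i = 0; i < sizeof blocked_dirs / sizeof blocked_dirs[0]; ++i) {
        if (ci_starts_with(req->path, blocked_dirs[i])) {
            *status = STATUS_ACCESS_DENIED;
            return VERDICT_DENY;
        }
    }
    return VERDICT_ALLOW;
}

int main(void)
{
    /* Constructed sample requests, not captured from a real system. */
    const CreateRequest samples[] = {
        { "\\Users\\bob\\Downloads\\dropper.exe", FILE_EXECUTE | FILE_READ_DATA, 0, 0 },
        { "\\Users\\bob\\Downloads\\dropper.exe", FILE_READ_DATA, 0, 0 },
        { "\\Windows\\System32\\notepad.exe", FILE_EXECUTE, 0, 0 },
        { "\\Users\\bob\\Downloads", FILE_EXECUTE, FILE_DIRECTORY_FILE, 0 },
    };
    size_t i;
    for (i = 0; i < sizeof samples / sizeof samples[0]; ++i) {
        NTSTATUS s;
        enum Verdict v = execution_filter_decide(&samples[i], &s);
        printf("%-40s access=0x%08x -> %s (0x%08x)\n", samples[i].path,
               samples[i].desired, v == VERDICT_DENY ? "DENY" : "ALLOW", (unsigned)s);
    }
    return 0;
}
```

The verdict only governs new opens: an image already mapped when the filter attaches stays mapped, and a denied create is reported to the caller as STATUS_ACCESS_DENIED exactly as an ACL denial would be, so user-mode tooling needs no special handling.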
Brandon T. H. wrote: Been programming in Visual Basic for 4 years up to this point, and am very good at it (I can even create programs completely in code, without dragging those items from the toolbox). Programming C++ for 1 year so far, and the same with C#.
And you want to write a kernel file system filter driver?
Good luck!
==============================
Nothing to say.
Erudite_Eric wrote: Good luck!
There are driver tutorials on here, especially the firewall "Network/Ethernet Filter Driver" here. C++ and Visual Basic are fairly common in syntax, so it's not something that is completely new or very hard and complex to understand; I could look up some code blocks online, change some words around in the programming and change a network/ethernet filter driver into an execution filter driver (it is possible). But there are some things to avoid or try not to make or risk, and I have converters to translate from language to language.
But you could be right, with the exception that some language(s) (for example, Visual Basic or C++ CLI/CLR) do not support driver developing/creating/compiling.
Simple Thanks and Regards,
Brandon T. H.
Been programming in Visual Basic for 4 years up to this point, and am very good at it (I can even create programs completely in code, without dragging those items from the toolbox). Programming C++ for 1 year so far, and the same with C#.
Many of life's failures are people who did not realize how close they were to success when they gave up. - Thomas Edison
Brandon T. H. wrote: I could look up some code blocks online and change some words around in the programming and change a network/ethernet filter driver into an execution filter driver
I think Eric's comment was indicating that there is far more to it than that. Changing a few words in one type of driver will not give you a different type. First you need a good understanding of how specific filters work and their interaction with the system. Then you need to understand the specifics of the area that you are trying to filter. As you say there are tutorials, but it takes more than a few hours with online tutorials to be able to understand kernel level programming fully.
Binding 100,000 items to a list box can be just silly regardless of what pattern you are following. Jeremy Likness
1) Drivers are written in C. C++ is not supported by Microsoft in the kernel. Yes, you can use it, but be very careful, so it is best to use C. And you are going to have to use it in its very raw form: lots of pointers, pointers to pointers, casting pointers to ints, and so on.
2) Brandon T. H. wrote: Network/Ethernet Filter Driver" That's an NDIS model driver. It isn't WDM, and isn't anything like a file system filter. (Yep, I have written plenty of both.)
3) Brandon T. H. wrote: so it's not something that is completely new or very hard and complex to understand" I so wish I could watch your first efforts... Drivers ARE very complex and hard to understand.
Brandon T. H. wrote: I could look up some code blocks online and change some words around in the programming and change a network/ethernet filter driver into an execution filter driver (it is possible).
As stated, that isn't possible: totally different model, different API, different everything.
Brandon T. H. wrote: I have converters to translate from language-to-language
This isn't going to work.
You need to be very very proficient in C and understand the kernel/OS/HW in detail in the particular realm you will be working in.
FSF drivers are some of the hardest to write too, so you are jumping in at the deep end. NDIS drivers are actually fairly simple (in comparison).
OK, think of this: kernel code is about 20 times more complex than user mode code. That's the kind of mind-numbing nastiness you will be working with.
You also need to use windbg to debug, so you need to be very proficient in its use.
Oh, and assembler. You are going to be debugging a lot in assembler as you trace into system calls to see why your code is going wrong.
Then there is the install. This can be a major nightmare in its own right and can have fundamental impacts on the way your driver works, or not.
==============================
Nothing to say.
Too bad I can't vote this one a 10+.
I haven't done any driver development in the 30+ years I've been writing code, and looking at that stuff still makes my head explode!
Yeah, it is brain-bendingly complicated.
==============================
Nothing to say.
Brandon T. H. wrote: C++ and Visual Basic are fairly common in syntax
Not even close. Yes, both look like "code", and both have markings at the beginning and the end of a method, but that's where the similarities end.
Bastard Programmer from Hell
Brandon T. H. wrote: C++ and Visual Basic are fairly common in syntax
Heresy! Blasphemy!
At least artificial intelligence already is superior to natural stupidity
Hello everybody, how are you?
Can anyone help me by explaining what a MAINFRAME testing job basically is? I am doing functional testing in a Mainframe environment that includes ISPF menus, CICS and different batch jobs. I am getting lots of interview calls for a "Mainframe Tester".
Please provide information about the Mainframe Tester's profile and what type of questions are usually asked in the interview.
Regards,
Rajib Khan
If you don't know what it is, then you probably shouldn't even apply... that's just my opinion.
Rakib khan009 wrote: I am doing functional testing in a Mainframe environment
So you are already doing it; what do you not understand about your own job?
Binding 100,000 items to a list box can be just silly regardless of what pattern you are following. Jeremy Likness
Please give me a link to a Windows XP file system driver programming document or a Windows XP file system driver programming user guide. Thanks.
I'm a newcomer to developing Microsoft Windows drivers. I tried to test a little demo on my PC. My testing environment is: Win7 (32-bit) + Visual Studio 2010 + WDK 7600. To my disappointment, there is no response in DbgView's text area. (I have tested another little print demo in my environment, and it succeeded.)
The successful demo is:
    #include "ntddk.h"

    VOID DriverUnload(PDRIVER_OBJECT driver)
    {
        UNREFERENCED_PARAMETER(driver);
        DbgPrint("first: ===Our driver is unloading...");
    }

    NTSTATUS DriverEntry(IN PDRIVER_OBJECT driver, IN PUNICODE_STRING reg_path)
    {
        UNREFERENCED_PARAMETER(reg_path);
        DbgPrint("first:===Hello, my salary!");
        driver->DriverUnload = DriverUnload;   /* without this the driver cannot be stopped */
        return STATUS_SUCCESS;
    }
And the failed demo is:
    /* drMain.h */
    #ifndef _DRMAIN_H_
    #define _DRMAIN_H_

    #include <fltKernel.h>

    DRIVER_INITIALIZE DriverEntry;

    /* Minifilter callbacks must use the FLTAPI calling convention and the exact
     * prototypes from fltKernel.h. The original cast mismatched functions to the
     * callback pointer types, which hides the error from the compiler only. */
    NTSTATUS FLTAPI MyDriverUnload(FLT_FILTER_UNLOAD_FLAGS Flags);

    FLT_PREOP_CALLBACK_STATUS FLTAPI DriverPreCreate(
        PFLT_CALLBACK_DATA Data,
        PCFLT_RELATED_OBJECTS FltObjects,
        PVOID *CompletionContext
    );

    FLT_POSTOP_CALLBACK_STATUS FLTAPI DriverPostCreate(
        PFLT_CALLBACK_DATA Data,
        PCFLT_RELATED_OBJECTS FltObjects,
        PVOID CompletionContext,       /* PVOID, not PVOID*, in post-operation callbacks */
        FLT_POST_OPERATION_FLAGS Flags
    );

    #endif /* _DRMAIN_H_ */

    /* drMain.c */
    #include "drMain.h"

    static PFLT_FILTER theFilter = NULL;

    CONST FLT_OPERATION_REGISTRATION CallBacks[] = {
        { IRP_MJ_CREATE, 0, DriverPreCreate, DriverPostCreate },
        { IRP_MJ_OPERATION_END }
    };

    CONST FLT_REGISTRATION FilterRegistration = {
        sizeof(FLT_REGISTRATION),   /* Size */
        FLT_REGISTRATION_VERSION,   /* Version */
        0,                          /* Flags */
        NULL,                       /* ContextRegistration */
        CallBacks,                  /* OperationRegistration */
        MyDriverUnload,             /* FilterUnloadCallback */
        NULL,                       /* InstanceSetupCallback */
        NULL,                       /* InstanceQueryTeardownCallback */
        NULL,                       /* InstanceTeardownStartCallback */
        NULL,                       /* InstanceTeardownCompleteCallback */
        NULL,                       /* GenerateFileNameCallback */
        NULL,                       /* NormalizeNameComponentCallback */
        NULL                        /* NormalizeContextCleanupCallback */
    };

    NTSTATUS DriverEntry(PDRIVER_OBJECT DriverObject, PUNICODE_STRING RegistryPath)
    {
        NTSTATUS status;

        UNREFERENCED_PARAMETER(RegistryPath);
        DbgPrint("FIRST==driver begin!");

        status = FltRegisterFilter(DriverObject, &FilterRegistration, &theFilter);
        /* The original had ASSERT(status); STATUS_SUCCESS is 0, so that assertion
         * fires exactly when registration succeeds. Assert on NT_SUCCESS instead. */
        ASSERT(NT_SUCCESS(status));
        if (!NT_SUCCESS(status)) {
            /* STATUS_OBJECT_NAME_NOT_FOUND here usually means the Instances subkey
             * (DefaultInstance, Altitude, Flags) the INF should have written under
             * the service key is missing; returning the failure makes the service
             * start fail. */
            DbgPrint("FIRST==FltRegisterFilter failed: 0x%08X", status);
            return status;
        }
        DbgPrint("FIRST==FltRegisterFilter succeeded, starting filtering");

        status = FltStartFiltering(theFilter);
        if (!NT_SUCCESS(status)) {
            DbgPrint("FIRST==FltStartFiltering failed: 0x%08X", status);
            FltUnregisterFilter(theFilter);
            theFilter = NULL;
        }
        return status;
    }

    NTSTATUS FLTAPI MyDriverUnload(FLT_FILTER_UNLOAD_FLAGS Flags)
    {
        PAGED_CODE();
        UNREFERENCED_PARAMETER(Flags);
        FltUnregisterFilter(theFilter);
        return STATUS_SUCCESS;
    }

    FLT_PREOP_CALLBACK_STATUS FLTAPI DriverPreCreate(
        PFLT_CALLBACK_DATA Data,
        PCFLT_RELATED_OBJECTS FltObjects,
        PVOID *CompletionContext)
    {
        UNREFERENCED_PARAMETER(Data);
        UNREFERENCED_PARAMETER(FltObjects);
        UNREFERENCED_PARAMETER(CompletionContext);
        DbgPrint("FIRST==DriverPreCreate dealing!");
        return FLT_PREOP_SUCCESS_WITH_CALLBACK;   /* ask for DriverPostCreate to run */
    }

    FLT_POSTOP_CALLBACK_STATUS FLTAPI DriverPostCreate(
        PFLT_CALLBACK_DATA Data,
        PCFLT_RELATED_OBJECTS FltObjects,
        PVOID CompletionContext,
        FLT_POST_OPERATION_FLAGS Flags)
    {
        UNREFERENCED_PARAMETER(Data);
        UNREFERENCED_PARAMETER(FltObjects);
        UNREFERENCED_PARAMETER(CompletionContext);
        UNREFERENCED_PARAMETER(Flags);
        DbgPrint("FIRST==DriverPostCreate dealing!");
        return FLT_POSTOP_FINISHED_PROCESSING;
    }
I can compile, link and install it successfully, but I can't start my drMain.sys.
I think I must have forgotten something when coding it.
Thanks very much!
daotian wrote: The system could not find the specified file.
This is your clue, either the sys file or an associated file is not in the location that Windows expects.
Unrequited desire is character building. OriginalGriff
I'm sitting here giving you a standing ovation - Len Goodman
Yeah, install error.
==============================
Nothing to say.
F*** you, one voter. Hope your hard drive crashes and your memory overheats.
==============================
Nothing to say.
But I can install my sys file, when I just want to start it, the installer throws this error message.
What is it about this message that you refuse to accept? The message clearly states that a file cannot be found; you are the only person with enough information to identify which file that is, and why the system cannot find it.
Unrequited desire is character building. OriginalGriff
I'm sitting here giving you a standing ovation - Len Goodman
How did you install your sys file? Is the registry entry for it correct? Is it correctly registered with the system? Is it signed? Have you got driver signing turned off? Did you run chkinf on your inf file?
In other words go back and read the DDK, use google, and find out why your driver is not loading and be appreciative of people who are trying to help you.
==============================
Nothing to say.
What prick gave you a 1 vote?
I mean, you gave a perfect answer and some jerk votes you down over it. Holy crap, makes you wonder why you bother helping people!
==============================
Nothing to say.
Erudite_Eric wrote: What prick
No shortage around here. I suspect this is often (not necessarily in this case) as a result of not giving the questioner the full solution including code. To be honest it's really not worth worrying about.
However, my thanks for your counter votes.
Unrequited desire is character building. OriginalGriff
I'm sitting here giving you a standing ovation - Len Goodman