Windows Vista Tips

Intercepting and blocking registry access

Denis Martinez

 
      06-10-2010
Hi. I need a way to hook registry functions such as ZwQueryKey, and make it
return STATUS_ACCESS_DENIED depending on some condition. At this point I have
a half-working driver that hooks the SSDT table.
The hook function calls
PrevQueryKey(hKey, KeyNameInformation, NULL, 0, &length) and
PrevQueryKey(hKey, KeyNameInformation, info, length, &length)
to get the key name and then proceeds to call PrevQueryKey with the user's
parameters, if the condition based on the key name was satisfied, else
STATUS_ACCESS_DENIED is returned.
I'm getting an error code 0xc0000005 (access violation) on the first
PrevQueryKey call. If I remove the 2 first calls and the condition then all
is fine. Can you explain to me how I can get the keyName that I need?
 
Maxim S. Shatskih

 
      06-10-2010
> Hi. I need a way to hook registry functions such as ZwQueryKey, and make it
> return STATUS_ACCESS_DENIED depending on some condition. At this point I have
> a half-working driver that hooks the SSDT table.


CmRegisterCallbacks is the way, not hooking.

--
Maxim S. Shatskih
Windows DDK MVP

http://www.storagecraft.com
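The callback route Maxim points to, sketched as an added example (not code from this thread): the name check a CmRegisterCallbackEx registry filter would apply before returning STATUS_ACCESS_DENIED, written as portable C so the policy can be unit-tested in user mode. The protected path, the function names and the reduced operation enum are my own assumptions; in a WDK build the RegistryCallback would call the decision function with the key's full object name (for RegNtPreQueryKey, obtained with CmCallbackGetKeyObjectIDEx on the key object), which is why it takes a UNICODE_STRING-style byte length rather than a NUL-terminated string.

```c
#include <stddef.h>
#include <wchar.h>
#include <wctype.h>

/* NTSTATUS values from ntstatus.h, redefined so this file builds outside the WDK. */
#define NT_STATUS_SUCCESS        0x00000000L
#define NT_STATUS_ACCESS_DENIED  0xC0000022L

/* Protected subtree in the object-name form a registry filter sees
   (e.g. from CmCallbackGetKeyObjectIDEx). Path constructed for this example. */
static const wchar_t PROTECTED_PREFIX[] =
    L"\\REGISTRY\\MACHINE\\SOFTWARE\\Example\\Protected";

/* Key names arrive as UNICODE_STRING: wide chars plus a byte length, with no
   guaranteed NUL terminator, so the check is length-bounded and never uses
   wcslen on the incoming buffer. */
int key_is_protected(const wchar_t *name, size_t len_bytes)
{
    size_t n = len_bytes / sizeof(wchar_t);
    size_t plen = wcslen(PROTECTED_PREFIX);
    if (n < plen)
        return 0;
    for (size_t i = 0; i < plen; i++)          /* registry paths are case-insensitive */
        if (towlower(name[i]) != towlower(PROTECTED_PREFIX[i]))
            return 0;
    return n == plen || name[plen] == L'\\';   /* the key itself or any subkey */
}

/* Subset of REG_NOTIFY_CLASS pre-notifications (hypothetical reduced enum).
   Only pre-notifications can fail an operation; anything else maps to OP_OTHER
   and passes through. */
enum reg_op { OP_PRE_CREATE, OP_PRE_OPEN, OP_PRE_QUERY_KEY,
              OP_PRE_SET_VALUE, OP_PRE_DELETE_KEY, OP_OTHER };

/* Status the RegistryCallback returns to the configuration manager:
   STATUS_SUCCESS lets the caller's Zw call proceed, STATUS_ACCESS_DENIED
   fails it with that status, which is exactly what the SSDT hook tried to do. */
long registry_filter_decide(enum reg_op op, const wchar_t *name, size_t len_bytes)
{
    if (!key_is_protected(name, len_bytes))
        return NT_STATUS_SUCCESS;
    switch (op) {
    case OP_PRE_CREATE: case OP_PRE_OPEN: case OP_PRE_QUERY_KEY:
    case OP_PRE_SET_VALUE: case OP_PRE_DELETE_KEY:
        return NT_STATUS_ACCESS_DENIED;
    default:
        return NT_STATUS_SUCCESS;
    }
}
```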

Pavel A.

 
      06-10-2010
"Denis Martinez" <Denis > wrote in message
news:812CF223-3D5A-4392-B21C-...
> Hi. I need a way to hook registry functions such as ZwQueryKey, and make
> it
> return STATUS_ACCESS_DENIED depending on some condition. At this point I
> have
> a half-working driver that hooks the SSDT table.
> The hook function calls
> PrevQueryKey(hKey, KeyNameInformation, NULL, 0, &length) and
> PrevQueryKey(hKey, KeyNameInformation, info, length, &length)
> to get the key name and then proceeds to call PrevQueryKey with the user's
> parameters, if the condition based on the key name was satisfied, else
> STATUS_ACCESS_DENIED is returned.
> I'm getting an error code 0xc0000005 (access violation) on the first
> PrevQueryKey call. If I remove the 2 first calls and the condition then
> all
> is fine. Can you explain to me how I can get the keyName that I need?


This should work, if you do it correctly.
Also, be careful of passing kernel handles and buffers
to the usermode syscall handler (your PrevQueryKey):
it will fail if you pass it a kernel side pointer.
Hooking is hard.

Denis Martinez

 
      06-10-2010
Thanks for your answers, I have some other questions.
Indeed I passed pointers to kernel memory to my Zw function, so I'm
replacing these pointers with memory zones allocated by
ZwAllocateVirtualMemory.

* I don't see kernel-mode functions to access virtual memory. I suppose the
allocated pages don't have to be aligned in memory, so direct access is
impossible. How can I do it?
* I didn't know about CmRegisterCallback so I'll look at that, thanks.

"Maxim S. Shatskih" wrote:

> > Hi. I need a way to hook registry functions such as ZwQueryKey, and make it
> > return STATUS_ACCESS_DENIED depending on some condition. At this point I have
> > a half-working driver that hooks the SSDT table.

>
> CmRegisterCallbacks is the way, not hooking.
>
> --
> Maxim S. Shatskih
> Windows DDK MVP
>
> http://www.storagecraft.com
>

Ray Trent

 
      06-10-2010
Ummm... why?

Anyone that is motivated enough to write a driver to call ZwQueryKey to get around whatever access
protections are already on the key will just undo whatever you do. There's no way to secure the OS
against the OS, and like it or not, kernel mode drivers are part of the OS.

Just set the permissions on the key to give no one access except perhaps for some account you can
create that only you have the credentials for. It won't stop a determined hacker, but *nothing will*
at this level.

On 6/10/2010 2:22 AM, Denis Martinez wrote:
> Hi. I need a way to hook registry functions such as ZwQueryKey, and make it
> return STATUS_ACCESS_DENIED depending on some condition. At this point I have
> a half-working driver that hooks the SSDT table.
> The hook function calls
> PrevQueryKey(hKey, KeyNameInformation, NULL, 0,&length) and
> PrevQueryKey(hKey, KeyNameInformation, info, length,&length)
> to get the key name and then proceeds to call PrevQueryKey with the user's
> parameters, if the condition based on the key name was satisfied, else
> STATUS_ACCESS_DENIED is returned.
> I'm getting an error code 0xc0000005 (access violation) on the first
> PrevQueryKey call. If I remove the 2 first calls and the condition then all
> is fine. Can you explain to me how I can get the keyName that I need?



--
Ray