Initialization of driver DriverEntry

2025-03-26 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)06/02 Report--

This article explains in detail the initialization performed in the driver's DriverEntry. The editor thinks it is very practical, so it is shared here for your reference. I hope you can get something out of it after reading.

I. Initialization of the driver DriverEntry

DriverEntry(PDRIVER_OBJECT DriverObject, UNICODE_STRING *pRegistry) takes the last component of the pRegistry path (the service name) and uses it to build the device name and the DosDevices symbolic link name.

    pDriverName = pRegistry->Buffer;
    Len = pRegistry->Length >> 1;            /* UNICODE_STRING.Length is in bytes; convert to WCHARs */
    pFirstName = &pDriverName[Len];          /* start one past the end of the string */
    if (pFirstName == pDriverName) {
    LABEL_8:                                 /* reached the start of the buffer */
        if (*pFirstName != L'\\')
            goto LABEL_10;                   /* no separator found: failure path (not shown in the listing) */
    } else {
        while (*pFirstName != L'\\') {       /* scan backwards for the last backslash */
            --pFirstName;
            if (pFirstName == pDriverName)
                goto LABEL_8;
        }
    }
    ++pFirstName;                            /* pFirstName now points at the service name */
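As an added illustration (this is my own stand-alone user-mode C, not the driver's code), the same last-component scan, written so that it works from the WCHAR count instead of assuming a NUL-terminated buffer, and then deriving both object names; the 64-WCHAR buffers and the function names are assumptions of the example.

```c
#include <stddef.h>
#include <wchar.h>

/* Driver-style globals filled in from the registry path (constructed example; names assumed). */
static wchar_t g_DeviceName[64];
static wchar_t g_DosDeviceName[64];

/* Last backslash-separated component of path, given its length in WCHARs
 * (UNICODE_STRING.Length is in bytes, hence the Length >> 1 in the driver).
 * Scans backwards like the decompiled loop but never reads past lenChars,
 * since a UNICODE_STRING buffer is not guaranteed to be NUL-terminated.
 * Returns NULL when there is no separator (the driver's failure path). */
const wchar_t *LastComponent(const wchar_t *path, size_t lenChars)
{
    const wchar_t *p = path + lenChars;     /* one past the end, as in the decompiled code */
    while (p > path) {
        --p;
        if (*p == L'\\')
            return p + 1;                   /* skip the separator itself */
    }
    return NULL;
}

/* Concatenate prefix + name (nameLen WCHARs, not NUL-terminated) into a fixed buffer. */
static int Join(wchar_t *out, size_t outChars, const wchar_t *prefix, const wchar_t *name, size_t nameLen)
{
    size_t preLen = wcslen(prefix);
    if (preLen + nameLen + 1 > outChars)
        return -1;                          /* would overflow the fixed buffer */
    wmemcpy(out, prefix, preLen);
    wmemcpy(out + preLen, name, nameLen);
    out[preLen + nameLen] = L'\0';
    return 0;
}

/* Derive "\Device\<svc>" and "\DosDevices\<svc>" from the DriverEntry registry path.
 * Returns 0 on success, -1 if there is no component or a name would not fit. */
int DeriveDeviceNames(const wchar_t *regPath, size_t lenChars)
{
    const wchar_t *svc = LastComponent(regPath, lenChars);
    size_t svcLen;
    if (svc == NULL || svc == regPath + lenChars)   /* no separator, or trailing backslash */
        return -1;
    svcLen = (size_t)(regPath + lenChars - svc);
    if (Join(g_DeviceName, 64, L"\\Device\\", svc, svcLen) != 0)
        return -1;
    return Join(g_DosDeviceName, 64, L"\\DosDevices\\", svc, svcLen);
}

const wchar_t *DeviceName(void)    { return g_DeviceName; }
const wchar_t *DosDeviceName(void) { return g_DosDeviceName; }
```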

Then the sysmon policy settings are read from the pRegistry registry path.

RtlQueryRegistryValues is called with a table of 5 RTL_QUERY_REGISTRY_TABLE structures:

    /* Reconstructed from the decompiled listing; global names are as recovered from it. */
    RTL_QUERY_REGISTRY_TABLE QueryRegTable[5];

    RtlInitUnicodeString(&g_ProcessAccessNamesRule, 0);
    memset(QueryRegTable, 0, sizeof(QueryRegTable));

    /* Entry 0: descend into the "Parameters" subkey (RTL_QUERY_REGISTRY_SUBKEY == 1) */
    QueryRegTable[0].Flags = 1;
    QueryRegTable[0].Name  = L"Parameters";

    /* Entries 1..4: Flags 304 == 0x130 == RTL_QUERY_REGISTRY_TYPECHECK | RTL_QUERY_REGISTRY_DIRECT |
       RTL_QUERY_REGISTRY_NOEXPAND; with TYPECHECK the expected REG_* type is in the top byte of DefaultType */
    QueryRegTable[1].Flags         = 304;
    QueryRegTable[1].Name          = L"ProcessAccessNames";
    QueryRegTable[1].EntryContext  = &g_ProcessAccessNamesRule;
    QueryRegTable[1].DefaultType   = 0x7000007;        /* REG_MULTI_SZ expected, REG_MULTI_SZ default */
    QueryRegTable[1].DefaultData   = &unk_10015C34;
    QueryRegTable[1].DefaultLength = 4;

    QueryRegTable[2].Flags        = 304;
    QueryRegTable[2].Name         = L"ProcessAccessMasks";
    QueryRegTable[2].EntryContext = &g_ProcessAccessMasksRule;
    QueryRegTable[2].DefaultType  = 0x3000000;         /* REG_BINARY expected */

    QueryRegTable[3].Flags        = 304;
    QueryRegTable[3].Name         = L"Option";
    QueryRegTable[3].EntryContext = &g_OptionRules;
    QueryRegTable[3].DefaultType  = 0x4000000;         /* REG_DWORD expected */

    QueryRegTable[4].Flags        = 304;
    QueryRegTable[4].Name         = L"Hashingalgorithm";
    QueryRegTable[4].EntryContext = &g_HashAlgorithms;
    QueryRegTable[4].DefaultType  = 0x4000000;         /* REG_DWORD expected */

    /* RelativeTo is lost in the listing; the DriverEntry registry path is an absolute path */
    RtlQueryRegistryValues(RTL_REGISTRY_ABSOLUTE, pRegistry->Buffer, QueryRegTable, 0, 0);

    /* Reject a missing or odd-length (in WCHARs) ProcessAccessNames value */
    if (!g_ProcessAccessNamesRule.Buffer || ((g_ProcessAccessNamesRule.Length >> 1) & 1))

The corresponding registry value names are L"Parameters", L"ProcessAccessNames", L"ProcessAccessMasks", L"Option" and L"Hashingalgorithm" respectively.

Then the key values of L"Rules" under the L"Parameters" key are read again; these are the rules configured for the driver.

The following shows an array of some rules

At the end of the above process, the driver determines whether the operating system supports Flt (the filter manager).

If Flt is supported, only the IRP_MJ_CREATE, IRP_MJ_CLOSE and IRP_MJ_DEVICE_CONTROL dispatch routines are set here, and minifilter filtering is registered later. If Flt is not supported, the legacy Sfilter-style model is used and every major function is routed to the dispatch routine.

    DriverObject->MajorFunction[IRP_MJ_DEVICE_CONTROL] = (PDRIVER_DISPATCH)SysmonDispatchIrp;
    DriverObject->MajorFunction[IRP_MJ_CLOSE]          = (PDRIVER_DISPATCH)SysmonDispatchIrp;
    DriverObject->MajorFunction[IRP_MJ_CREATE]         = (PDRIVER_DISPATCH)SysmonDispatchIrp;
    if (IsOpenPipeConnect && !IsSupportFlt) {
        /* Legacy (Sfilter-style) path: every major function goes to SysmonDispatchIrp */
        DriverObject->MajorFunction[IRP_MJ_CREATE]                   = (PDRIVER_DISPATCH)SysmonDispatchIrp;
        DriverObject->MajorFunction[IRP_MJ_CREATE_NAMED_PIPE]        = (PDRIVER_DISPATCH)SysmonDispatchIrp; /* index 1 in the listing */
        DriverObject->MajorFunction[IRP_MJ_CLOSE]                    = (PDRIVER_DISPATCH)SysmonDispatchIrp;
        DriverObject->MajorFunction[IRP_MJ_READ]                     = (PDRIVER_DISPATCH)SysmonDispatchIrp;
        DriverObject->MajorFunction[IRP_MJ_WRITE]                    = (PDRIVER_DISPATCH)SysmonDispatchIrp;
        DriverObject->MajorFunction[IRP_MJ_QUERY_INFORMATION]        = (PDRIVER_DISPATCH)SysmonDispatchIrp;
        DriverObject->MajorFunction[IRP_MJ_SET_INFORMATION]          = (PDRIVER_DISPATCH)SysmonDispatchIrp;
        DriverObject->MajorFunction[IRP_MJ_QUERY_EA]                 = (PDRIVER_DISPATCH)SysmonDispatchIrp;
        DriverObject->MajorFunction[IRP_MJ_SET_EA]                   = (PDRIVER_DISPATCH)SysmonDispatchIrp;
        DriverObject->MajorFunction[IRP_MJ_FLUSH_BUFFERS]            = (PDRIVER_DISPATCH)SysmonDispatchIrp;
        DriverObject->MajorFunction[IRP_MJ_QUERY_VOLUME_INFORMATION] = (PDRIVER_DISPATCH)SysmonDispatchIrp;
        DriverObject->MajorFunction[IRP_MJ_SET_VOLUME_INFORMATION]   = (PDRIVER_DISPATCH)SysmonDispatchIrp;
        DriverObject->MajorFunction[IRP_MJ_DIRECTORY_CONTROL]        = (PDRIVER_DISPATCH)SysmonDispatchIrp;
        DriverObject->MajorFunction[IRP_MJ_FILE_SYSTEM_CONTROL]      = (PDRIVER_DISPATCH)SysmonDispatchIrp;
        DriverObject->MajorFunction[IRP_MJ_DEVICE_CONTROL]           = (PDRIVER_DISPATCH)SysmonDispatchIrp;
        DriverObject->MajorFunction[IRP_MJ_INTERNAL_DEVICE_CONTROL]  = (PDRIVER_DISPATCH)SysmonDispatchIrp;
        DriverObject->MajorFunction[IRP_MJ_SHUTDOWN]                 = (PDRIVER_DISPATCH)SysmonDispatchIrp;
        DriverObject->MajorFunction[IRP_MJ_LOCK_CONTROL]             = (PDRIVER_DISPATCH)SysmonDispatchIrp;
        DriverObject->MajorFunction[IRP_MJ_CLEANUP]                  = (PDRIVER_DISPATCH)SysmonDispatchIrp;
        DriverObject->MajorFunction[IRP_MJ_CREATE_MAILSLOT]          = (PDRIVER_DISPATCH)SysmonDispatchIrp;
        DriverObject->MajorFunction[IRP_MJ_QUERY_SECURITY]           = (PDRIVER_DISPATCH)SysmonDispatchIrp;
        DriverObject->MajorFunction[IRP_MJ_SET_SECURITY]             = (PDRIVER_DISPATCH)SysmonDispatchIrp;
        DriverObject->MajorFunction[IRP_MJ_POWER]                    = (PDRIVER_DISPATCH)SysmonDispatchIrp;
        DriverObject->MajorFunction[IRP_MJ_SYSTEM_CONTROL]           = (PDRIVER_DISPATCH)SysmonDispatchIrp;
        DriverObject->MajorFunction[IRP_MJ_DEVICE_CHANGE]            = (PDRIVER_DISPATCH)SysmonDispatchIrp;
        DriverObject->MajorFunction[IRP_MJ_QUERY_QUOTA]              = (PDRIVER_DISPATCH)SysmonDispatchIrp;
        DriverObject->MajorFunction[IRP_MJ_SET_QUOTA]                = (PDRIVER_DISPATCH)SysmonDispatchIrp;
    }

Then the usual steps follow: IoCreateDevice and IoCreateSymbolicLink.

Then, if the operating system supports it, FltRegisterFilter(Driver, &g_Registration, &g_pFilter) registers the minifilter. Now look at the operation registration structure it uses:

    /* Reconstructed from the .rdata listing starting at 10013450 (each row: MajorFunction, Flags, Pre, Post, Reserved) */
    CONST FLT_OPERATION_REGISTRATION OperationRegistration[] = {
        { IRP_MJ_CREATE,            0, PreOperation, PostOperation, 0 },
        { IRP_MJ_CLEANUP,           0, PreOperation, PostOperation, 0 },
        { IRP_MJ_SET_INFORMATION,   0, PreOperation, PostOperation, 0 },
        { IRP_MJ_CLOSE,             0, PreOperation, PostOperation, 0 },
        { IRP_MJ_CREATE_NAMED_PIPE, 0, PreOperation, PostOperation, 0 },
        { IRP_MJ_OPERATION_END,     0, 0,            0,             0 }
    };

From the above, you can see that the minifilter filters IRP_MJ_CREATE, IRP_MJ_CLEANUP, IRP_MJ_SET_INFORMATION, IRP_MJ_CLOSE and IRP_MJ_CREATE_NAMED_PIPE.

The registration related to the file system is completed, and then some callback function routines related to processes and threads are set.

    PsSetLoadImageNotifyRoutine(SysmonLoadImageNotifyRoutine);
    PsSetCreateThreadNotifyRoutine(PsCreateThreadNotifyRoutine);
    PsSetCreateProcessNotifyRoutine(PsCreateProcessNotifyRoutine, 0);

To record registry events, sysmon registers a registry callback: CmRegisterCallback(RegisterCallback, 0, &Cookie);

An Ob callback is registered to record process handle-open events:

    /* Reconstructed from the decompiled listing; global names are as recovered from it */
    g_IsRegisterCallback = 1;
    g_OperationRegistration.ObjectType    = (POBJECT_TYPE *)PsProcessType;
    g_OperationRegistration.Operations    = 1;                 /* OB_OPERATION_HANDLE_CREATE */
    g_OperationRegistration.PreOperation  = PreProcessOperation;
    g_OperationRegistration.PostOperation = PostProcessOperation;
    g_CallbackRegistration.OperationRegistration = &g_OperationRegistration;
    /* Writes Version = 0x0100 (OB_FLT_REGISTRATION_VERSION) and OperationRegistrationCount = 1 in one store */
    *(_DWORD *)&g_CallbackRegistration.Version = 0x10100;
    g_CallbackRegistration.RegistrationContext = 0;
    RtlInitUnicodeString(&g_CallbackRegistration.Altitude, L"1000");
    Status = g_ObRegisterCallbacks(&g_CallbackRegistration, &RegistrationHandle);

In order to get pipe events, it attaches to the device L"\\Device\\NamedPipe" and creates the filter device L"\\Device\\SysmonPipeFilter".

At this point, the initialization of sysmon's DriverEntry is almost over.

II. IRP_MJ_DEVICE_CONTROL routine

Case 0x83400000: sets the driver-open flag, and obtains and saves the handle of the current UI process.

Case 0x83400004: ring3 requests event information, which is returned into the ring3 buffer.

Case 0x83400008: loads the policy rules.

Case 0x8340000C: gets information about the given process (TokenUser, pTokenStatics, TokenGroup, TokenSession), together with the process's pImagePathName, pCommandLine and CurrentDirectory, and the CreateTime of the process. The event type is 4 or 1.

III. Recording of file information

The minifilter's PreOperation(PFLT_CALLBACK_DATA pData, PFLT_RELATED_OBJECTS FltObjects, PVOID *CompletionContext) routine holds the main judgment logic. It first determines whether the path of the current FileObject is a pipe path; a pipe event is reported directly.

It specifically checks IRP_MJ_SET_INFORMATION and IRP_MJ_CLEANUP and reports _ respectively. Note that for IRP_MJ_SET_INFORMATION it only records requests whose RequestorMode is 1, that is, USER_MODE, and which set FileBasicInformation.

After PreOperation has run, PostOperation(PFLT_CALLBACK_DATA pData, PFLT_RELATED_OBJECTS pFltFileObj, PVOID CompletionContext, int Flags) logs or releases the CompletionContext prepared by the former. Taking IRP_MJ_SET_INFORMATION as an example, PostOperation reports the CompletionContext data that PreOperation collected.

IV. Record of registry information

When Sysmon initializes, it registers a registry filter with CmRegisterCallback(RegisterCallback, 0, &Cookie); the callback function is NTSTATUS __stdcall RegisterCallback(PVOID CallbackContext, PVOID Argument1, PVOID Argument2). The parameter Argument1 is the registry operation type (REG_NOTIFY_CLASS), and sysmon filters operations 0 (RegNtDeleteKey / RegNtPreDeleteKey), 4 (RegNtRenameKey / RegNtPreRenameKey), 11 (RegNtPostCreateKey), 15 (RegNtPostDeleteKey), 16 (RegNtPostSetValueKey), 17 (RegNtPostDeleteValueKey), 19 (RegNtPostRenameKey) and 27 (RegNtPostCreateKeyEx).

V. Process operation filtering

Sysmon registers process operation filtering with g_ObRegisterCallbacks(&g_CallbackRegistration, &RegistrationHandle).

It only records operations of type OB_OPERATION_HANDLE_CREATE, and only when process A operates on process B and A and B are not the same process. Note that RtlWalkFrameChain is used to capture the stack of the thread performing the operation, and KeQuerySystemTime(&pOpenInfo.CreateTime); obtains the current system time; this information is then reported.

VI. Other key technical details

1. Enumeration of process modules

ZwQueryInformationProcess(ProcessHandle, ProcessBasicInformation, &ProcessInformation, 0x18u, 0) fills in ProcessInformation; the PEB address is read from PebBaseAddress = ProcessInformation.PebBaseAddress;, and from the PEB the address of Ldr is obtained. Ldr is the structure that describes the modules loaded in the process.

    struct _PEB {
        UCHAR InheritedAddressSpace;
        UCHAR ReadImageFileExecOptions;
        UCHAR BeingDebugged;
        UCHAR BitField;
        PVOID Mutant;
        PVOID ImageBaseAddress;
        PPEB_LDR_DATA Ldr;
        PRTL_USER_PROCESS_PARAMETERS ProcessParameters;
        PVOID SubSystemData;
        PVOID ProcessHeap;
        PRTL_CRITICAL_SECTION FastPebLock;
        PVOID AtlThunkSListPtr;
        PVOID IFEOKey;
        ULONG CrossProcessFlags;
        unsigned __int32 ProcessInJob : 1;
        unsigned __int32 ProcessInitializing : 1;
        ULONG SystemReserved;
        unsigned __int32 ReservedBits0 : 30;
        union {
            PVOID KernelCallbackTable;
            PVOID UserSharedInfoPtr;
        };
    };

PPEB_LDR_DATA Ldr; is the loaded-module structure. It holds three module lists (in-memory order, load order and initialization order), from which module information can be enumerated.

    struct _PEB_LDR_DATA {
        ULONG Length;
        UCHAR Initialized;
        PVOID SsHandle;
        LIST_ENTRY InLoadOrderModuleList;
        LIST_ENTRY InMemoryOrderModuleList;
        LIST_ENTRY InInitializationOrderModuleList;
    };
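As an added example (my own user-mode C, not the driver's code), here is how one of these lists is walked: the LIST_ENTRY embedded in each module entry points into the middle of the entry, so CONTAINING_RECORD must subtract the field offset, and the walk must be bounded so a corrupted list cannot spin. The structure mirrors are simplified, the module names are constructed sample data, and the function names are assumptions.

```c
#include <stddef.h>
#include <wchar.h>

/* User-mode mirrors of the kernel structures (layouts simplified, names assumed). */
typedef struct _LIST_ENTRY_T { struct _LIST_ENTRY_T *Flink, *Blink; } LIST_ENTRY_T;
typedef struct { unsigned short Length, MaximumLength; wchar_t *Buffer; } UNICODE_STRING_T;
typedef struct {
    LIST_ENTRY_T InLoadOrderLinks;            /* linked from InLoadOrderModuleList */
    LIST_ENTRY_T InMemoryOrderLinks;          /* linked from InMemoryOrderModuleList */
    LIST_ENTRY_T InInitializationOrderLinks;  /* linked from InInitializationOrderModuleList */
    void *DllBase;
    UNICODE_STRING_T BaseDllName;
} LDR_DATA_TABLE_ENTRY_T;
typedef struct {
    unsigned long Length; unsigned char Initialized; void *SsHandle;
    LIST_ENTRY_T InLoadOrderModuleList, InMemoryOrderModuleList, InInitializationOrderModuleList;
} PEB_LDR_DATA_T;

/* A LIST_ENTRY points into the middle of an entry; subtract the field offset to recover it. */
#define CONTAINING_RECORD_T(addr, type, field) ((type *)((char *)(addr) - offsetof(type, field)))
#define MAX_WALK 4096   /* bound the walk so a corrupted or cyclic list cannot spin forever */

/* BaseDllName of the index-th module in load order, or NULL when index is out of range. */
const wchar_t *ModuleNameAt(const PEB_LDR_DATA_T *ldr, size_t index)
{
    const LIST_ENTRY_T *head = &ldr->InLoadOrderModuleList, *e = head->Flink;
    for (size_t i = 0; e != head && i < MAX_WALK; e = e->Flink, i++)
        if (i == index)
            return CONTAINING_RECORD_T(e, LDR_DATA_TABLE_ENTRY_T, InLoadOrderLinks)->BaseDllName.Buffer;
    return NULL;
}

/* Constructed sample (not real process memory): three fake modules in load order. */
static LDR_DATA_TABLE_ENTRY_T g_Mods[3];
static PEB_LDR_DATA_T g_Ldr;
static wchar_t g_Names[3][16] = { L"sysmon.exe", L"ntdll.dll", L"kernel32.dll" };

const PEB_LDR_DATA_T *BuildSampleLdr(void)
{
    LIST_ENTRY_T *head = &g_Ldr.InLoadOrderModuleList;
    head->Flink = head->Blink = head;           /* empty circular list */
    for (size_t i = 0; i < 3; i++) {
        LIST_ENTRY_T *e = &g_Mods[i].InLoadOrderLinks;
        g_Mods[i].BaseDllName.Buffer = g_Names[i];
        g_Mods[i].BaseDllName.Length = (unsigned short)(wcslen(g_Names[i]) * sizeof(wchar_t)); /* bytes */
        e->Flink = head; e->Blink = head->Blink; head->Blink->Flink = e; head->Blink = e;  /* insert at tail */
    }
    g_Ldr.Initialized = 1;
    return &g_Ldr;
}
```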

2. Acquisition of process parameters

Roughly: first attach to the process's address space with KeStackAttachProcess, then get the PEB address, and from the PEB reach the ProcessParameters structure.

The structure of ProcessParameters is as follows:

    struct _RTL_USER_PROCESS_PARAMETERS {
        ULONG MaximumLength;
        ULONG Length;
        ULONG Flags;
        ULONG DebugFlags;
        PVOID ConsoleHandle;
        ULONG ConsoleFlags;
        PVOID StandardInput;
        PVOID StandardOutput;
        PVOID StandardError;
        CURDIR CurrentDirectory;
        UNICODE_STRING DllPath;
        UNICODE_STRING ImagePathName;
        UNICODE_STRING CommandLine;
        PVOID Environment;
        ULONG StartingX;
        ULONG StartingY;
        ULONG CountX;
        ULONG CountY;
        ULONG CountCharsX;
        ULONG CountCharsY;
        ULONG FillAttribute;
        ULONG WindowFlags;
        ULONG ShowWindowFlags;
        UNICODE_STRING WindowTitle;
        UNICODE_STRING DesktopInfo;
        UNICODE_STRING ShellInfo;
        UNICODE_STRING RuntimeData;
        RTL_DRIVE_LETTER_CURDIR CurrentDirectores[32];
        ULONG EnvironmentSize;
    };

You can see all kinds of information about process parameters in this structure.

3. Acquisition of information related to process Token

All of it is obtained through the ZwQueryInformationToken function, but with different TokenInformationClass values, as defined below:

    typedef enum _TOKEN_INFORMATION_CLASS {
        TokenUser = 1,
        TokenGroups,
        TokenPrivileges,
        TokenOwner,
        TokenPrimaryGroup,
        TokenDefaultDacl,
        TokenSource,
        TokenType,
        TokenImpersonationLevel,
        TokenStatistics,
        TokenRestrictedSids,
        TokenSessionId,
        TokenGroupsAndPrivileges,
        TokenSessionReference,
        TokenSandBoxInert,
        TokenAuditPolicy,
        TokenOrigin,
        TokenElevationType,
        TokenLinkedToken,
        TokenElevation,
        TokenHasRestrictions,
        TokenAccessInformation,
        TokenVirtualizationAllowed,
        TokenVirtualizationEnabled,
        TokenIntegrityLevel,
        TokenUIAccess,
        TokenMandatoryPolicy,
        TokenLogonSid,
        TokenIsAppContainer,
        TokenCapabilities,
        TokenAppContainerSid,
        TokenAppContainerNumber,
        TokenUserClaimAttributes,
        TokenDeviceClaimAttributes,
        TokenRestrictedUserClaimAttributes,
        TokenRestrictedDeviceClaimAttributes,
        TokenDeviceGroups,
        TokenRestrictedDeviceGroups,
        TokenSecurityAttributes,
        TokenIsRestricted,
        TokenProcessTrustLevel,
        TokenPrivateNameSpace,
        TokenSingletonAttributes,
        TokenBnoIsolation,
        TokenChildProcessFlags,
        MaxTokenInfoClass
    } TOKEN_INFORMATION_CLASS, *PTOKEN_INFORMATION_CLASS;

Choose whichever class returns the information you need.

This is the end of this article on "initialization of driver DriverEntry". I hope the above content can be of some help to you and that you learn something from it. If you think the article is good, please share it so more people can see it.
