Writing a windows registry filter using C++
-
Saturday, October 15, 2011, 10:30 PM
Hi,
I wish to write a registry filter in C++ (so that I can monitor kernel-level registry accesses). I found this page: http://msdn.microsoft.com/en-us/library/windows/hardware/ff558715(v=vs.85).aspx
but I can't seem to find the actual source code in the download I got here:
http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=11800
Would someone either be able to point me to the actual source code for the RegFltr example or point me to another C++ example for writing such a driver?
Thanks
All responses
-
Saturday, October 15, 2011, 10:44 PM
Look under src\general\registry\regfltr; note the code is C, not C++. If you are an experienced developer you can use a limited set of C++ in the kernel, but for most beginners it is not a good idea.
Don Burn, Windows Filesystem and Driver Consulting. Website: http://www.windrvr.com Blog: http://msmvps.com/blogs/WinDrvr
-
Saturday, October 15, 2011, 11:37 PM
Thanks for that.
A general question: I am a complete beginner to "Windows programming", so am I wasting my time here, because the code looks very complicated?
(I basically want to improve my C++ skills and I thought an interesting project would be to monitor all the registry activity occurring. I could probably do user-level registry accesses pretty quickly in C++ but being able to monitor the kernel-level registry accesses would be much better, because I am interested in high-volume real-time systems)
-
Sunday, October 16, 2011, 12:34 AM
Well, the code in the sample tries to show a lot of things. It is possible to create a pretty simple driver that will get you the data on what is happening in the registry. The complexity in the sample is because they are also tracking transactions, and because they also provide a mechanism for passing the data up to user space for display.
As I noted earlier, most kernel stuff is C or limited C++. If your primary goal is expanding your C++ knowledge I would tackle something with Windows Management Instrumentation (WMI). WMI means you need to use COM, which in the Windows world of C++ is a useful skill. You could create a user space program that collects a lot of data about a computer using WMI.
If you are interested in learning to program in the Windows kernel, then the registry monitoring is not a bad starting place. If you want to go that route with a simpler approach, I am willing to make suggestions.
Don Burn, Windows Filesystem and Driver Consulting. Website: http://www.windrvr.com Blog: http://msmvps.com/blogs/WinDrvr
-
Sunday, October 16, 2011, 12:46 AM
Dear Don,
Does WMI/COM provide an alternative method for monitoring the kernel registry activity?
Thanks
EDIT: Regardless, I am very interested in this simpler driver you mentioned.
Edited by Tom7777777, Sunday, October 16, 2011, 12:46 AM
-
Sunday, October 16, 2011, 11:08 AM
No, WMI won't track registry changes. You should try tools\tracing\<arch>\traceview under the WDK; this is a tool that reads the kernel's tracing. If this tool shows you enough data, then if you want your own custom version look up ETW, which has samples in the SDK that show how to collect and read these trace logs.
Don Burn, Windows Filesystem and Driver Consulting. Website: http://www.windrvr.com Blog: http://msmvps.com/blogs/WinDrvr
-
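The ETW route Don describes, capturing registry activity with the built-in NT Kernel Logger rather than writing a driver, as an added example that is not part of the thread. The output path is a placeholder; the session must be run from an elevated PowerShell prompt.

```powershell
# Added example (not from the thread): record kernel registry events with ETW's
# NT Kernel Logger and render them for inspection. The same .etl can be opened in
# traceview.exe from the WDK. Assumption: C:\Temp\regtrace.etl is a placeholder path.
$Etl = 'C:\Temp\regtrace.etl'
New-Item -ItemType Directory -Force -Path (Split-Path $Etl) | Out-Null

# Only one NT Kernel Logger session can exist at a time; clear a stale one first.
logman stop "NT Kernel Logger" -ets 2>$null

# Enable only the registry keyword so the trace stays small on a busy system.
# The "(registry)" token is quoted so PowerShell does not parse the parentheses itself.
logman start "NT Kernel Logger" -p "Windows Kernel Trace" "(registry)" -o $Etl -ets
if ($LASTEXITCODE -ne 0) { throw "logman start failed with exit code $LASTEXITCODE" }

# Let some registry activity occur, then stop the session to flush the file.
Start-Sleep -Seconds 10
logman stop "NT Kernel Logger" -ets

# Convert the binary trace to XML with tracerpt (ships with Windows); -y overwrites.
$Xml = Join-Path (Split-Path $Etl) 'regtrace.xml'
tracerpt $Etl -o $Xml -of XML -y
if ($LASTEXITCODE -ne 0) { throw "tracerpt failed with exit code $LASTEXITCODE" }
Write-Host "Registry trace written to $Etl, rendered to $Xml"
```

Each rendered event carries the key path, the operation type and the calling process ID, which is the same information a registry filter callback sees, without loading kernel code.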
Sunday, October 16, 2011, 3:21 PM
Hey Donald,
If I can get this driver to work then I think I will be able to still crack on and learn more about C++.
How much extra padding do you think there is in the example code? Would JUST collecting the registry information be a much smaller subset of the current example?
(I also managed to get a copy of the Mark Russinovich Regmon source code, but that is also heavily padded with all the GUI and file monitoring parts too.)
-
Monday, October 17, 2011, 12:05 PM
Pardon me for jumping in. The source of the WDK examples is not large; you can easily figure out which parts are required for access tracing only.
But usually a big part of driver code is "padding". Learning to understand code written by others is IMHO crucial for learning C++ or any other language, even though kernel drivers are not written in "normal" C++, and even though in user mode Microsoft's implementation of C++ is quite conservative.
Good luck,
-- pa
-
Wednesday, October 19, 2011, 1:18 PM
Could someone give me some practical advice? Assume I have written the C code for the filter driver. How is this driver 'installed'? I presume it's just a normal C file? Do I need to write a .dll, etc.? How do you tell Windows to implement the new driver behaviour and not the old original behaviour? (I assume you need to do something other than just coding, or the original code will also be read?)
Thanks
-
Monday, November 21, 2011, 11:18 PM
Hello Tom7777777,
"I am a complete beginner to 'windows programming'?" Read more books about C++ and take a look at KMDF && UMDF.
"Does WMI/COM provide an alternative method for monitoring the kernel registry activity?" Only changes, not activity. Registry Event Classes
"How is this driver 'installed'?" Installing a Filter Driver
"I presume its just a normal C file?" C || C++
"Do i need to write a .dll?" How to Configure Visual Studio 2008 for Compiling Drivers && use a good tool (VisualDDK)
"How do you tell windows to implement the new driver behaviour and not the old original behaviour?" Search for examples at Google for more info.
Hope this Helps.
Any fool can know. The point is to understand. (Albert Einstein)
Edited by Ehsan Mohammadi, Monday, November 21, 2011, 11:22 PM
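The installation step Tom asks about, as an added example that is not from the thread: a registry filter built from the RegFltr-style sample is a plain kernel-mode service, so it is registered, loaded and unloaded with sc.exe rather than with a DLL or an INF. The service name RegMon and the path C:\Drivers\RegMon.sys are placeholders; run from an elevated prompt on a test machine.

```powershell
# Added example (not from the thread): load a test-signed registry filter driver as a
# demand-start kernel service, confirm the kernel has it, then unload and remove it.
# Assumptions: service name RegMon and binary path C:\Drivers\RegMon.sys are placeholders.
$ServiceName = 'RegMon'
$DriverPath  = 'C:\Drivers\RegMon.sys'   # placeholder: path to your built .sys

if (-not (Test-Path $DriverPath)) { throw "Driver binary not found: $DriverPath" }

# 1. 64-bit Windows refuses unsigned kernel code; allow test-signed drivers on this
#    test machine. The change takes effect after a reboot.
bcdedit /set testsigning on

# 2. Register the driver as a kernel-mode service. sc.exe requires the space after
#    each '=' in its arguments.
sc.exe create $ServiceName type= kernel start= demand binPath= $DriverPath
if ($LASTEXITCODE -ne 0) { throw "sc create failed with exit code $LASTEXITCODE" }

# 3. Load it. DriverEntry runs now; this is where the CmRegisterCallbackEx call in the
#    driver hooks registry operations, so from this point the callback sees all activity.
sc.exe start $ServiceName
if ($LASTEXITCODE -ne 0) { throw "sc start failed with exit code $LASTEXITCODE" }

# 4. Confirm the kernel actually loaded the image, not just that a service record exists.
$loaded = driverquery /v /fo csv | ConvertFrom-Csv |
          Where-Object { $_.'Module Name' -eq $ServiceName }
if ($loaded) { Write-Host "$ServiceName loaded, state: $($loaded.State)" }
else         { Write-Warning "$ServiceName is not reported by driverquery" }

# 5. Watch the driver's DbgPrint output in DebugView or a kernel debugger, then unload.
#    Stopping runs the driver's unload routine, which must call CmUnRegisterCallback
#    before the image goes away; otherwise the kernel keeps a dangling callback pointer.
sc.exe stop $ServiceName
sc.exe delete $ServiceName
```

The original registry behaviour is never replaced: a CmRegisterCallbackEx filter only observes (or, if it chooses, blocks) each operation before the configuration manager performs it, which answers the last of Tom's questions.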
-
Monday, November 21, 2011, 11:34 PM
"Do i need to write a .dll? How to Configure Visual Studio 2008 for Compiling Drivers && use a good tool (VisualDDK)"
Well, the methods for compiling drivers suggested are great ways to produce bugs, but not working code. The first method is a total piece of garbage (I spent time helping clients get rid of crap made that way) and the second is only useful if you use the DDKBuild option.
Don Burn, Windows Filesystem and Driver Consulting. Website: http://www.windrvr.com Blog: http://msmvps.com/blogs/WinDrvr
-
Monday, November 21, 2011, 11:43 PM
Hello Donald D. Burn,
Thanks for your reply,
1 - How to Configure Visual Studio 2008 for Compiling Drivers: I checked connect.microsoft.com and most of the problems reported there; if the developer compiles the project without the precompiled headers option, then the project compiles successfully.
2 - VisualDDK: VisualDDK and DDKWizard are the best tools for driver developers.
If you think differently, please tell me more about your ideas.
Best Regards
Any fool can know. The point is to understand. (Albert Einstein)
-
Tuesday, November 22, 2011, 12:12 AM
Neither of these tools is approved by Microsoft. If you have a problem and try to submit a driver built with these tools for help, you will be rejected. I've been developing Windows drivers for 17 years, and every few years I run into a client who tries to use crap like this; in every case there have been bugs that disappear when the drivers are built with the approved methods.
So, if you use these techniques, I hope all your drivers are for internal use only, since you are spreading bugs to the Windows community otherwise.
Don Burn, Windows Filesystem and Driver Consulting. Website: http://www.windrvr.com Blog: http://msmvps.com/blogs/WinDrvr
-
Wednesday, November 23, 2011, 2:49 PM
Visual Studio, 2005 through 2010, is fine for driver development as an editor, but you have to use the WinDDK compiler for building. You do that either by using a WinDDK build environment, or by using DDKBUILD in a Makefile project. Mostly I have not seen VisualDDK recommended by anyone that I respect on this forum ... Mark, Doron, Phil, or the folks from OSR. DdkWizard? Given that's what I think it is, I would not use it to write a driver for an electric butt wiper.
Gary G. Little, NanoTelesis Systems, LLC
-
Wednesday, November 23, 2011, 4:36 PM
The driver development mode in VS.11 "next" is IMHO strikingly similar to what "Visual DDK" does, including the kd engine integration into the IDE. So I think that the author(s) of VisualDDK at least deserve some credit.
-- pa
-
Wednesday, November 23, 2011, 5:24 PM (Owner)
What each does is similar in the result, but how each accomplishes their functionality is dramatically different.
d -- This posting is provided "AS IS" with no warranties, and confers no rights.