麦洛克菲内核开发第七课 注册表callback 和重定向,麦洛克菲 www.mallocfree.com,程君,麦洛克菲www.mallocfree.com,Callback提纲,Callback 相关函数 Callback 原理 Callback 实现功能,注册表重定向提纲,注册表的构成 注册表调用,Callback 相关函数,NTSTATUS CmRegisterCallback( IN PEX_CALLBACK_FUNCTION Function, IN PVOID Context, OUT PLARGE_INTEGER Cookie / 时间 ); NTSTATUS CmRegisterCallbackEx( IN PEX_CALLBACK_FUNCTION Function, IN PCUNICODE_STRING Altitude, IN PVOID Driver, IN PVOID Context, OUT PLARGE_INTEGER Cookie, PVOID Reserved ); Vista 以后使用,支持高度NTSTATUS CmUnRegisterCallback( IN LARGE_INTEGER Cookie );,Callback 相关函数,CmSetCallbackObjectContext( IN OUT PVOID Object, IN PLARGE_INTEGER Cookie, IN PVOID NewContext, OUT OPTIONAL PVOID *OldContext );主要用来在一个对象上设置相关的数据结构NTSTATUS CmCallbackGetKeyObjectID( IN PLARGE_INTEGER Cookie, IN PVOID Object, OUT OPTIONAL PULONG_PTR ObjectID, OUT OPTIONAL PCUNICODE_STRING *ObjectName); 主要用来在vista以后得到key 的名字PVOID CmGetBoundTransaction( in PLARGE_INTEGER Cookie, in PVOID Object ); VOID CmGetCallbackVersion( OUT OPTIONAL PULONG Major, OUT OPTIONAL PULONG Minor );,Callback 相关函数,EX_CALLBACK_FUNCTION RegistryCallback; NTSTATUS RegistryCallback( _in PVOID CallbackContext, _in_opt PVOID Argument1, / / REG_NOTIFY_CLASS _in_opt PVOID Argument2 / KEY_INFORMATION ) switch( (REG_NOTIFY_CLASS) Argument1)case RegNtPreDeleteKey :return HOOK_PreNtDeleteKey(PREG_DELETE_KEY_INFORMATION) Argument2);case RegNtPreSetValueKey:return HOOK_PreNtSetValueKey(PREG_SET_VALUE_KEY_INFORMATION) Argument2);case RegNtPreDeleteValueKey:return HOOK_PreNtDeleteValueKey(PREG_DELETE_VALUE_KEY_INFORMATION) Argument2);case RegNtPreRenameKey:return HOOK_PreNtRenameKey(PREG_RENAME_KEY_INFORMATION) Argument2);case RegNtPreCreateKeyEx:return HOOK_PreNtCreateKeyEx(PREG_CREATE_KEY_INFORMATION) Argument2);case RegNtPreCreateKeyEx: / pre 操作return HOOK_PreNtCreateKeyEx(PREG_CREATE_KEY_INFORMATION) Argument2);case RegNtPostCreateKeyEx : / post 操作return HOOK_PostNtCreateKeyEx(PRGG_POST_OPERATION_INFORMATION ) Argument2);,Callback 相关函数,Pre 操作 REG_XXX_KEY_INFORMATION 根据调用的各个不同REG_NOTIFY_CLASS 来决定 POST 操作 typedef struct _REG_POST_OPERATION_INFORMATION PVOID Object; / pre 操作后产生的对象 NTSTATUS Status; / pre 完成后将要返回给系统的状态PVOID PreInformation; / pre 的类信息 NTSTATUS ReturnStatus; / 如果要作修改,将要返回的状态 PVOID CallContext; / PVOID ObjectContext; / 可以pre 设置带到post里面来 PVOID Reserved; REG_POST_OPERATION_INFORMATION,*PREG_POST_OPERATION_INFORMATION;,整体框架,NTSTATUS DriverEntry(IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING RegistryPath) NTSTATUS ntStatus;ntStatus = CmRegisterCallback(MyRegistryCallback, NULL, ,NTSTATUS RegistryCallback( _in PVOID CallbackContext, _in_opt PVOID Argument1, / / REG_NOTIFY_CLASS _in_opt PVOID Argument2 / KEY_INFORMATION ) switch( (REG_NOTIFY_CLASS) Argument1) case RegNtPreDeleteKey : return HOOK_PreNtDeleteKey(PREG_DELETE_KEY_INFORMATION) Argument2);case RegNtPreRenameKey: return HOOK_PreNtRenameKey(PREG_RENAME_KEY_INFORMATION) Argument2);case RegNtPreCreateKeyEx: / pre 操作return HOOK_PreNtCreateKeyEx(PREG_CREATE_KEY_INFORMATION) Argument2);case RegNtPostCreateKeyEx : / post 操作 return HOOK_PostNtCreateKeyEx(PRGG_POST_OPERATION_INFORMATION ) ,NTSTATUS HOOK_PreNtDeleteKey(PREG_DELETE_KEY_INFORMATION Data) NTSTATUS status = 0;PUNICODE_STRING keyName;UNICODE_STRING uTarget;return STATUS_SUCCESS; ,Callback 实现的功能,Monitor 主要用在系统工具上,procmon,regmon Block 防御上，保护上等等 Modify Sandbox,虚拟化等等,Callback 实现的功能,MonitorRegistryCallback routine returns STATUS_SUCCESS BlockRegistryCallback routine NT_SUCCESS(status) equals FALSE, 这时候直接返回状态status 给系统调用,如果注册了post 操作的话,post 操作将不会执行,Callback 实现的功能,Modify 1. 修改REG_xxx_KEY_INFORMATION 结构里面的然后 Callback 函数返回STATUS_SUCCESS 2. 修改REG_POST_OPERATION_INFORMATION 结构里的ReturnStatus,然后Callback 函数返回STATUS_CALLBACK_BYPASS,Callback 设计核心思想,Window 操作系统的设计核心消息分发：应用层分层：从应用到内核回调：也相当于分层，其实回调应该是设计的一种接口形式,Callback 设计核心分层思想,Callback 设计核心思想,ntOpenKey() if(isCallback()return regcalllist-preOpen();if(isCallback()return regcalllist-postOpen(); ,1.在注册的时候把要注册的函数放到全局链表里2.在调用的时候，先判断是否注册，如果注册，调用函数,Callback 原理,NTSTATUSCmRegisterCallback(_in PEX_CALLBACK_FUNCTION Function, _in_opt PVOID Context,_out PLARGE_INTEGER Cookie)PEX_CALLBACK_ROUTINE_BLOCK RoutineBlock;ULONG i;PCM_CALLBACK_CONTEXT_BLOCK CmCallbackContext;PAGED_CODE();CmCallbackContext = (PCM_CALLBACK_CONTEXT_BLOCK)ExAllocatePoolWithTag (PagedPool, sizeof (CM_CALLBACK_CONTEXT_BLOCK), bcMC);if( CmCallbackContext = NULL ) return STATUS_INSUFFICIENT_RESOURCES;RoutineBlock = ExAllocateCallBack (Function,CmCallbackContext);if( RoutineBlock = NULL ) ExFreePool(CmCallbackContext);return STATUS_INSUFFICIENT_RESOURCES; / init the contextKeQuerySystemTime(,Callback 原理,