
When I used C# I was only able to access user-mode registry accesses.

Is it very difficult to access kernel-mode registry accesses using C++?

I recall reading somewhere I may have to create a dummy windows driver or something?

EDIT: Basically, as a hobby project I wish to create a simple registry monitor. However, I do want to catch kernel-mode (as well as user-mode) registry accesses. Last time I did this, using C#, I could not access the kernel-mode activity.

user997112
  • Whatever are you TALKING about? Could you explain a bit further what you're trying to accomplish? Or give an example? – paulsm4 Oct 15 '11 at 18:08
  • This might help you out: http://stackoverflow.com/questions/508614/create-a-new-windows-registry-key-using-c – CassOnMars Oct 15 '11 at 18:14
  • What is "kernel-mode registry access" and how does one access it? – avakar Oct 15 '11 at 18:17
  • There are two levels of registry accesses, kernel mode and user mode. – user997112 Oct 15 '11 at 18:27
  • @d_r_w I searched around on stackoverflow for registry questions, but I'm a little unsure why you pointed me to that particular previous question? I guess the emphasis of my question is hooking the kernel-mode registry accesses? – user997112 Oct 15 '11 at 18:28
  • There's some more info in this question then: http://stackoverflow.com/questions/5442450/monitor-kernel-registry-changes – CassOnMars Oct 15 '11 at 18:32
  • @user997112, with your edit, the question makes more sense. Take a look at http://technet.microsoft.com/en-us/sysinternals/bb896645. – avakar Oct 15 '11 at 18:33
  • You need a kernel-mode driver. Currently, you cannot write a kernel-mode driver in C#. – Raymond Chen Oct 16 '11 at 05:10

1 Answer


There are two ways to achieve this:

  • Hook the relevant functions in the kernel - the traditional way - which requires a C kernel driver. This is possible on x86 Windows, but on x64 Kernel Patch Protection will detect these modifications and shut down the system (with a blue screen).
  • Build a registry filter driver - this is the now-encouraged way to attack this problem and is the way Process Monitor works. You can also build file system filter drivers this way. Essentially, you simply need to pass the information back to userland, which boils down to:

    IoCreateDevice(DriverObject, ..., &deviceName /* \Device\YourDriverName */, FILE_DEVICE_UNKNOWN, ..., &deviceObject)
    IoCreateSymbolicLink(&linkName /* \DosDevices\YourDriverName */, &deviceName)
    

    then a C, C++, or C# application should be able to open the file \\.\YourDriverName and DeviceIoControl to it and receive responses.

It is possible to use C++ to write kernel drivers, but see this before you embark on doing so. To be clearer, you need to be really careful about memory in kernel mode (paged vs. nonpaged), and you're not going to have access to much of the standard library.

As an aside, you should be aware that:

  • Not all registry hives are accessible to kernel mode drivers, depending on context.
  • The paths are not common. So the kernel accesses \Registry\System whereas userland accesses HKLM.
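As an added illustration (example code written for this page, not the answer's code and not Process Monitor's), the skeleton below puts the answer's steps together in one file: a registry filter driver registered with CmRegisterCallbackEx, the \Device object and \DosDevices link that make \\.\RegMonExample openable, an IOCTL handler that hands events back to userland, and a small client that polls it with DeviceIoControl. Every name in it (RegMonExample, IOCTL_REGMON_GET_EVENT, the REGMON_BUILD_* switches, the altitude string) is invented here. The shared protocol section is portable C and is what compiles by default; the driver half needs the WDK and the client half needs windows.h, so each sits behind its own preprocessor switch.

```c
/* Added example, not the answer's code: a registry filter driver (CmRegisterCallbackEx), the
 * \Device object and \DosDevices link it exposes, and a user-mode client reading events via
 * DeviceIoControl. All names (RegMonExample, IOCTL_REGMON_GET_EVENT, REGMON_BUILD_*) are
 * invented. Default build: portable shared protocol only. -DREGMON_BUILD_DRIVER: kernel side,
 * needs the WDK. -DREGMON_BUILD_CLIENT: user side, needs windows.h (MSVC or mingw). */
#include <stddef.h>
#include <stdint.h>

/* Shared protocol, byte-identical on both sides of the boundary. REGMON_CTL_CODE has the same
 * bit layout as the WDK CTL_CODE macro: type<<16 | access<<14 | function<<2 | method. */
#define REGMON_MAX_PATH 512
#define REGMON_CTL_CODE(type, fn, method, access) \
    (((uint32_t)(type) << 16) | ((uint32_t)(access) << 14) | ((uint32_t)(fn) << 2) | (uint32_t)(method))
#define IOCTL_REGMON_GET_EVENT REGMON_CTL_CODE(0x22 /*FILE_DEVICE_UNKNOWN*/, 0x800, 0 /*BUFFERED*/, 0 /*ANY_ACCESS*/)

typedef struct regmon_event {
    uint32_t pid;                        /* process whose thread made the access */
    uint32_t notify_class;               /* REG_NOTIFY_CLASS value, e.g. RegNtPreSetValueKey */
    uint32_t path_len;                   /* bytes of key_path in use, <= sizeof key_path */
    uint16_t key_path[REGMON_MAX_PATH];  /* UTF-16 \REGISTRY\... path, not NUL-terminated */
} regmon_event;

/* Never trust a length that crossed the user/kernel boundary: the driver applies this idea to
 * the IOCTL output buffer length, the client applies it to what DeviceIoControl returned. */
static int regmon_event_is_valid(const regmon_event *ev, size_t buffer_len)
{
    if (ev == NULL || buffer_len < sizeof(*ev)) return 0;
    return ev->path_len <= sizeof(ev->key_path) && ev->path_len % 2 == 0;
}

#ifdef REGMON_BUILD_DRIVER /* ---------------------------- kernel side ---------------------------- */
#include <ntddk.h>
static UNICODE_STRING g_dev_name  = RTL_CONSTANT_STRING(L"\\Device\\RegMonExample");
static UNICODE_STRING g_link_name = RTL_CONSTANT_STRING(L"\\DosDevices\\RegMonExample");
static UNICODE_STRING g_altitude  = RTL_CONSTANT_STRING(L"380000"); /* placeholder; Microsoft assigns real altitudes */
static LARGE_INTEGER g_cookie; static KSPIN_LOCK g_lock;
static regmon_event g_slot; static BOOLEAN g_slot_full;  /* one-event queue keeps the example short */
/* Runs for every registry operation on the machine, kernel-mode callers included. */
static NTSTATUS RegCallback(PVOID ctx, PVOID arg1, PVOID arg2)
{
    REG_NOTIFY_CLASS cls = (REG_NOTIFY_CLASS)(ULONG_PTR)arg1;
    PCUNICODE_STRING name; regmon_event ev = {0}; KIRQL irql;
    UNREFERENCED_PARAMETER(ctx);
    if (cls != RegNtPreSetValueKey && cls != RegNtPreDeleteKey) return STATUS_SUCCESS;
    /* both REG_*_KEY_INFORMATION structs start with the key object; resolve it to its \REGISTRY path */
    if (!NT_SUCCESS(CmCallbackGetKeyObjectID(&g_cookie, *(PVOID *)arg2, NULL, &name)))
        return STATUS_SUCCESS;                 /* a monitor must never fail the caller's operation */
    ev.pid = HandleToULong(PsGetCurrentProcessId()); ev.notify_class = (uint32_t)cls;
    ev.path_len = name->Length < sizeof ev.key_path ? name->Length : sizeof ev.key_path; /* truncate, never overflow */
    RtlCopyMemory(ev.key_path, name->Buffer, ev.path_len);
    KeAcquireSpinLock(&g_lock, &irql); g_slot = ev; g_slot_full = TRUE; KeReleaseSpinLock(&g_lock, irql);
    return STATUS_SUCCESS;
}
static NTSTATUS Complete(PIRP irp, NTSTATUS st, ULONG_PTR info)
{ irp->IoStatus.Status = st; irp->IoStatus.Information = info; IoCompleteRequest(irp, IO_NO_INCREMENT); return st; }
static NTSTATUS CreateClose(PDEVICE_OBJECT dev, PIRP irp) { UNREFERENCED_PARAMETER(dev); return Complete(irp, STATUS_SUCCESS, 0); }
static NTSTATUS DeviceControl(PDEVICE_OBJECT dev, PIRP irp)
{
    PIO_STACK_LOCATION sp = IoGetCurrentIrpStackLocation(irp); KIRQL irql; NTSTATUS st;
    UNREFERENCED_PARAMETER(dev);
    if (sp->Parameters.DeviceIoControl.IoControlCode != IOCTL_REGMON_GET_EVENT)
        return Complete(irp, STATUS_INVALID_DEVICE_REQUEST, 0);
    if (sp->Parameters.DeviceIoControl.OutputBufferLength < sizeof(regmon_event))  /* user-supplied size: check first */
        return Complete(irp, STATUS_BUFFER_TOO_SMALL, 0);
    KeAcquireSpinLock(&g_lock, &irql);
    if (g_slot_full) { *(regmon_event *)irp->AssociatedIrp.SystemBuffer = g_slot; g_slot_full = FALSE; st = STATUS_SUCCESS; }
    else st = STATUS_NO_MORE_ENTRIES;
    KeReleaseSpinLock(&g_lock, irql);
    return Complete(irp, st, st == STATUS_SUCCESS ? sizeof(regmon_event) : 0);
}
static VOID Unload(PDRIVER_OBJECT drv)
{ CmUnRegisterCallback(g_cookie); IoDeleteSymbolicLink(&g_link_name); IoDeleteDevice(drv->DeviceObject); }
NTSTATUS DriverEntry(PDRIVER_OBJECT drv, PUNICODE_STRING reg_path)
{
    PDEVICE_OBJECT dev; NTSTATUS st;
    UNREFERENCED_PARAMETER(reg_path); KeInitializeSpinLock(&g_lock);
    st = IoCreateDevice(drv, 0, &g_dev_name, FILE_DEVICE_UNKNOWN, 0, FALSE, &dev);
    if (!NT_SUCCESS(st)) return st;
    st = IoCreateSymbolicLink(&g_link_name, &g_dev_name);      /* makes \\.\RegMonExample openable from user mode */
    if (!NT_SUCCESS(st)) { IoDeleteDevice(dev); return st; }
    drv->MajorFunction[IRP_MJ_CREATE] = drv->MajorFunction[IRP_MJ_CLOSE] = CreateClose;
    drv->MajorFunction[IRP_MJ_DEVICE_CONTROL] = DeviceControl; drv->DriverUnload = Unload;
    st = CmRegisterCallbackEx(RegCallback, &g_altitude, drv, NULL, &g_cookie, NULL);
    if (!NT_SUCCESS(st)) { IoDeleteSymbolicLink(&g_link_name); IoDeleteDevice(dev); }
    return st;
}
#endif
#ifdef REGMON_BUILD_CLIENT /* ---------------------------- user side ---------------------------- */
#include <windows.h>
#include <stdio.h>
int main(void)
{
    HANDLE h = CreateFileW(L"\\\\.\\RegMonExample", GENERIC_READ, 0, NULL, OPEN_EXISTING, 0, NULL);
    regmon_event ev; DWORD got;
    if (h == INVALID_HANDLE_VALUE) return 1;
    for (;;)   /* STATUS_NO_MORE_ENTRIES surfaces as a failed call: back off and poll again */
        if (DeviceIoControl(h, IOCTL_REGMON_GET_EVENT, NULL, 0, &ev, sizeof ev, &got, NULL) && regmon_event_is_valid(&ev, got))
            wprintf(L"pid %lu class %lu %.*ls\n", (unsigned long)ev.pid, (unsigned long)ev.notify_class,
                    (int)(ev.path_len / 2), (const wchar_t *)ev.key_path);
        else Sleep(10);
}
#endif
```

The check that matters most for safety is the OutputBufferLength test in DeviceControl: that size comes from user mode, so it is validated before a single byte is written to SystemBuffer. The driver is a plain legacy (non-PnP) driver, so it is loaded with sc create/sc start on a machine with test signing enabled, and the altitude string must be replaced with one obtained from Microsoft before anything ships. The paths it reports are the \REGISTRY\... form the aside above describes, not HKLM-style paths, and the single-slot queue means events arriving faster than the client polls are dropped, which a real monitor replaces with a list and an event for the client to wait on.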