Minifilter driver - buffer data kernel mode

David 211 Reputation points
2022-08-25T14:46:33.073+00:00

Hi everyone,

I have a minifilter kernel driver that needs to retrieve all '.exe' files being loaded by the OS. I can do that so far, however, I can only intercept the filenames when my userland service is running and connected to the driver (Communication Port).

This means: I am missing all executable names that were launched from boot time until before my own service is run, and these are the ones I would like to intercept as well.
My driver is set to 0x00000001 SERVICE_SYSTEM_START

My idea is to:

  • Put all services names (services launched before mine) in a buffer at a kernel level
  • When my service connects to my driver, then I can stop adding to the buffer and send all the data to my service for processing.

After further research, I read about several things: ExAllocatePoolMemory, Lookaside lists, not possible to use STL's vectors, not possible to use 'new'....
I just need to store these filenames in an array of WCHAR.

I would greatly appreciate some help on that! Thank you.

C++
C++
A high-level, general-purpose programming language, created as an extension of the C programming language, that has object-oriented, generic, and functional features in addition to facilities for low-level memory manipulation.
2,756 questions
Windows Hardware Performance
Windows Hardware Performance
Windows: A family of Microsoft operating systems that run across personal computers, tablets, laptops, phones, internet of things devices, self-contained mixed reality headsets, large collaboration screens, and other devices.Hardware Performance: Delivering / providing hardware or hardware systems or adjusting / adapting hardware or hardware systems.
1,288 questions