Concerning drivers...
-
Hello! I have a few questions concerning drivers. I don't know if this is the right board to post this kind of problems but here they are:
1. I want to create a keyboard filter driver. Is there any method that can ensure no other filter driver (keylogger) will attach to the keyboard driver (between the keyboard driver and my filter driver)?
2. I want to create another filter driver that will be installed nearest to a specified application (so that no other filter driver can get between this filter driver and the application). If this is possible, could anyone help me with a few links to documentation involving this kind of issues?
3. Is there any API which I can use to check whether a driver is digitally signed?
Thanks in advance!
modified on Tuesday, January 29, 2008 4:50:54 PM
-
Eikthrynir wrote:
1. I want to create a keyboard filter driver. Is there any method that can ensure no other filter driver (keylogger) will attach to the keyboard driver (between the keyboard driver and my filter driver) ?
The only thing I can think of is modifying the EAT of ntoskrnl and hooking IoCreateDevice. You would need to block devices of type FILE_DEVICE_KEYBOARD from being created. Perhaps the same could be accomplished later by hooking IoAttachDeviceToDeviceStack.
Eikthrynir wrote:
2. I want to create another filter driver that will be installed nearest to a specified application (so that no other filter driver can get between this filter driver and the application). If this is possible, could anyone help me with a few links to documentation involving this kind of issues?
Your ring-3 application will need to communicate with the keyboard filter driver through an IOCTL dispatch interface. You could obfuscate or encrypt communication with the driver, and/or from within the driver you should verify the sender by checksum of its PE image or whatever clever scheme you can think of.
Eikthrynir wrote:
3. Is there any API which I can use to check whether a driver is digitally signed?
Perhaps you should read some Microsoft documentation about kernel driver signing. http://www.microsoft.com/whdc/winlogo/drvsign/kmcs_walkthrough.mspx
Best Wishes,
-David Delaune
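An added defender-side check (my example, not code from the thread or from the reply above) that covers questions 1 and 3: it reads the keyboard device class's UpperFilters/LowerFilters values from the registry to see which filter drivers the PnP manager will attach around the keyboard driver, then verifies each image's Authenticode signature with Get-AuthenticodeSignature, the PowerShell front end to the WinVerifyTrust API. It assumes an elevated PowerShell session on Windows; the function names are this example's own.

```powershell
# Standard device setup class GUID for keyboards.
$KeyboardClass = '{4D36E96B-E325-11CE-BFC1-08002BE10318}'
$ClassKey = "HKLM:\SYSTEM\CurrentControlSet\Control\Class\$KeyboardClass"

function Resolve-DriverImagePath([string]$Service, [string]$RawPath) {
    # ImagePath may be '\SystemRoot\...', '\??\C:\...', relative to SystemRoot,
    # or absent (then the image defaults to System32\drivers\<service>.sys).
    if (-not $RawPath) { return Join-Path $env:SystemRoot "System32\drivers\$Service.sys" }
    $p = $RawPath -replace '^\\SystemRoot\\', "$env:SystemRoot\" -replace '^\\\?\?\\', ''
    if ($p -notmatch '^[A-Za-z]:\\') { $p = Join-Path $env:SystemRoot $p }
    return $p
}

function Get-KeyboardFilterDrivers {
    # UpperFilters/LowerFilters (REG_MULTI_SZ) name the services the PnP manager
    # attaches above/below the keyboard function driver; a stock system lists
    # only kbdclass as an upper filter, so anything extra deserves a look.
    $props = Get-ItemProperty -Path $ClassKey -ErrorAction Stop
    foreach ($kind in 'UpperFilters', 'LowerFilters') {
        foreach ($svc in @($props.$kind)) {
            if (-not $svc) { continue }
            $svcKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$svc"
            $raw = (Get-ItemProperty -Path $svcKey -ErrorAction SilentlyContinue).ImagePath
            [pscustomobject]@{ Kind = $kind; Service = $svc
                               Image = Resolve-DriverImagePath $svc $raw }
        }
    }
}

function Test-DriverSignature([string]$Path) {
    # Get-AuthenticodeSignature calls WinVerifyTrust; only 'Valid' means the
    # signature chains to a trusted root (NotSigned, HashMismatch etc. do not).
    $sig = Get-AuthenticodeSignature -FilePath $Path
    [pscustomobject]@{
        Image  = $Path
        Status = $sig.Status
        Signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<none>' }
    }
}

# 1) Who sits in the keyboard stack, and is each filter image signed?
Get-KeyboardFilterDrivers | ForEach-Object {
    $r = Test-DriverSignature $_.Image
    '{0,-12} {1,-16} {2,-12} {3}' -f $_.Kind, $_.Service, $r.Status, $r.Signer
}
# 2) Running kernel drivers whose image does not carry a valid signature.
Get-CimInstance Win32_SystemDriver |
    Where-Object { $_.State -eq 'Running' -and $_.PathName } |
    ForEach-Object { Test-DriverSignature (Resolve-DriverImagePath $_.Name $_.PathName) } |
    Where-Object Status -ne 'Valid'
```

Catalog-signed inbox drivers report Valid with a Microsoft signer; a filter listed in UpperFilters that you did not install, or any running driver that is not Valid, is the thing to investigate.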
-
On the second question I forgot to mention that the application I want to communicate with is not created by me. So it's impossible for me to modify it. I'm searching for a solution involving the modification of the driver only...