Thank you very much for sharing your knowledge. I know you have a course about this on trainsec, but if possible please create a video teaching the basics of WDF.
@zodiacon
3 months ago
WDF is a big topic, not suitable for a video.
@_zproxy
7 months ago
Nice. Is the example on GitHub?
@zodiacon
7 months ago
It is now :)
@Alchemytweaks
7 months ago
Sir Pavel, I would like to ask what might be a silly question, and it's out of the context of this video ... How can I verify whether something exists or not, for example a DWORD that I added in a specific registry path that affects a certain mechanism? Secondly, is there a possibility that, by default, it doesn't exist internally in the Windows kernel in some part of the code, but changes once the respective DWORD is added? (I'm new to this part, so I apologise for any misleading.)
@zodiacon
7 months ago
I'm not sure I understand your question, especially the second part. You can use Windows APIs like RegOpenKeyEx and RegQueryValue to find out if a key/value exists. If something changes in the Registry, you can get notifications in user mode and kernel mode. In kernel mode they are much more powerful.
@Alchemytweaks
7 months ago
Excuse me, I'll rephrase it. Let's take, for example, a registry path like "Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\PriorityControl", which has some keys at this location that exist by default. However, I find some keys that are not present by default in this location. My question is how to verify if these new keys I added are indeed valid and potentially "active", or if they are as if they don't exist. I am asking this because friends send me various keys, and when I go through the process of recording the "before and after" using xperf, comparing the execution time in DPC/ISR before and after, focusing on the driver that will be affected by the changes, I observe some differences between the before and after. I'm not sure if I am being clear, but I hope I've clarified it now. @zodiacon
@zodiacon
7 months ago
I think I understand. There is no sure way to tell. You will have to reverse the kernel code to see if some keys/values are used. But you can use the strings.exe tool from Sysinternals or some PE viewer that can show strings within the PE. You may find various key and value names, and those are most likely used by the kernel (if they exist).
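The two checks suggested in this subthread, scripted: first whether the value really exists under the key (with the exact name and the expected REG_DWORD type), then whether its name appears as a UTF-16 or ASCII string inside a PE image, which is the strings.exe idea done in PowerShell. This is an added example, not code from the video or from anyone in the thread; the PriorityControl key path and the Win32PrioritySeparation value name at the bottom are assumptions chosen for illustration, and any other key/value name can be substituted.

```powershell
# Added example (not from the video or the thread): does the value exist, and does its
# name show up as a string in a PE image? Key path and value name below are assumptions.

function Test-RegistryValue {
    param(
        [Parameter(Mandatory)] [string] $Path,   # PowerShell registry path, e.g. 'HKLM:\SYSTEM\...'
        [Parameter(Mandatory)] [string] $Name    # value name as the reader of the key spells it
    )
    $key = Get-Item -LiteralPath $Path -ErrorAction SilentlyContinue
    if (-not $key) { return [pscustomobject]@{ Exists = $false; Kind = $null; Value = $null } }
    # Value names are case-insensitive in the registry, and -eq is case-insensitive in PowerShell,
    # so this matches the way the kernel would look the name up. A misspelled name is the usual
    # reason a "tweak" does nothing.
    $present = $key.GetValueNames() | Where-Object { $_ -eq $Name }
    if (-not $present) { return [pscustomobject]@{ Exists = $false; Kind = $null; Value = $null } }
    [pscustomobject]@{
        Exists = $true
        Kind   = $key.GetValueKind($Name)   # DWord expected; a REG_SZ "0" is not the same thing to the reader
        Value  = $key.GetValue($Name)
    }
}

function Find-NameInImage {
    param(
        [Parameter(Mandatory)] [string] $ImagePath,
        [Parameter(Mandatory)] [string] $Name
    )
    $bytes = [System.IO.File]::ReadAllBytes($ImagePath)
    $hits = @()
    # Kernel-mode code keeps registry names as UNICODE_STRINGs, so search UTF-16LE at both
    # byte alignments (a string may start at an odd file offset), then ASCII as a fallback.
    foreach ($offset in 0, 1) {
        $text = [System.Text.Encoding]::Unicode.GetString($bytes, $offset, $bytes.Length - $offset)
        $i = $text.IndexOf($Name, [System.StringComparison]::OrdinalIgnoreCase)
        if ($i -ge 0) { $hits += ('UTF-16LE at file offset 0x{0:X}' -f ($offset + 2 * $i)) }
    }
    $text = [System.Text.Encoding]::ASCII.GetString($bytes)
    $i = $text.IndexOf($Name, [System.StringComparison]::OrdinalIgnoreCase)
    if ($i -ge 0) { $hits += ('ASCII at file offset 0x{0:X}' -f $i) }
    if ($hits.Count -eq 0) { 'not found in image' } else { $hits }
}

# Usage; key path and value name are illustrative assumptions, substitute the one you were sent.
$keyPath   = 'HKLM:\SYSTEM\CurrentControlSet\Control\PriorityControl'
$valueName = 'Win32PrioritySeparation'
Test-RegistryValue -Path $keyPath -Name $valueName | Format-List
Find-NameInImage -ImagePath "$env:SystemRoot\System32\ntoskrnl.exe" -Name $valueName
```

The image search reports only the first hit per encoding, and, as the reply above says, a hit is evidence that the name is probably read, not proof; a miss only means ntoskrnl.exe does not contain it, and the consumer may be a different driver or DLL, so run Find-NameInImage against the driver you are actually timing with xperf as well.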
@Alchemytweaks
7 months ago
Thank you very much for your time! @zodiacon
@Alchemytweaks
7 months ago
I would like to ask one last thing: if a certain "parameterization" or registry key does not officially exist in any Microsoft documentation, is it likely that it does not exist? @zodiacon
@amerafa1
7 months ago
Hello, can anyone please give a hint on what I'm doing wrong? I'm trying to open a handle to the keyboard device, check if Caps Lock is on and, if it is, turn it off. Everything is working correctly except the DeviceIoControl call to turn Caps Lock off.

    #include <windows.h>
    #include <ntddkbd.h>   // KEYBOARD_INDICATOR_PARAMETERS, IOCTL_KEYBOARD_* and KEYBOARD_CAPS_LOCK_ON
    #include <stdio.h>

    int main() {
        // Open the first keyboard class device for writing, no sharing
        HANDLE hDevice = CreateFile(LR"(\\.\GlobalRoot\Device\KeyboardClass0)", GENERIC_WRITE, 0, nullptr, OPEN_EXISTING, 0, nullptr);
        if (hDevice == INVALID_HANDLE_VALUE) {
            printf("Error opening handle to file\n");
            return 1;
        }

        KEYBOARD_INDICATOR_PARAMETERS inputBuffer;
        KEYBOARD_INDICATOR_PARAMETERS outputBuffer;
        ULONG DataLength = sizeof(KEYBOARD_INDICATOR_PARAMETERS);
        ULONG ReturnedLength;
        inputBuffer.UnitId = 0;
        outputBuffer.UnitId = 0;

        // Ask the device for the current LED state
        if (!DeviceIoControl(hDevice, IOCTL_KEYBOARD_QUERY_INDICATORS, &inputBuffer, sizeof(inputBuffer), &outputBuffer, sizeof(outputBuffer), &ReturnedLength, nullptr)) {
            printf("Error sending IOCTL\n");
            CloseHandle(hDevice);
            return 1;
        }

        if (outputBuffer.LedFlags & KEYBOARD_CAPS_LOCK_ON) {
            printf("Caps Lock is ON\n");
            // Turn off Caps Lock (this is the call that fails)
            inputBuffer.LedFlags = 0x0;
            if (!DeviceIoControl(hDevice, IOCTL_KEYBOARD_SET_INDICATORS, &inputBuffer, sizeof(inputBuffer), nullptr, 0, &ReturnedLength, nullptr)) {
                printf("Error setting caps lock\n");
                CloseHandle(hDevice);
                return 1;
            }
        }

        getchar();
        CloseHandle(hDevice);
        return 0;
    }

Another doubt is that I'm able to open this handle with GENERIC_WRITE permission, but with GENERIC_READ it doesn't work. Is this a security policy to avoid getting the pressed keys from user land? Where can I find information about device object permissions?
@zodiacon
7 months ago
Make sure you're connecting to the correct device. KeyboardClass0 might not be the right one, if you have a laptop keyboard and an external keyboard, for example. In some cases you won't be able to open a handle to the device (sharing violation). Also make sure UnitId is the correct index.
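A diagnostic for the three points in this reply (which KeyboardClassN devices exist, whether the open fails with a sharing violation, and which UnitId and LED flags each device reports), as an added PowerShell example that is neither the commenter's program nor code from the video. It performs the same open as the C++ snippet above (GENERIC_WRITE, no sharing) against KeyboardClass0 through KeyboardClass9, only queries the indicators and never sets them, and the IOCTL value is computed from the CTL_CODE inputs in ntddkbd.h (FILE_DEVICE_KEYBOARD 0x0B, function 0x0010, METHOD_BUFFERED, FILE_ANY_ACCESS). The class name KbdProbe and the function name are my own.

```powershell
# Added example: probe \Device\KeyboardClass0..9 and report, per device, whether the open
# succeeded, the Win32 error if not, and the LED state from IOCTL_KEYBOARD_QUERY_INDICATORS.
if (-not ('KbdProbe' -as [type])) {
Add-Type -TypeDefinition @"
using System;
using System.Runtime.InteropServices;
public static class KbdProbe
{
    [StructLayout(LayoutKind.Sequential)]
    public struct KEYBOARD_INDICATOR_PARAMETERS { public ushort UnitId; public ushort LedFlags; }

    public const uint GENERIC_WRITE = 0x40000000;
    public const uint OPEN_EXISTING = 3;
    // CTL_CODE(FILE_DEVICE_KEYBOARD 0x0B, 0x0010, METHOD_BUFFERED 0, FILE_ANY_ACCESS 0) = 0x000B0040
    public const uint IOCTL_KEYBOARD_QUERY_INDICATORS = 0x000B0040;

    [DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
    public static extern IntPtr CreateFileW(string name, uint access, uint share, IntPtr sa,
                                            uint disposition, uint flags, IntPtr template);

    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern bool DeviceIoControl(IntPtr h, uint code,
        ref KEYBOARD_INDICATOR_PARAMETERS inBuf, int inSize,
        ref KEYBOARD_INDICATOR_PARAMETERS outBuf, int outSize,
        out int returned, IntPtr overlapped);

    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern bool CloseHandle(IntPtr h);
}
"@
}

# The Win32 errors that answer the question "is this the wrong device, or is it just busy?"
$ErrorNames = @{ 2 = 'ERROR_FILE_NOT_FOUND (no such device)'; 5 = 'ERROR_ACCESS_DENIED'; 32 = 'ERROR_SHARING_VIOLATION (already held open)' }

function Test-KeyboardDevice {
    param([int] $Index)
    $path = "\\.\GlobalRoot\Device\KeyboardClass$Index"
    $h = [KbdProbe]::CreateFileW($path, [KbdProbe]::GENERIC_WRITE, 0, [IntPtr]::Zero,
                                 [KbdProbe]::OPEN_EXISTING, 0, [IntPtr]::Zero)
    if ($h.ToInt64() -eq -1) {   # INVALID_HANDLE_VALUE
        $err = [System.Runtime.InteropServices.Marshal]::GetLastWin32Error()
        $why = if ($ErrorNames.ContainsKey($err)) { $ErrorNames[$err] } else { "Win32 error $err" }
        return [pscustomobject]@{ Device = $path; Opened = $false; Result = $why; UnitId = $null; LedFlags = $null }
    }
    try {
        $in  = New-Object -TypeName 'KbdProbe+KEYBOARD_INDICATOR_PARAMETERS'
        $out = New-Object -TypeName 'KbdProbe+KEYBOARD_INDICATOR_PARAMETERS'
        $in.UnitId = 0          # the unit the query is addressed to; compare with what comes back
        $returned = 0
        $ok = [KbdProbe]::DeviceIoControl($h, [KbdProbe]::IOCTL_KEYBOARD_QUERY_INDICATORS,
                                          [ref] $in, 4, [ref] $out, 4, [ref] $returned, [IntPtr]::Zero)
        if (-not $ok) {
            $err = [System.Runtime.InteropServices.Marshal]::GetLastWin32Error()
            return [pscustomobject]@{ Device = $path; Opened = $true; Result = "query failed, Win32 error $err"; UnitId = $null; LedFlags = $null }
        }
        # LedFlags bits (ntddkbd.h): 1 = Scroll Lock, 2 = Num Lock, 4 = Caps Lock
        $caps = if ($out.LedFlags -band 4) { 'Caps Lock ON' } else { 'Caps Lock off' }
        [pscustomobject]@{ Device = $path; Opened = $true; Result = $caps; UnitId = $out.UnitId; LedFlags = ('0x{0:X4}' -f $out.LedFlags) }
    } finally {
        [void][KbdProbe]::CloseHandle($h)
    }
}

0..9 | ForEach-Object { Test-KeyboardDevice -Index $_ } | Format-Table -AutoSize
```

Read the table this way: ERROR_FILE_NOT_FOUND means that KeyboardClassN does not exist, ERROR_SHARING_VIOLATION is the case the reply mentions (another handle is already open, so no user-mode open with share mode 0 will succeed), and a row that opens but reports LedFlags 0 for every device is a sign the keyboard you are typing on is a different N than the one you hard-coded. The UnitId column is what the device itself returned, which is the value to put in the set call.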
Comments: 17