user997112

Reputation: 30615

C++ Possible to access kernel-mode registry key accesses?

When I used C#, I was only able to access user-mode registry accesses.

Is it very difficult to access kernel-mode registry accesses using C++?

I recall reading somewhere that I may have to create a dummy Windows driver or something?

EDIT: Basically, as a hobby project, I wish to create a simple registry monitor. However, I do want to catch kernel-mode (as well as user-mode) registry accesses. Last time I did this, using C#, I could not access the kernel-mode activity.

Upvotes: 0

Views: 2135

Answers (1)

user257111

There are two ways to achieve this:

  • Hook the relevant functions in the kernel - the traditional way - which requires a C kernel driver. This is possible on x86 Windows, but on x64 Kernel Patch Protection will detect these modifications and shut down the system (with a blue screen).
  • Build a registry filter driver - this is the now-encouraged way to attack this problem and is the way Process Monitor works. You can also build file system filter drivers this way. Essentially, you simply need to pass the information back to userland, which boils down to:

    IoRegisterDevice(...somewhere in \Devices\YourDriverName...)
    IoCreateSymbolicLink(\\DosDevices\Name -> \Devices\YourDriverName)
    

    then a C, C++ or C# application should be able to open the file \\.\YourDriverName, call DeviceIoControl on it and receive responses.

It is possible to use C++ to write kernel drivers, but see this before you embark on doing so. To be clearer, you need to be really careful about memory in kernel mode (paged, nonpaged) and you're not going to have access to much of the standard library.

As an aside, you should be aware that:

  • Not all registry hives are accessible to kernel mode drivers, depending on context.
  • The paths are not common. So the kernel accesses \Registry\System whereas userland accesses HKLM.

Upvotes: 3
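The user-mode half of that handoff, as an added example that is not from the answer or from any real driver: it walks a constructed stand-in for a DeviceIoControl output buffer using a hypothetical record layout (assumed here), checks every length field against the bytes actually received before trusting it, and maps the kernel hive prefix to the HKLM/HKU names the aside above refers to.

```c
#include <stdint.h>
#include <string.h>
/* Hypothetical record the filter driver copies into the DeviceIoControl output
 * buffer (layout assumed for this example, not from the post): size = total
 * bytes of header + path; operation = constructed code (1 open, 2 set value);
 * pid = issuing process; then path_len bytes of kernel path, no terminator. */
typedef struct { uint32_t size, operation, pid, path_len; } reg_event_hdr;
typedef struct { uint32_t operation, pid; char path[256]; } reg_event;

/* Walk the buffer the driver returned. Every length is checked against the
 * bytes actually received, so a short read or a corrupt record ends the walk
 * instead of letting the monitor read past the end of the buffer. */
static int parse_events(const uint8_t *buf, size_t len, reg_event *out, int max) {
    int n = 0; size_t off = 0;
    while (n < max && off + sizeof(reg_event_hdr) <= len) {
        reg_event_hdr h;
        memcpy(&h, buf + off, sizeof h);
        if (h.size < sizeof h || h.size > len - off || h.path_len > h.size - sizeof h)
            break;                              /* corrupt or truncated record */
        size_t pl = h.path_len < sizeof out->path - 1 ? h.path_len : sizeof out->path - 1;
        memcpy(out[n].path, buf + off + sizeof h, pl);
        out[n].path[pl] = '\0';
        out[n].operation = h.operation; out[n].pid = h.pid;
        n++;
        off += h.size;
    }
    return n;
}

/* Kernel paths name the hive \REGISTRY\MACHINE where user mode says HKLM. */
static const char *hive_prefix(const char *kpath) {
    return strncmp(kpath, "\\REGISTRY\\MACHINE\\", 18) == 0 ? "HKLM" :
           strncmp(kpath, "\\REGISTRY\\USER\\", 15) == 0 ? "HKU" : "?";
}

/* Constructed stand-in for one DeviceIoControl result: two good records,
 * then a header whose size claims more bytes than were received. */
static uint8_t sample_buf[256];
static size_t build_sample(void) {
    const char *paths[] = { "\\REGISTRY\\MACHINE\\SOFTWARE\\Example",
                            "\\REGISTRY\\USER\\S-1-5-21-0-0-0-1001\\Console" };
    size_t off = 0;
    for (uint32_t i = 0; i < 2; i++) {
        uint32_t pl = (uint32_t)strlen(paths[i]);
        reg_event_hdr h = { (uint32_t)sizeof(reg_event_hdr) + pl, i + 1, 1234 + i, pl };
        memcpy(sample_buf + off, &h, sizeof h);
        memcpy(sample_buf + off + sizeof h, paths[i], pl);
        off += h.size;
    }
    reg_event_hdr bad = { 4000, 1, 1, 3980 };
    memcpy(sample_buf + off, &bad, sizeof bad);
    return off + sizeof bad;
}
```

On a real driver the buffer would come from the `DeviceIoControl` call the answer describes; everything after that call is the same parsing and validation.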
