
I am trying to build a very simple driver. Its sole purpose will be to register "PsSetCreateProcessNotifyRoutine" and, on callbacks received from the kernel, notify my Win32 application about which processes are started and stopped.

I only know how to build such a simple driver with "DriverEntry" and "DriverUnload" and compile it with the DDK. But I don't know how to actually implement the communication. I know it can be done with IOCTL. But beyond that I am in the dark. I cannot find a simple example of how to do that in Delphi. I only know it can be done.

So what I am looking for is some simple and understandable tutorial on how to do it or, even better, an example Delphi program with accompanying driver code. Maybe there are even other ways of communication.

Any help would be appreciated.

Runner
  • Runner, check this question http://stackoverflow.com/questions/3489501/how-to-recognize-that-an-application-intends-to-execute-run-a-file/3489779#3489779: WMI has the `ExecNotificationQuery` event, which in conjunction with the `Win32_Process` class can detect when a process starts or is stopped. – RRUZ Nov 29 '10 at 16:55
  • Thanks for the info. I generally do not like WMI, but in this case it is worth a look. A driver is really a quite drastic choice here, even if very effective. – Runner Nov 29 '10 at 20:35
  • @RRUZ, your comment was very good, but I accepted the answer from himself, which was also good and was the answer to the actual question. – Runner Dec 02 '10 at 17:16

1 Answer

It doesn't matter whether it is in Delphi or not. You have to use the function DeviceIoControl. Read the article on MSDN about it.

In short, you'll have to choose some IOCTL codes from the available set. Then you call DeviceIoControl with one of these codes and pass some data, and in the driver you handle that request and return something else.

You can also handle standard IOCTLs, such as the ones generated by calling ReadFile or WriteFile in user mode.

Don't look for a "tutorial on how to do that in Delphi", just look for any tutorial. They're all the same, no matter the language; it's pure Win32/native API stuff. Here's one, for example, just googled it out.

himself
  • Thanks, will have a look. I said Delphi example because often you have to define constants, function prototypes etc. or look for definitions already made. I would not like to go through that if I don't have to. I don't look for shortcuts, just the knowledge of someone that already did that. – Runner Nov 29 '10 at 16:52
  • Translations of almost all API headers are available at JEDI (http://delphi-jedi.org/). But I think you don't need much from user mode; it's just DeviceIoControl and standard Win32 functions (CreateFile etc.), all defined in Windows.pas. – himself Nov 29 '10 at 17:02
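The user-mode half of the exchange described in the answer, as an added example that is not part of the original question or answer: a Delphi console program opens the driver's device with CreateFile and polls it with DeviceIoControl for process start/stop notifications. The device name `\\.\ProcNotify`, the IOCTL function number `$800` and the `TProcEvent` record layout are assumptions; a real driver must create that symbolic link, handle that code in its IRP_MJ_DEVICE_CONTROL dispatch and fill the same record.

```delphi
program ProcNotifyClient;
{$APPTYPE CONSOLE}
uses
  Windows, SysUtils;

const
  // Assumed names: the driver must create this symbolic link and handle
  // this IOCTL code. Both are hypothetical, not taken from a real driver.
  DEVICE_NAME = '\\.\ProcNotify';
  FILE_DEVICE_UNKNOWN = $22;
  METHOD_BUFFERED = 0;
  FILE_ANY_ACCESS = 0;

type
  // Assumed layout shared with the driver; it must match byte for byte.
  TProcEvent = packed record
    ProcessId: DWORD;
    ParentId: DWORD;
    Created: BOOL;   // True = process started, False = process exited
  end;

// Delphi has no CTL_CODE macro; this mirrors the winioctl.h definition.
function CTL_CODE(DeviceType, Func, Method, Access: DWORD): DWORD;
begin
  Result := (DeviceType shl 16) or (Access shl 14) or (Func shl 2) or Method;
end;

var
  hDev: THandle;
  Ev: TProcEvent;
  Returned: DWORD;
  IOCTL_GET_EVENT: DWORD;
begin
  IOCTL_GET_EVENT := CTL_CODE(FILE_DEVICE_UNKNOWN, $800, METHOD_BUFFERED, FILE_ANY_ACCESS);
  hDev := CreateFile(DEVICE_NAME, GENERIC_READ or GENERIC_WRITE, 0, nil,
                     OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, 0);
  if hDev = INVALID_HANDLE_VALUE then
    raise Exception.Create('CreateFile failed: ' + SysErrorMessage(GetLastError));
  try
    // Each call asks the driver for the next queued notification; the driver
    // is assumed to pend the IRP until its process-notify callback queues one.
    while DeviceIoControl(hDev, IOCTL_GET_EVENT, nil, 0, @Ev, SizeOf(Ev), Returned, nil) do
      if Returned = SizeOf(Ev) then   // reject short or malformed replies
        if Ev.Created then
          Writeln(Format('started PID %d (parent %d)', [Ev.ProcessId, Ev.ParentId]))
        else
          Writeln(Format('exited  PID %d', [Ev.ProcessId]));
    Writeln('DeviceIoControl failed: ', SysErrorMessage(GetLastError));
  finally
    CloseHandle(hDev);
  end;
end.
```

Only the `Returned = SizeOf(Ev)` check protects the application from a driver reply of the wrong size, so keep it when adapting the record layout.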