0

I want to create a kernel level of process for windows (Ring 0) but i don't know where to start from. I want to know which SDK is required and any tutorial showing its implementation would be helpful.

Raj
  • 3,890
  • 7
  • 52
  • 80
  • 2
    Why? What kind of program are you planning to write that you think requires kernel privileges? If your program crashes or otherwise does something wrong it will take down the entire system. That doesn't bode well for usability at all. – In silico Feb 07 '11 at 13:19
  • What do you need kernel level access for? There's probably a safer way of achieving what you're after.. – Jon Cage Feb 07 '11 at 13:21
  • I agree with both those comments. Kernel is for drivers only. Use a user-level Windows service for things that you want to appear to be OS services. – kenny Feb 07 '11 at 13:28
  • i need to write user activity moniter app & this process shouldn't be killed any level of user. Basically it should not be visible in task manager or services. I read some where that only kernel mode process can help me doing so. If i am wrong then correct me plz. – Raj Feb 07 '11 at 13:29
  • 6
    @RAJ K: Please, please, **please do not create processes that do not show up in the Task Manager**. It doesn't have to be killable by non-admin users, but it should at least show up so I *know* it's there! And it should be *controllable by administrators*, because that's *the administrator's job.* That's what it means to be *an administrator.* Just make your activity monitor run as an unkillable process under nonadmin user accounts, then use an admin account to control the monitor and review activity logs and such. – In silico Feb 07 '11 at 13:34
  • for more info about this question, see his other question: http://stackoverflow.com/questions/4918329/how-to-create-a-process-which-is-not-visible-in-task-manager-or-services-list – tenfour Feb 07 '11 at 14:01
  • 1
    Why should we help you write your malware? – David Heffernan Feb 07 '11 at 14:02
  • If you need kernel mode, write a driver. Simple as that. Nothing else actually needs to run in kernel mode, and coincidentally, there's no easy way to implement that "feature". Since it sounds like you're actually trying to write malware, I'm voting to close as "too localized". – Cody Gray - on strike Feb 07 '11 at 14:19
  • **@Cody Gray & David :**its not a malware, its client requirement. they wants it to be visible. one more thing i am not going to monitor there keyboard or clipboard. Due to NDS I can not tell the exact implementation – Raj Feb 08 '11 at 04:49
  • 1
    @RAJ: **Tell the client that what they want is impossible.** That's not a lie. You *cannot* create "kernel-mode processes", and their application doesn't qualify as a driver. You can't hide it from the Task Manager. The best you can do is hide it from the taskbar at the bottom of the screen. That should be good enough. If it's doing something *useful* for the user, they'll keep it open. Otherwise, if they go through the trouble of hunting it down in Task Manager and closing it, well they damn well want it closed and there's no way to stop them. There are tons of ways to kill processes. – Cody Gray - on strike Feb 08 '11 at 10:43

3 Answers3

6

The SDK is the Windows Driver Kit and documentation here. As a correction to your question, at kernel mode you can't use processes, since kernel-mode drivers run as part of the operating system's executive. You can create kernel threads though.

Shinnok
  • 6,279
  • 6
  • 31
  • 44
2

You are asking this in conjunction with how to create a process which is not visible in task manager or services list

Creating a kernel mode solution is going to be so much overhead to do what you want that it is really not the solution. Creating a driver as a substitute for a typical user mode desktop application is not as straight-forward as it sounds.

You should either:

  1. Use Windows security to restrict users
  2. Write your app as a service (this is still even not a good solution imo because admins can stop it and it sees 'activity' at a different level than a desktop app)
  3. Do some basic trick to prevent closing, such as two sentinel processes that watch each other and keep each other alive.
Community
  • 1
  • 1
tenfour
  • 36,141
  • 15
  • 83
  • 142
0

You can create system threads as pointed by Shinnok. Windows does not have facilities for what you are trying to do.

Satya
  • 31
  • 1