# Kernel Callback
## Introduction
The kernel's callback mechanism provides a general way for drivers to request and receive notification when certain conditions are satisfied. Kernel callbacks allow drivers to be notified of specific events: a driver registers a callback in its code for any supported action and then receives a pre- or post-notification when the targeted action is performed. Because callbacks are an official extension point, they do not modify the Windows kernel itself, unlike inline kernel hooking, so they do not trigger Kernel Patch Protection (KPP, PatchGuard) and the BSOD that a detected patch would cause.
A driver registers for an event through kernel APIs such as PsSetLoadImageNotifyRoutine. This specific API notifies the driver whenever an image, such as a DLL or an EXE, is loaded into a process.
In the following example, the function ObRegisterCallbacks is used to define two callbacks (PreOperationCallback and PostOperationCallback) to stop the creation of the notepad.exe process. EDRs usually do not use this method for that purpose, but it is a good example of how kernel callbacks can be used.
## Callback message examples
For example, the following code loads a single DLL into the calling process:

```c
#include <windows.h>
#include <stdio.h>

int main(void)
{
    /* Map winhttp.dll into this process; the kernel raises an image-load
     * notification for the mapping, which registered callbacks observe. */
    HMODULE hModule = LoadLibraryA("winhttp.dll");
    if (hModule == NULL) {
        printf("LoadLibraryA failed: %lu\n", GetLastError());
        return 1;
    }
    printf("WinHTTP: 0x%p\n", hModule);
    FreeLibrary(hModule);
    return 0;
}
```
An event is generated by the kernel and caught through PsSetLoadImageNotifyRoutine; Sysmon reports it as an ImageLoad event:

```
Image loaded:
RuleName: -
UtcTime: 2022-04-29 18:50:10.780
ProcessGuid: {3ebcda8b-3362-626c-a200-000000004f00}
ProcessId: 6716
Image: C:\Users\admin\Desktop\main.exe
ImageLoaded: C:\Windows\System32\winhttp.dll
FileVersion: 10.0.19041.1620 (WinBuild.160101.0800)
Description: Windows HTTP Services
Product: Microsoft® Windows® Operating System
Company: Microsoft Corporation
OriginalFileName: winhttp.dll
Hashes: SHA1=4F2A9BB575D38DBDC8DBB25A82BDF1AC0C41E78C,MD5=FB2B6347C25118C3AE19E9903C85B451,SHA256=989B2DFD70526098366AB722865C71643181F9DCB8E7954DA643AA4A84F3EBF0,IMPHASH=0597CE736881E784CC576C58367E6FEA
Signed: true
Signature: Microsoft Windows
SignatureStatus: Valid
User: PUNCTURE\admin
```
## Sysmon

Sysmon is a tool from the Sysinternals Suite that collects several event types generated by the kernel. Sysmon creates a service and installs the SysmonDrv driver, which registers the kernel callbacks that produce these events.

A configuration file is needed during the Sysmon installation:
```xml
<Sysmon schemaversion="4.50">
  <HashAlgorithms>md5,sha256,IMPHASH</HashAlgorithms>
  <CheckRevocation/>
  <EventFiltering>
    <RuleGroup name="" groupRelation="or">
      <ImageLoad onmatch="include">
        <Image condition="end with">KernelCallbacks.exe</Image>
      </ImageLoad>
    </RuleGroup>
  </EventFiltering>
</Sysmon>
```
This configuration file only monitors ImageLoad events (the events raised when an image is mapped, for example by LoadLibrary), and only for processes whose image path ends with KernelCallbacks.exe.

The Sysmon driver can be installed with:

```
Sysmon.exe -i ${configFile}
```

And uninstalled with:

```
Sysmon.exe -u
```

The Sysmon events can be analyzed with the Windows Event Viewer under:

```
Applications and Services > Microsoft > Sysmon
```
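The ImageLoad event shown earlier and the `end with` include filter of the configuration above can be reproduced offline for triage. The following script is an added example, not part of the original page or of Sysmon: it parses the message text of ImageLoad events, applies the same suffix match on the `Image` field, and flags loaded modules that are unsigned or mapped from outside `C:\Windows`. The three sample events are constructed (the first reuses the winhttp.dll values from the page; the `helper.dll` event and its all-zero hash are placeholders).

```python
"""Parse Sysmon ImageLoad (Event ID 7) message text and triage the results.

Added example; not code from the original page or from Sysmon itself.
"""

# Constructed sample events, modelled on the event shown earlier on the page.
SAMPLE_EVENTS = [
    """Image loaded:
RuleName: -
UtcTime: 2022-04-29 18:50:10.780
ProcessId: 6716
Image: C:\\Users\\admin\\Desktop\\KernelCallbacks.exe
ImageLoaded: C:\\Windows\\System32\\winhttp.dll
Hashes: SHA256=989B2DFD70526098366AB722865C71643181F9DCB8E7954DA643AA4A84F3EBF0,IMPHASH=0597CE736881E784CC576C58367E6FEA
Signed: true
SignatureStatus: Valid""",
    # Placeholder: an unsigned module loaded from a user-writable directory.
    """Image loaded:
RuleName: -
UtcTime: 2022-04-29 18:51:02.011
ProcessId: 6716
Image: C:\\Users\\admin\\Desktop\\KernelCallbacks.exe
ImageLoaded: C:\\Users\\admin\\AppData\\Local\\Temp\\helper.dll
Hashes: SHA256=0000000000000000000000000000000000000000000000000000000000000000
Signed: false
SignatureStatus: Unavailable""",
    # A process that the include rule does not match; it must be dropped.
    """Image loaded:
RuleName: -
UtcTime: 2022-04-29 18:52:40.500
ProcessId: 4120
Image: C:\\Windows\\System32\\notepad.exe
ImageLoaded: C:\\Windows\\System32\\winhttp.dll
Signed: true
SignatureStatus: Valid""",
]


def parse_event(text):
    """Turn the 'Key: Value' lines of one event into a dict.

    The first line ('Image loaded:') is the event title and is skipped.
    The Hashes field is split into a {algorithm: digest} dict.
    """
    fields = {}
    for line in text.splitlines()[1:]:
        key, sep, value = line.partition(": ")
        if sep:
            fields[key.strip()] = value.strip()
    hashes = {}
    for item in fields.get("Hashes", "").split(","):
        algo, sep, digest = item.partition("=")
        if sep:
            hashes[algo.strip()] = digest.strip()
    fields["Hashes"] = hashes
    return fields


def image_matches(fields, suffix):
    """Sysmon's 'end with' condition: case-insensitive suffix match on Image."""
    return fields.get("Image", "").lower().endswith(suffix.lower())


def triage(events, image_suffix="KernelCallbacks.exe"):
    """Apply the include filter, then rate each matching load.

    A load is 'info' when the module is validly signed and lives under
    C:\\Windows; anything else is marked 'review' for an analyst.
    """
    findings = []
    for text in events:
        ev = parse_event(text)
        if not image_matches(ev, image_suffix):
            continue
        loaded = ev.get("ImageLoaded", "")
        signed = (ev.get("Signed", "").lower() == "true"
                  and ev.get("SignatureStatus") == "Valid")
        in_windows_dir = loaded.lower().startswith("c:\\windows\\")
        findings.append({
            "ProcessId": int(ev.get("ProcessId", "0")),
            "ImageLoaded": loaded,
            "sha256": ev["Hashes"].get("SHA256"),
            "signed": signed,
            "severity": "info" if signed and in_windows_dir else "review",
        })
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"[{f['severity']}] pid={f['ProcessId']} {f['ImageLoaded']}")
```

The filter is applied on the parent process image exactly as the configuration does, so the notepad.exe event is dropped before rating; in a real deployment the same logic would run over events exported from the Sysmon channel rather than over inline samples.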
## Windows functions

| Notification routine | Description |
|---|---|
| PsSetCreateProcessNotifyRoutine | Registers a callback that is notified when a process is created or deleted. It can be used to prevent process creation or termination. |
| PsSetCreateThreadNotifyRoutine | Registers a callback that is notified when a thread is created or deleted. It can be used to prevent thread creation or termination. |
| PsSetLoadImageNotifyRoutine | Registers a callback that is notified when an image is loaded or mapped in memory. It can be used to prevent the DLL remapping used to remove user-mode hooks. |
| ObRegisterCallbacks | Registers a list of callback routines for thread, process and desktop handle operations. It can be used to filter the access rights granted on calls to OpenProcess, OpenThread and DuplicateHandle. |
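To make the last row concrete, here is an added user-mode model of how an ObRegisterCallbacks pre-operation callback filters handle access; it is not kernel code and not an example from the page. The `ObjectManager`, `PreOperationInfo` and `open_process` names are simplified stand-ins for the kernel's object manager, `OB_PRE_OPERATION_INFORMATION` and `NtOpenProcess`; the `PROCESS_*` values are the real access-mask constants from `winnt.h`. The pre-operation callback strips the rights an EDR typically withholds from handles to its protected processes, and a post-operation callback records what was finally granted, which is the data a detection rule would consume.

```python
"""User-mode model of ObRegisterCallbacks pre/post-operation filtering.

Added illustration; not kernel code and not the page's own example.
"""

# Real PROCESS_* access rights from winnt.h.
PROCESS_TERMINATE = 0x0001
PROCESS_CREATE_THREAD = 0x0002
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_READ = 0x0010
PROCESS_VM_WRITE = 0x0020
PROCESS_QUERY_LIMITED_INFORMATION = 0x1000

# Rights withheld on handles opened to a protected process by other processes.
DENIED_RIGHTS = (PROCESS_TERMINATE | PROCESS_CREATE_THREAD
                 | PROCESS_VM_OPERATION | PROCESS_VM_READ | PROCESS_VM_WRITE)


class PreOperationInfo:
    """Simplified stand-in for OB_PRE_OPERATION_INFORMATION (hypothetical)."""

    def __init__(self, caller_pid, target_pid, desired_access):
        self.caller_pid = caller_pid
        self.target_pid = target_pid
        # Models OB_PRE_CREATE_HANDLE_INFORMATION.DesiredAccess, which a
        # pre-operation callback may reduce (but never enlarge).
        self.desired_access = desired_access


class ObjectManager:
    """Simplified stand-in for the kernel object manager (hypothetical)."""

    def __init__(self):
        self._pre_callbacks = []
        self._post_callbacks = []
        self.audit_log = []

    def register_callbacks(self, pre=None, post=None):
        """Models ObRegisterCallbacks for process handle operations."""
        if pre:
            self._pre_callbacks.append(pre)
        if post:
            self._post_callbacks.append(post)

    def open_process(self, caller_pid, target_pid, desired_access):
        """Models NtOpenProcess: run pre callbacks, grant, run post callbacks."""
        info = PreOperationInfo(caller_pid, target_pid, desired_access)
        for cb in self._pre_callbacks:
            cb(info)
        granted = info.desired_access
        for cb in self._post_callbacks:
            cb(info, granted)
        return granted


def make_protect_callback(protected_pids):
    """Pre-operation callback: strip DENIED_RIGHTS on handles to protected PIDs.

    A process opening a handle to itself keeps its full rights, as an EDR
    must not break its own service.
    """
    def pre_operation(info):
        if info.target_pid in protected_pids and info.caller_pid != info.target_pid:
            info.desired_access &= ~DENIED_RIGHTS
    return pre_operation


def make_audit_callback(log):
    """Post-operation callback: record requested versus granted access."""
    def post_operation(info, granted):
        log.append((info.caller_pid, info.target_pid, granted))
    return post_operation


def build_manager(protected_pids):
    """Wire both callbacks into a manager, the way a driver would at load."""
    om = ObjectManager()
    om.register_callbacks(pre=make_protect_callback(protected_pids),
                          post=make_audit_callback(om.audit_log))
    return om


if __name__ == "__main__":
    om = build_manager({624})  # 624: constructed PID of a protected process
    wanted = PROCESS_VM_READ | PROCESS_VM_WRITE | PROCESS_QUERY_LIMITED_INFORMATION
    print(hex(om.open_process(4000, 624, wanted)))   # 0x1000: memory rights stripped
    print(hex(om.open_process(624, 624, wanted)))    # 0x1030: self-open unchanged
```

The model keeps the two properties that matter in the real callback: the pre-operation routine can only narrow `DesiredAccess`, and the caller still receives a valid handle, so a client that asked for more than it was granted only finds out when a later call fails with access denied.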