Technical Description of the Registry Driver


Summary



This Knowledgebase article provides a technical description of the registry driver.


More Information

The Registry Driver HookRegistryDriver.sys

The code can be broken up into three parts. Two of these are registry interception methods, one of which we refer to as 'hookers' and the other as 'callbacks'. The third is a set of utility functions.

When the driver loads (the first time Heartbeat starts after the operating system boots, because the driver never unloads) it makes a run-time decision about which of the two interception methods to use: either hookers or callbacks. In either case, the driver always uses the utility functions.

The run-time decision is based on the Windows version and the optional registry VALUE (not key) HKLM\Software\Neverfail\R2\HookRegistryDriver\UseNewApi.

  • If the Windows version is before Windows 2003 then the hookers are used and the registry value is not considered.
  • If the Windows version is Windows 2003 or later (later meaning service packs) the driver will by default use the callbacks method, but will also examine the optional registry value:
    • If the registry value is present and is zero then the driver will use the hookers.
    • If the registry value is absent, or is present and is non-zero, then the driver will use the callbacks.

As a comparison, this is what we would like the driver to use:

  • Windows 2000: Use hookers.
  • Windows 2003:
    • NO SP: use hookers
    • SP1 or later: use callbacks
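The following PowerShell script is an added example, not Neverfail's code. It models the driver's run-time decision exactly as the rules above describe it, reads the live Windows version and the UseNewApi value, and reports both what the driver will select and what this article says it should select, so an administrator can spot a host where the two differ. It assumes the value path named above; that NT version 5.2 is Windows Server 2003 and anything lower counts as "before Windows 2003"; and that it is run on one of the Windows 2000/2003 hosts the article covers (on later Windows versions the output is not meaningful).

```powershell
# Added example, not Neverfail's code: model the registry driver's run-time
# choice between 'hookers' and 'callbacks' and compare it with the article's
# preferred selection for this host.
# Assumptions: value path as named in the article; NT 5.2 = Windows Server 2003,
# anything lower = "before Windows 2003"; run on a Windows 2000/2003 host.

$KeyPath   = 'HKLM:\Software\Neverfail\R2\HookRegistryDriver'
$ValueName = 'UseNewApi'

function Get-DriverMethod {
    # What the driver actually selects, per the article's decision rules.
    # $UseNewApi is $null when the registry value is absent.
    param([version]$OsVersion, $UseNewApi)
    if ($OsVersion -lt [version]'5.2') { return 'hookers' }                       # before 2003: value ignored
    if ($null -ne $UseNewApi -and [int]$UseNewApi -eq 0) { return 'hookers' }     # 2003+: present and zero
    return 'callbacks'                                                             # 2003+: absent or non-zero
}

function Get-PreferredMethod {
    # What the article says the driver should use.
    param([version]$OsVersion, [int]$ServicePackMajor)
    if ($OsVersion -lt [version]'5.2') { return 'hookers' }   # Windows 2000
    if ($ServicePackMajor -lt 1)        { return 'hookers' }   # Windows 2003 NO SP
    return 'callbacks'                                         # Windows 2003 SP1 or later
}

# Live system state.
$os        = Get-WmiObject -Class Win32_OperatingSystem
$osVersion = [version]$os.Version                  # e.g. 5.2.3790 on Windows Server 2003
$spMajor   = [int]$os.ServicePackMajorVersion

# Get-ItemProperty fails if the key or the value is missing; treat either as 'absent'.
$item      = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
$useNewApi = if ($null -ne $item) { $item.$ValueName } else { $null }

$actual    = Get-DriverMethod    -OsVersion $osVersion -UseNewApi $useNewApi
$preferred = Get-PreferredMethod -OsVersion $osVersion -ServicePackMajor $spMajor

$shown = if ($null -eq $useNewApi) { '<absent>' } else { $useNewApi }
"Windows $osVersion, SP$spMajor, ${ValueName} = $shown"
"Driver selects  : $actual"
"Article prefers : $preferred"

if ($actual -ne $preferred) {
    if ($osVersion -ge [version]'5.2' -and $spMajor -ge 1 -and $null -ne $useNewApi) {
        # The case the article describes: installed on 2003 NO SP (installer wrote
        # UseNewApi=0), later upgraded to SP1, driver still on the hookers.
        Write-Warning "Stale $ValueName value keeps the driver on the hookers; for SP1 or later the article's advice is to remove the value so the callbacks are used."
    } else {
        Write-Warning "Driver selects '$actual' but the article prefers '$preferred' on this Windows version."
    }
}
```

Run it in an elevated PowerShell session on the Heartbeat host. Because the driver never unloads, a change to the value only takes effect at the next operating system start, so the script reports the selection the driver will make on the next boot, not necessarily the one currently active.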

The hookers interception method is so called because it uses System Service Dispatch Table (SSDT) hooking techniques; in essence, it hooks certain kernel functions. We developed this method for Windows 2000.

In Windows 2003, Microsoft introduced a "new API" called "registry callbacks", and the callbacks method uses this new API.

The /3GB Option

When we ported our product to Windows 2003 we found that if the /3GB boot switch is used then the SSDT part of the kernel is "protected" and the hookers method did not work; it caused a bluescreen. Therefore, we developed the callbacks method. We then found that there was a bug in the implementation of the new API on Windows 2003, which meant that in fact the new API could not be used either; it also caused a bluescreen.

We updated the Heartbeat installer (setup) to check the service pack level and set the UseNewApi registry value to zero for Windows 2003 NO SP, but also to refuse to install on Windows 2003 NO SP if the /3GB switch was present in the boot options.

It would have been better to alter the driver itself to check the service pack level. Example of a possible issue: a customer has Windows 2003 NO SP, installs Heartbeat, and later installs SP1; the driver continues to use the hookers instead of the callbacks because the registry value UseNewApi is still present with data value zero.

During the development work for Microsoft Certification of Heartbeat [V5.0.0], one of the requirements was that our product behaves well enough when subjected to kernel low-resource simulation. The registry driver did not behave well enough in these tests; in fact it caused bluescreens. Therefore we had to change that driver, and when we made those changes a mistake was made: we introduced a kernel page pool memory leak in one code path in one of the utility functions.

The function with the leak is used in the driver whether we are using hookers or callbacks. It turns out, however, that the particular path through that function which has the leak is expected (and this is proven) to be executed where the hookers are in use, and is not expected (but this is not proven) to be executed where the callbacks are in use. This is why the central question is whether the hookers or the callbacks are in use, rather than the Windows version. We have seen that the hookers are expected to be used on Windows 2000 and Windows 2003 NO SP, and might even remain in use on Windows 2003 SP1[+].

The same code in the same utility function is also present in all versions 5.0.x and version 5.1.0 of Heartbeat.

The Patch

The patch that has been created simply removes the memory leak from the code path in the utility function for Heartbeat V5.0.3. It can be installed on all of the x86 operating system versions. It removes the leak for Windows 2000 and for Windows 2003 NO SP. If the hookers are in use on Windows 2003 SP1 or later it also removes the leak there, but in this case it is preferable to remove the UseNewApi value, which has the same effect on the leak.

The sting in the tail is that we find on Windows Server 2003 SP1[+] the hookers method seems to work (does not bluescreen) regardless of whether the /3GB boot option is used. This is due to a change in the Windows memory manager introduced in SP1. So for the x86 platform, there never was a point in developing the callbacks method.


Applies To

Neverfail Heartbeat v6.2.[n] and Earlier


Related Information

None

KBID-1168
