Monitoring windows kernel's services

Abstract EN

The kernel of Windows operating system provides high-level applications with the low-level functionality needed to perform system operations.

This functionality referred to as system services.

So, Controlling these services gives the ability to monitor and control important activities of the operating system. This research presents kernel hooking technique that is one of the most efficient and used technique to achieve system services monitoring. The aim of the research is how the operating system can be programmatically monitored and controlled on a system-wide basis by means of kernel hooking.

This technique was implemented in a device driver by accessing SSDT (System Service Descriptor Table) to gain the ability for manipulating and change number of effective kernel services for monitoring programs execution, deletion operations and processes termination in the system. The work has been run successfully on Windows XP SP2 and developed using DDK (Driver Development Kit) for device driver implementation and Visual C++ version 6.0 for application implementation. So, when the application is executed, programs execution, deletion, and processes termination operations have been controlled, and gives user the capability to permit performing these operations or canceling them.