Geoff Chappell, Software Analyst
This function registers a shim for eventual application to one or more drivers.
NTSTATUS KseRegisterShim (KSE_SHIM *Shim, PVOID Ignored, ULONG Flags);
Except for KSE_SHIM, the names and types in the preceding declaration are confected for this article, Microsoft’s being unknown.
The Shim argument is the address of a KSE_SHIM structure that mostly provides input to the function but also receives some output. As input, it describes the shim: it specifies a GUID and points to arrays of KSE_HOOK_COLLECTION structures, which in turn hold pointers to arrays of KSE_HOOK structures. On output, it receives a pointer to a table of callback routines. The structure may be further edited if the shim is ever applied to any driver.
The Ignored argument appears to be ignored.
The Flags argument seems intended to offer some configurability.
The function returns STATUS_SUCCESS if successful, else a negative error code.
The KseRegisterShim function is exported by name from the kernel in version 6.2 and higher.
The KseRegisterShim function is not documented. Nor is it declared in any header from any known Windows Driver Kit (WDK).
This function is implemented as KseRegisterShimEx with NULL as the Object argument.
That might suffice as description except that a validation by KseRegisterShimEx would—if it worked—have a non-trivial implication for KseRegisterShim. The validation is that all hook routines that are specified in the KSE_SHIM must be in the same loaded module that calls KseRegisterShimEx. For registration through KseRegisterShim, the caller of KseRegisterShimEx is the kernel itself, such that KseRegisterShim should succeed only for the kernel’s own use of it to register shims that the kernel implements internally. It remains to be seen what Microsoft has in mind.
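The validation described above, that every hook routine named in the KSE_SHIM must lie within the image of the module that calls KseRegisterShimEx, can be modelled in a few lines of C. The following is an added example for this article, not code from the kernel and not Microsoft's definitions: apart from the type names KSE_SHIM, KSE_HOOK_COLLECTION and KSE_HOOK, every structure field, the MODEL_ prefix, the module-range type and the two Demo functions are confected here, and the "image" the scenario checks against is a static buffer constructed for the purpose.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Model of the shim description. Field names and layouts are confected for
 * this example; only the type names KSE_SHIM, KSE_HOOK_COLLECTION and
 * KSE_HOOK come from the article. These are not Microsoft's definitions. */
typedef struct _MODEL_KSE_HOOK {
    const char *TargetName;     /* assumed: name of the routine the shim hooks */
    void *HookFunction;         /* assumed: the shim's replacement routine */
} MODEL_KSE_HOOK;

typedef struct _MODEL_KSE_HOOK_COLLECTION {
    MODEL_KSE_HOOK *HookArray;  /* assumed: array of hooks in this collection */
    size_t HookCount;
} MODEL_KSE_HOOK_COLLECTION;

typedef struct _MODEL_KSE_SHIM {
    uint8_t ShimGuid[16];                            /* the GUID the article mentions */
    MODEL_KSE_HOOK_COLLECTION *HookCollectionsArray; /* assumed: array of collections */
    size_t HookCollectionCount;
} MODEL_KSE_SHIM;

/* Assumed representation of the loaded module that made the registration call. */
typedef struct _MODEL_MODULE_RANGE {
    uintptr_t ImageBase;
    size_t ImageSize;
} MODEL_MODULE_RANGE;

static bool AddressInModule(const MODEL_MODULE_RANGE *m, const void *p)
{
    uintptr_t a = (uintptr_t)p;
    /* Half-open range [ImageBase, ImageBase + ImageSize). */
    return a >= m->ImageBase && a < m->ImageBase + m->ImageSize;
}

/* True only if every hook routine in every collection lies inside the caller's
 * image. A NULL hook routine fails the check rather than being skipped. */
bool ModelValidateHooksInCaller(const MODEL_KSE_SHIM *shim, const MODEL_MODULE_RANGE *caller)
{
    for (size_t i = 0; i < shim->HookCollectionCount; i++) {
        const MODEL_KSE_HOOK_COLLECTION *c = &shim->HookCollectionsArray[i];
        for (size_t j = 0; j < c->HookCount; j++) {
            const void *fn = c->HookArray[j].HookFunction;
            if (fn == NULL || !AddressInModule(caller, fn))
                return false;
        }
    }
    return true;
}

/* Constructed scenario: the caller's "image" is a static buffer, and the hook
 * pointers are chosen either inside it or (for one hook) outside it. */
static uint8_t FakeImage[4096];
static uint8_t OutsideByte;

static bool RunScenario(bool pointOneHookOutside)
{
    MODEL_KSE_HOOK hooks[2] = {
        { "ExampleRoutineA", &FakeImage[0x100] },
        { "ExampleRoutineB", pointOneHookOutside ? (void *)&OutsideByte
                                                 : (void *)&FakeImage[0x200] },
    };
    MODEL_KSE_HOOK_COLLECTION coll = { hooks, 2 };
    MODEL_KSE_SHIM shim = { {0}, &coll, 1 };
    MODEL_MODULE_RANGE caller = { (uintptr_t)FakeImage, sizeof FakeImage };
    return ModelValidateHooksInCaller(&shim, &caller);
}

/* Every hook inside the caller: the model accepts the registration. */
bool DemoAllHooksInCaller(void)     { return RunScenario(false); }
/* One hook outside the caller: the model rejects the whole registration. */
bool DemoOneHookOutsideCaller(void) { return RunScenario(true); }

int main(void)
{
    printf("all hooks inside caller: %s\n", DemoAllHooksInCaller() ? "valid" : "rejected");
    printf("one hook outside caller: %s\n", DemoOneHookOutsideCaller() ? "valid" : "rejected");
    return 0;
}
```

The point the model makes is the one the article draws out: the check is against the module that calls KseRegisterShimEx, so if KseRegisterShim forwards the call from within the kernel, the caller's range is the kernel's own image and hook routines that live in any other driver fail the check.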