I register a callback for OB_OPERATION_HANDLE_CREATE. In the pre-callback function,
I check whether the process ID is my process and it is going to be terminated, and I disable that as below:
    processId = PsGetProcessId((PEPROCESS)OperationInformation->Object);
    if ((OperationInformation->Parameters->CreateHandleInformation.OriginalDesiredAccess & PROCESS_TERMINATE) == PROCESS_TERMINATE)
        OperationInformation->Parameters->CreateHandleInformation.DesiredAccess &= ~PROCESS_TERMINATE;
If I try to kill the process from Task Manager, it is blocked, but if I use the command in a DOS prompt as below, the process is still terminated.
taskkill /pid processId
Does anyone know what else I missed?
Thanks in advance
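
Added example, not part of the original post: a user-mode C model of the pre-operation filtering the post describes, extended beyond the post to also cover the duplicate-handle operation, compare against a protected PID and exempt kernel handles. The struct types, `g_protected_pid`, `pre_operation` and `filter` are stand-ins constructed for this example, not WDK definitions; the constant values match the Windows headers.

```c
/* Added example: user-mode model of an Ob pre-operation callback.
   Types are simplified stand-ins constructed here, not the WDK definitions. */
#include <stdint.h>
#include <stdio.h>

#define PROCESS_TERMINATE             0x0001u
#define OB_OPERATION_HANDLE_CREATE    0x1u
#define OB_OPERATION_HANDLE_DUPLICATE 0x2u

typedef struct { uint32_t DesiredAccess, OriginalDesiredAccess; } ACCESS_INFO;
typedef struct {
    uint32_t    Operation;
    int         KernelHandle;   /* nonzero: handle requested from kernel mode */
    uintptr_t   TargetPid;      /* stand-in for PsGetProcessId(Object) */
    ACCESS_INFO Create;         /* models CreateHandleInformation */
    ACCESS_INFO Duplicate;      /* models DuplicateHandleInformation */
} PRE_OP_INFO;

static const uintptr_t g_protected_pid = 4242;  /* hypothetical protected PID */

/* Strip PROCESS_TERMINATE from user-mode handles to the protected process. */
void pre_operation(PRE_OP_INFO *info)
{
    ACCESS_INFO *acc;

    if (info->TargetPid != g_protected_pid || info->KernelHandle)
        return;                                /* other process, or kernel caller */
    if (info->Operation == OB_OPERATION_HANDLE_CREATE)
        acc = &info->Create;
    else if (info->Operation == OB_OPERATION_HANDLE_DUPLICATE)
        acc = &info->Duplicate;
    else
        return;
    acc->DesiredAccess &= ~PROCESS_TERMINATE;  /* every other right stays as requested */
}

/* Build one constructed request, run the filter, return the resulting mask. */
uint32_t filter(uint32_t op, uintptr_t pid, int kernel, uint32_t requested)
{
    PRE_OP_INFO info = { op, kernel, pid, { requested, requested }, { requested, requested } };
    pre_operation(&info);
    return op == OB_OPERATION_HANDLE_DUPLICATE ? info.Duplicate.DesiredAccess
                                               : info.Create.DesiredAccess;
}

int main(void)
{
    printf("create 0x%04x\n", (unsigned)filter(OB_OPERATION_HANDLE_CREATE, 4242, 0, 0x0401u));
    return 0;
}
```

This model covers only access requested through a process handle; it says nothing about a process that exits for reasons that never involve `PROCESS_TERMINATE`.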