Hi,
I register a callback for OB_OPERATION_HANDLE_CREATE. In the pre-callback function,
I check whether the process ID is my process and whether it is going to be terminated, and I disable that as below:
    processId = PsGetProcessId((PEPROCESS)OperationInformation->Object);
    if ((OperationInformation->Parameters->CreateHandleInformation.OriginalDesiredAccess & PROCESS_TERMINATE) == PROCESS_TERMINATE)
    {
        OperationInformation->Parameters->CreateHandleInformation.DesiredAccess &= ~PROCESS_TERMINATE;
    }
If I try to kill the process from the Task Manager, it is blocked, but if I use the command below at the DOS prompt, the process is still terminated.
    taskkill /pid processId
Does anyone know what else I missed?
Thanks in advance
Victor
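The filtering logic described in the post above, as an added example that is not the poster's code or the WDK sample. It goes beyond the posted snippet by also covering OB_OPERATION_HANDLE_DUPLICATE and skipping kernel handles. So that it builds outside the WDK, the types are minimal stand-ins named after the WDK fields; PRE_INFO, TargetPid and protected_pid are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>

/* Stand-ins (assumptions) mirroring WDK names so this builds in user mode. */
#define PROCESS_TERMINATE             0x0001u
#define OB_OPERATION_HANDLE_CREATE    1u
#define OB_OPERATION_HANDLE_DUPLICATE 2u

typedef struct { uint32_t DesiredAccess, OriginalDesiredAccess; } ACCESS_INFO;
typedef union {
    ACCESS_INFO CreateHandleInformation;
    ACCESS_INFO DuplicateHandleInformation;
} PRE_PARAMS;
typedef struct {
    uint32_t    Operation;
    int         KernelHandle;  /* models the KernelHandle flag */
    uintptr_t   TargetPid;     /* models PsGetProcessId(Object) */
    PRE_PARAMS *Parameters;
} PRE_INFO;

static uintptr_t protected_pid = 4242;  /* hypothetical PID to guard */

/* Returns 1 if PROCESS_TERMINATE was stripped, 0 if the request was left alone. */
int pre_operation(PRE_INFO *info)
{
    ACCESS_INFO *ai;

    if (info->KernelHandle) return 0;               /* leave kernel callers alone */
    if (info->TargetPid != protected_pid) return 0; /* not the guarded process */
    switch (info->Operation) {
    case OB_OPERATION_HANDLE_CREATE:
        ai = &info->Parameters->CreateHandleInformation; break;
    case OB_OPERATION_HANDLE_DUPLICATE:
        ai = &info->Parameters->DuplicateHandleInformation; break;
    default: return 0;
    }
    if (!(ai->OriginalDesiredAccess & PROCESS_TERMINATE)) return 0;
    ai->DesiredAccess &= ~PROCESS_TERMINATE;        /* grant everything else */
    return 1;
}

int main(void)
{
    /* Constructed request: full access to the guarded PID. */
    PRE_PARAMS p = { .CreateHandleInformation = { 0x1FFFFFu, 0x1FFFFFu } };
    PRE_INFO info = { OB_OPERATION_HANDLE_CREATE, 0, 4242, &p };
    int stripped = pre_operation(&info);
    printf("stripped=%d granted=0x%X\n", stripped, (unsigned)p.CreateHandleInformation.DesiredAccess);
    return 0;
}
```

A filter of this kind only changes requests whose OriginalDesiredAccess includes PROCESS_TERMINATE; a request without that bit passes through untouched.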
Does anyone know if there is a bug or something else?
Thanks
Victor
73_8A
No, this is not a bug. Because “taskkill” uses “PostMessage”
Thanks for your reply.
Do you have any idea how to prevent the termination using “PostMessage”?
Thanks
Victor
I am using the example “obcallback” from WDK, so it can’t prevent the process from being terminated via the command “taskkill /pid processId”?
Is there a workaround to prevent the process from being terminated?
Thanks
Victor
What you have seen could very well have been a click on the X on the top right of the icon
This is a “here we go again” post
The short answer to what you are asking is: NO.
The long answer, I’m fairly sure you’ll get from someone here.
Cheers