Windows System Software -- Consulting, Training, Development -- Unique Expertise, Guaranteed Results

Before Posting...
Please check out the Community Guidelines in the Announcements and Administration Category.

suggestion regarding Filter driver

santosh_menonsantosh_menon Member Posts: 5

iam creating a filter driver to block malware application, currently iam able to block malware application but windows is showing message like this
i don't want to show such messages, i want to do it silently plz help
this is my code

VOID
OnCreateProcessEx(PEPROCESS pEProcess,
HANDLE hProcessId,
PPS_CREATE_NOTIFY_INFO pCreateInfo)
{

if (pCreateInfo)
{
    UNICODE_STRING  usBlockingApp;

    .
    RtlInitUnicodeString(&usBlockingApp,
        L"\\??\\C:\\Windows\\System32\\calculator.exe");

    //Comparing the image of the process that has just been created
        // with the path I used above.
    if (RtlEqualUnicodeString(&usBlockingApp,
        pCreateInfo->ImageFileName,
        TRUE))
    {

        DbgPrint("[Process] Action = Blocking\n"
            "                 Process Id = 0x%x\n"
            "                 Parent Id = 0x%x\n"
            "                 Image name = %wZ\n\n",
            hProcessId,
            pCreateInfo->ParentProcessId,
            pCreateInfo->ImageFileName);

        //Changes the status of the process creation to stop.           
        pCreateInfo->CreationStatus = STATUS_ACCESS_DENIED;
    }
    else
    {

        DbgPrint("[Process ] Action = Starting\n"
            "                 Process Id = 0x%x\n"
            "                 Parent Id = 0x%x\n"
            "                 Image name = %wZ\n\n",
            hProcessId,
            pCreateInfo->ParentProcessId,
            pCreateInfo->ImageFileName);
    }
}
else
{

    DbgPrint("[Process Tracer] Action = Finishing\n"
        "                 Process Id = 0x%x\n\n",
        hProcessId);
}

}
plz help

Comments

  • MBond2MBond2 Member Posts: 29

    so you want the user to get no response whatsoever when they try to run somthing. then they try again three or five times and then start cursing.

  • santosh_menonsantosh_menon Member Posts: 5

    @MBond2 said:
    so you want the user to get no response whatsoever when they try to run somthing. then they try again three or five times and then start cursing.

    Actually i want to hide ugly windows message and show my custom message :)

  • Peter_Viscarola_(OSR)Peter_Viscarola_(OSR) Administrator Posts: 7,628

    The problem is... the error dialog that's displayed is going to be entirely dependent on the application displaying it (back in user-mode). If somebody double-clicks an app in Explorer then it's up to Explorer. If somebody launches the app some other way, well... then the failure is going to be reported back to the user in some other way.

    Think about it: An app invokes FRED.EXE -- You block access to FRED.EXE by returning some error during the open processing. The app that invokes FRED.EXE gets back an error code. It is thus entirely up to that app what to do next.

    There's not a driver solution to this issue.

    Peter

    Peter Viscarola
    OSR
    @OSRDrivers

Sign In or Register to comment.

Howdy, Stranger!

It looks like you're new here. If you want to get involved, click one of these buttons!

Upcoming OSR Seminars
Kernel Debugging 30 Mar 2020 OSR Seminar Space
Developing Minifilters 20 Apr 2020 OSR Seminar Space & ONLINE
Writing WDF Drivers 11 May 2020 OSR Seminar Space & ONLINE
Internals & Software Drivers 28 Sept 2020 Dulles, VA