As the title implies, I'm interested in protecting a Windows service on older editions of Windows like Win 7 and up to the latest. Currently I'm developing a software suite that's "anti-virus" like and I need to protect its main service. I do have knowledge and experience using services, however until now I never had the need to "protect" it.
For the sake of testing I have inspected the antivirus I am using and it seems they are using “anti-malware light” protection. Doing some research it seems that starting from Windows 8.1 there is functionality added for this purpose: https://docs.microsoft.com/en-us/windows/win32/services/protecting-anti-malware-services-
Some basic tests like trying to suspend a thread fail with "Access Denied" on Windows 10, so I went ahead and tested on Windows 7 and the same thing happens. The difference is that on Windows 7 there is no such "anti-malware" feature.
Upon digging a bit deeper I have noticed that the antivirus software is using callbacks (no surprise here), however I'm not sure if they are using this to protect their service as well; need to investigate more. https://prnt.sc/161cuv1
They are also using a mini-filter (again no surprise) which makes things more interesting: https://prnt.sc/161d0pv
My questions would be as follows:
- Is it "ok" to use callbacks to protect your service?
- If the above does not apply, are there specific rights that can be used to prevent anyone & admin from suspending your service? (which I doubt?)
- Are there other methods to "protect" your service?
My intentions are:
- Prevent the service from being suspended (and its threads)
- Prevent process memory from being patched at runtime (if possible)
Your help is greatly appreciated
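An added example, not part of the original post, for the Windows 8.1+ launch-protection feature the question links to. An administrator who wants to see which services on a host actually ask for "anti-malware light" (or any other) protection can read the per-service LaunchProtected registry value that ChangeServiceConfig2 with SERVICE_CONFIG_LAUNCH_PROTECTED writes, and cross-check it against the Service Control Manager with sc.exe qprotection. The function name Get-ServiceLaunchProtection and the output layout are my own choices; the value meanings (0 none, 1 Windows, 2 Windows light, 3 anti-malware light) come from the Microsoft documentation.

```powershell
# Added example (not the original poster's code): inventory the launch-protection
# level of every installed service on Windows 8.1 or later.
# The SCM persists the level set via ChangeServiceConfig2(SERVICE_CONFIG_LAUNCH_PROTECTED)
# as the REG_DWORD value LaunchProtected under
# HKLM\SYSTEM\CurrentControlSet\Services\<service>. On Windows 7 the value is
# simply absent, which this script reports as level 0 (none).

$levelNames = @{
    0 = 'None'              # SERVICE_LAUNCH_PROTECTED_NONE
    1 = 'Windows'           # SERVICE_LAUNCH_PROTECTED_WINDOWS
    2 = 'WindowsLight'      # SERVICE_LAUNCH_PROTECTED_WINDOWS_LIGHT
    3 = 'AntimalwareLight'  # SERVICE_LAUNCH_PROTECTED_ANTIMALWARE_LIGHT
}

function Get-ServiceLaunchProtection {
    [CmdletBinding()]
    param(
        # Wildcard filter on the service key name; default is every service.
        [string]$Name = '*'
    )
    $base = 'HKLM:\SYSTEM\CurrentControlSet\Services'
    Get-ChildItem -Path $base -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -like $Name } |
        ForEach-Object {
            $props = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
            # Keys without an ImagePath are parameter subkeys, not services/drivers.
            if ($null -eq $props.ImagePath) { return }
            $level = if ($null -ne $props.LaunchProtected) { [int]$props.LaunchProtected } else { 0 }
            [PSCustomObject]@{
                Service         = $_.PSChildName
                LaunchProtected = $level
                Level           = if ($levelNames.ContainsKey($level)) { $levelNames[$level] } else { "Unknown($level)" }
                ImagePath       = $props.ImagePath
            }
        }
}

# Report every service that requests any protection level and show what the SCM
# itself answers for it. The two sources should agree; a mismatch usually means
# the registry was edited directly and the service has not been restarted.
Get-ServiceLaunchProtection |
    Where-Object { $_.LaunchProtected -ne 0 } |
    Sort-Object Service |
    ForEach-Object {
        $scm = (& sc.exe qprotection $_.Service 2>&1) -join ' '
        '{0,-30} {1,-18} {2}' -f $_.Service, $_.Level, $scm
    }
```

Run it from an elevated PowerShell prompt so the registry hive is readable in full. Note what this inventory does and does not tell you: launch protection is a kernel-enforced boundary against processes of a lower protection level, but it is not a substitute for the service's own DACL, which still decides who may stop, pause or reconfigure the service through the SCM.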