Assuming the malware has infected the kernel, then even with that protection
there are so many things that can be done to mess up your program. For
example, the malware can corrupt the executable so it crashes, or gently
modify it so it sleeps forever.
As Tim pointed out, once a system is infected you cannot use that system to
clean itself up. Any belief that you can is a fool's errand.
Don Burn
Windows Filesystem and Driver Consulting
Website: http://www.windrvr.com
-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of
xxxxx@gmail.com
Sent: Saturday, October 18, 2014 8:06 AM
To: Windows System Software Devs Interest List
Subject: RE:[ntdev] Blocking particular process from getting terminated
Tim Roberts - That's an interesting comment, and I generally agree with you.
However, in this case, the only way I am aware of to remove the process
protection is to call ObUnregisterCallbacks(). Are you implying that a
malicious program can call ObUnregisterCallbacks() and remove my protection
from outside of my kernel module (.sys), or similar? Thanks.
NTDEV is sponsored by OSR
Visit the list at: http://www.osronline.com/showlists.cfm?list=ntdev