Since there is no such PsSetCreateProcessNotifyRoutineEx, according to
Microsoft a minifilter driver needs to be developed.
My design was to register on IRP_MJ_ACQUIRE_FOR_SECTION_SYNCHRONIZATION and
check for an executable created section in order to spot a loaded module.
On every loaded module I want to pend the IRP and insert it into a queue;
simultaneously a worker thread will poll the IRP and send the
information to a user-mode application that will allow/disallow
execution (STATUS_ACCESS_DENIED) of the module.
So I took the CancelSafe sample and changed it so that it will register on
IRP_MJ_ACQUIRE_FOR_SECTION_SYNCHRONIZATION, but I got a BSOD.
The problem seems to be in the handler of FltCbdqInsertIo - I tried to find
something that is unique to IRP_MJ_READ in order to change it and make
it compatible with the newly registered IRP.
This is my !analyze -v:
Unknown bugcheck code (0)
Unknown bugcheck description
Arguments:
Arg1: 00000000
Arg2: 00000000
Arg3: 00000000
Arg4: 00000000
Debugging Details:
*** No owner thread found for resource 80551160
*** No owner thread found for resource 80551160
*** No owner thread found for resource 80551160
*** No owner thread found for resource 80551160
*** No owner thread found for resource 80551160
DUMP_CLASS: 1
DUMP_QUALIFIER: 0
BUILD_VERSION_STRING: 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
DUMP_TYPE: 0
BUGCHECK_P1: 0
BUGCHECK_P2: 0
BUGCHECK_P3: 0
BUGCHECK_P4: 0
PROCESS_NAME: System
FAULTING_IP:
fltMgr!FltpInsertIrp+24
f84ccee4 80490301 or byte ptr [ecx+3],1
ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.
EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.
EXCEPTION_CODE_STR: c0000005
EXCEPTION_PARAMETER1: 00000001
EXCEPTION_PARAMETER2: 00000003
FOLLOWUP_IP:
KProcessMonitor!PreRead+1a5
[c:\projects\arim\kprocessmonitor\kprocessmonitor\kprocessmonitor.c @ 1570]
f89eb1b5 8945fc mov dword ptr [ebp-4],eax
BUGCHECK_STR: ACCESS_VIOLATION
WRITE_ADDRESS: Target machine operating system not supported
00000003
DEFAULT_BUCKET_ID: NULL_CLASS_PTR_DEREFERENCE
CPU_COUNT: 1
CPU_MHZ: af7
CPU_VENDOR: GenuineIntel
CPU_FAMILY: 6
CPU_MODEL: 5e
CPU_STEPPING: 3
CPU_MICROCODE: 6,5e,3,0 (F,M,S,R) SIG: 49'00000000 (cache) 49'00000000 (init)
ANALYSIS_SESSION_TIME: 12-25-2017 08:34:56.0625
ANALYSIS_VERSION: 10.0.16299.91 x86fre
LOCK_ADDRESS: 805511e0 -- (!locks 805511e0)
Resource @ nt!IopDeviceTreeLock (0x805511e0) Shared 1 owning threads
Threads: 823c63c8-01<*>
1 total locks
PNP_TRIAGE:
Lock address : 0x805511e0
Thread Count : 1
Thread address: 0x823c63c8
Thread wait : 0x8b5b
LAST_CONTROL_TRANSFER: from f84cd85b to f84ccee4
STACK_TEXT:
f8af5188 f84cd85b 820dc6d4 f8af52d8 00000000 fltMgr!FltpInsertIrp+0x24
f8af51ac f84ccfca 820dc6d4 f8af5200 81f9e718 fltMgr!FltpIoCsqInsertIrpEx+0x49
f8af51cc f89eb1b5 820dc6d4 822d32fc 81f9e718 fltMgr!FltCbdqInsertIo+0x2c
BTW, nothing to do with this problem, but there are a number of BSODs around
FltStartFiltering(Globals.FilterHandle);
and FltUnregisterFilter(Globals.FilterHandle);
it's always PAGE_FAULT_IN_NONPAGED_AREA (50)
Invalid system memory was referenced. This cannot be protected by
try-except.
Typically the address is just plain bad or it is pointing at freed memory.
Arguments:
Arg1: e1e13470, memory referenced.
Arg2: 00000000, value 0 = read operation, 1 = write operation.
Arg3: f84d6d9d, If non-zero, the instruction address which referenced the bad memory address.
Arg4: 00000001, (reserved)
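As an added example (not the poster's code and not from the CancelSafe sample), here is a WDK-free C model of the pre-operation decision for the design described in the post: it tests whether a section is executable from the documented PAGE_* bits and encodes the documented rule that FLT_PREOP_PENDING and FltCbdqInsertIo are valid only for IRP-based operations, so a fast-I/O or FSFilter-style callback must be answered inline rather than queued. The struct and function names are assumptions standing in for the minifilter's callback data; the constant values are the documented ones.

```c
/* Added example: models the pre-op decision for
 * IRP_MJ_ACQUIRE_FOR_SECTION_SYNCHRONIZATION without the WDK. The struct
 * stands in for Data->Iopb->Parameters.AcquireForSectionSynchronization plus
 * the result of the FLT_IS_IRP_OPERATION(Data) macro (assumed field names). */
#include <stdbool.h>
#include <stdint.h>

/* Documented Win32 page-protection values carried in PageProtection. */
#define PAGE_EXECUTE            0x10u
#define PAGE_EXECUTE_READ       0x20u
#define PAGE_EXECUTE_READWRITE  0x40u
#define PAGE_EXECUTE_WRITECOPY  0x80u
#define PAGE_EXECUTE_ANY (PAGE_EXECUTE | PAGE_EXECUTE_READ | \
                          PAGE_EXECUTE_READWRITE | PAGE_EXECUTE_WRITECOPY)

#define STATUS_SUCCESS        0x00000000u
#define STATUS_ACCESS_DENIED  0xC0000022u

/* FS_FILTER_SECTION_SYNC_TYPE as declared in ntifs.h */
typedef enum { SyncTypeOther = 0, SyncTypeCreateSection = 1 } SYNC_TYPE;

typedef struct {
    SYNC_TYPE sync_type;        /* why the file system is being acquired */
    uint32_t  page_protection;  /* PAGE_* value requested for the section */
    bool      is_irp_operation; /* what FLT_IS_IRP_OPERATION(Data) reports */
} section_sync_request;

/* PASS = FLT_PREOP_SUCCESS_NO_CALLBACK (let it through)
 * PEND = FLT_PREOP_PENDING (safe to insert into the cancel-safe queue)
 * DECIDE_INLINE = cannot be pended; the callback itself must return
 *                 FLT_PREOP_COMPLETE with the chosen status */
typedef enum { PASS, PEND, DECIDE_INLINE } disposition;

/* True only for a section creation that can map the file as code;
 * checking a single PAGE_EXECUTE value would miss the other three. */
bool is_executable_section(const section_sync_request *r) {
    return r->sync_type == SyncTypeCreateSection &&
           (r->page_protection & PAGE_EXECUTE_ANY) != 0;
}

disposition classify(const section_sync_request *r) {
    if (!is_executable_section(r)) return PASS;  /* plain data mapping */
    /* Pending and FltCbdqInsertIo are documented for IRP-based I/O only. */
    return r->is_irp_operation ? PEND : DECIDE_INLINE;
}

/* Status the worker (or the inline path) completes the request with. */
uint32_t verdict_to_status(bool allow) {
    return allow ? STATUS_SUCCESS : STATUS_ACCESS_DENIED;
}
```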