How can I block file execution using a legacy file system filter driver?

I am able to block the application using a minifilter by blocking it in the IRP_MJ_ACQUIRE_FOR_SECTION_SYNCHRONIZATION callback.
Is it possible to block the same in a legacy file system filter driver?

Don’t you want to post this to the NTFSD category?

Peter

What about using the PsSetCreateProcessNotifyRoutineEx routine?

Regards,

Fernando Roberto da Silva
DriverEntry Kernel Development
http://www.driverentry.com.br

What about using the PsSetCreateProcessNotifyRoutineEx routine?

This is just a notification routine, so it does not offer an option of telling the system whether it should proceed with the process creation. Certainly, you can try to terminate the process in question at some later stage once you have been informed about it, but this option is, probably, not really the optimal one. However, if you prevent the creation of the target executable section, a caller of ZwCreateProcess() is going to be unable to provide a valid handle to an executable section, which happens to be a crucial parameter to the process creation (a newly-created process has to inherit the address space of some existing process if it is NULL). As a result, you will prevent a process that is based on the target executable image from being created, and do it at the earliest possible stage.

However, the amount of work required for writing a FS filter is simply incomparable to the one that the solution based upon PsSetCreateProcessNotifyRoutineEx() involves. Many years ago (back in pre-Vista days) I used to block the process creation by means of hooking the ZwCreateSection() system call, but these days such a solution would be considered worse than a sub-par one. Therefore, the OP should at least take your suggestion into consideration if he wants to make his project work within a visible timeframe.

Anton Bassov

PsSetCreateProcessNotifyRoutineEx actually enables you to block process creation (unlike its non-Ex variant).
https://docs.microsoft.com/en-us/windows-hardware/drivers/ddi/content/ntddk/ns-ntddk-_ps_create_notify_info

You can also take advantage of FsRtlRegisterFileSystemFilterCallbacks and register the PreAcquireForSectionSynchronization callback.
https://docs.microsoft.com/en-us/windows-hardware/drivers/ddi/content/ntifs/nf-ntifs-fsrtlregisterfilesystemfiltercallbacks
The parameters of the callback quite closely reflect the minifilter world.

PsSetCreateProcessNotifyRoutineEx actually enables you to block process creation (unlike its non-Ex variant).

Probably I just got the OP wrong, but the way I understood him, he wants to implement process-blocking functionality on some ancient system. Otherwise, his original question does not really make any sense - he already knows that it can be done by a minifilter, but still he asks how it can be done by a legacy one. Assuming that he is speaking about some pre-Vista system, this functionality is unavailable (in fact, so is the Ex variant, in the first place - I just overlooked the “…Ex” part)…

Anton Bassov

Thank you all.

Actually I need to block the application on Windows 7 and later OS.
I am using a legacy file system driver for my project. Is it possible with a legacy driver?

Actually I need to block the application on Windows 7 and later OS.
I am using a legacy file system driver for my project. Is it possible with a legacy driver?

Assuming that your target platform supports PsSetCreateProcessNotifyRoutineEx(), who holds you back from using it in your existing legacy FS filter driver? It seems to be the easiest way to go, don’t you think?

Anton Bassov