Hello everyone. Firstly, sorry for my bad English, but I will try to explain my problem.
I need a process monitor WDM driver which gets newly created processes and sends the process exe path to a user-mode app; after the user-mode app scans the file, it sends true or false back to the driver to block or allow the operation. Yesterday I wrote my test driver, but without blocking process creation.
Firstly, in the DriverEntry function I call IoCreateDevice and IoCreateSymbolicLink for user-mode communication. After this I call IoCreateNotificationEvent(\\BaseNamedObjects\\testevent) to signal the user-mode app. Then I register PsSetCreateProcessNotifyRoutineEx. Inside the callback function I get the new process exe path, copy it to a global wchar variable (wchar pathname) and then signal the user-mode app with KeSetEvent. On the user-mode side, the user app opens the event object with OpenEvent(testevent), and in a while loop the user-mode app calls WaitForSingleObject(testevent). When a new process is created, the driver copies the name to the global variable and signals the user-mode process, and the user-mode app sends IOCTL_GET_PATH to the driver. The driver copies the global variable to the user buffer and returns. After this the user-mode app prints the path names to the console output. I tested this on lots of computers with lots of processes and it works fine, but it surprised me)) because I didn't use any sync operation (mutex, spinlock etc.), yet the user app writes all new process paths to the console without any problems. So my first question is: can I use this method (when I don't want to block processes, I only want to write newly created process paths to the console)? Can it cause any problems for me?
My second question is about preventing newly created processes.
I didn't test it, it's only my opinion. Before all, the user-mode app creates a new handle and sends the handle to the driver with DeviceIoControl. The kernel-layer driver copies this handle to a global variable (I use ObReferenceObjectByPointer), and inside the callback function the driver first copies the new process path name to the global variable, then signals user mode, and after this the driver goes into a wait state with WaitForSingleObject (waiting on the handle which the user sent). In the user layer, after the user-mode process scans the file name, it sends the answer (1 or 0) to the driver with an IOCTL; the driver copies the answer to a global variable, and then the user app signals the event which the driver is waiting on. The driver wakes up, reads the answer which contains true or false, and does the next job.
Again, sorry for my bad English. I hope someone can help me.