Hi All,
I’m basically trying to develop an application control/whitelisting security mechanism.
The basic idea is to have a list of trusted applications, and if any untrusted application tries to run I’ll block its execution.
Basically this commercial product is pretty much the gist of what I’m trying to achieve:
http://www.bit9.com/products/parity.php
Right now, I have a kernel mode driver which sets notification routines using PsSetLoadImageNotifyRoutine and PsSetCreateProcessNotifyRoutine.
In my LoadImageNotifyRoutine, I’m able to get the full path to the executable file and verify if it belongs on my white list.
Now, my only difficulty is figuring out how to stop the process from being executed.
I’m thinking of creating a worker thread from my LoadImageNotifyRoutine which will then call ZwOpenProcess followed by ZwTerminateProcess. However, I’m afraid that this might be too late, and that the process would already have been created. So the user will see the application open for a split second and then close.
Has anybody done something like this before? Or have any ideas on how to proceed?
Appreciate the advice,
Thanks in advance
- Kelvin
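Added example (not Kelvin's code, and not from this thread): the decision that a process-creation callback can make up front instead of terminating the process afterwards. PsSetCreateProcessNotifyRoutineEx (Vista SP1 / Server 2008 and later) passes a PS_CREATE_NOTIFY_INFO to the callback, and a driver that sets its CreationStatus field to a failure code makes the creation itself fail, so no initial thread ever runs and nothing flashes on screen. To build this outside the WDK, the few kernel types it touches (NTSTATUS, UNICODE_STRING, the subset of PS_CREATE_NOTIFY_INFO used here) are re-declared as minimal stand-ins with the same field names as ntddk.h; the whitelist paths and the DecideForImagePath test driver are hypothetical and exist only so the logic can be exercised from user mode. The comparison is a whole-string, case-insensitive compare of the counted string (standing in for RtlEqualUnicodeString with CaseInSensitive), since a prefix or filename-only match is trivially bypassed.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* --- Minimal stand-ins for the ntddk.h types this example touches. ---
 * In a real driver these come from ntddk.h and must not be redefined. */
typedef long NTSTATUS;
typedef unsigned short WCHAR;
#define STATUS_SUCCESS       ((NTSTATUS)0x00000000L)
#define STATUS_ACCESS_DENIED ((NTSTATUS)0xC0000022L)

typedef struct _UNICODE_STRING {
    unsigned short Length;        /* length in BYTES, not characters */
    unsigned short MaximumLength;
    WCHAR         *Buffer;        /* not necessarily NUL-terminated */
} UNICODE_STRING, *PUNICODE_STRING;

/* Subset of PS_CREATE_NOTIFY_INFO used below (same field names as ntddk.h). */
typedef struct _PS_CREATE_NOTIFY_INFO {
    NTSTATUS        CreationStatus;   /* driver sets this to fail the create */
    PUNICODE_STRING ImageFileName;    /* full NT path: \Device\HarddiskVolumeN\... */
} PS_CREATE_NOTIFY_INFO, *PPS_CREATE_NOTIFY_INFO;

/* Hypothetical whitelist of full NT paths (assumption for this example).
 * A product like Parity keys on file hashes/signers; the post describes paths. */
static const char *const g_Whitelist[] = {
    "\\Device\\HarddiskVolume2\\Windows\\System32\\notepad.exe",
    "\\Device\\HarddiskVolume2\\Windows\\explorer.exe",
};

static WCHAR AsciiLower(WCHAR c)
{
    return (c >= 'A' && c <= 'Z') ? (WCHAR)(c + 32) : c;
}

/* Exact, case-insensitive, whole-string compare of a counted UNICODE_STRING
 * against an ASCII pattern (stand-in for RtlEqualUnicodeString(a, b, TRUE)).
 * Whole-string matters: a prefix or substring match would let
 * "...\notepad.exe.bad.exe" or a same-named file in another folder through. */
static int UnicodeEqualsAsciiCi(const UNICODE_STRING *s, const char *ascii)
{
    size_t n = strlen(ascii);
    if (s->Length != n * sizeof(WCHAR))
        return 0;
    for (size_t i = 0; i < n; i++)
        if (AsciiLower(s->Buffer[i]) != AsciiLower((WCHAR)(unsigned char)ascii[i]))
            return 0;
    return 1;
}

static int IsWhitelisted(const UNICODE_STRING *imagePath)
{
    for (size_t i = 0; i < sizeof g_Whitelist / sizeof g_Whitelist[0]; i++)
        if (UnicodeEqualsAsciiCi(imagePath, g_Whitelist[i]))
            return 1;
    return 0;
}

/* Shape of a PCREATE_PROCESS_NOTIFY_ROUTINE_EX callback. Setting CreationStatus
 * makes the create fail in the kernel, so the new process never gets a thread.
 * Registration in DriverEntry:  PsSetCreateProcessNotifyRoutineEx(CreateProcessNotifyEx, FALSE);
 * Removal in DriverUnload:      PsSetCreateProcessNotifyRoutineEx(CreateProcessNotifyEx, TRUE);
 * The driver must be linked with /INTEGRITYCHECK or registration fails with
 * STATUS_ACCESS_DENIED. */
static void CreateProcessNotifyEx(void *Process, void *ProcessId, PPS_CREATE_NOTIFY_INFO CreateInfo)
{
    (void)Process; (void)ProcessId;
    if (CreateInfo == NULL)          /* NULL means the process is exiting: nothing to decide */
        return;
    if (CreateInfo->ImageFileName == NULL || !IsWhitelisted(CreateInfo->ImageFileName))
        CreateInfo->CreationStatus = STATUS_ACCESS_DENIED;   /* default-deny */
}

/* Hypothetical user-mode test driver: builds the structures the kernel would
 * pass and returns the callback's decision. ASCII input is widened to WCHAR
 * only because this runs outside the kernel. */
NTSTATUS DecideForImagePath(const char *asciiNtPath)
{
    WCHAR buf[260];
    size_t n = strlen(asciiNtPath);
    if (n > sizeof buf / sizeof buf[0])
        n = sizeof buf / sizeof buf[0];
    for (size_t i = 0; i < n; i++)
        buf[i] = (WCHAR)(unsigned char)asciiNtPath[i];

    UNICODE_STRING name = { (unsigned short)(n * sizeof(WCHAR)), (unsigned short)sizeof buf, buf };
    PS_CREATE_NOTIFY_INFO info = { STATUS_SUCCESS, &name };
    CreateProcessNotifyEx(NULL, NULL, &info);
    return info.CreationStatus;
}

int main(void)
{
    /* Constructed sample paths. */
    const char *samples[] = {
        "\\Device\\HarddiskVolume2\\Windows\\System32\\notepad.exe",
        "\\device\\harddiskvolume2\\WINDOWS\\system32\\NOTEPAD.EXE",
        "\\Device\\HarddiskVolume2\\Users\\kelvin\\notepad.exe",
        "\\Device\\HarddiskVolume2\\Windows\\System32\\notepad.exe.bad.exe",
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%s -> %s\n", samples[i],
               DecideForImagePath(samples[i]) == STATUS_SUCCESS ? "allow" : "deny");
    return 0;
}
```

The callback runs in the context of the creating process before the new process's initial thread is started, which is why setting CreationStatus there avoids the open-then-close flicker that a ZwTerminateProcess from a worker thread produces. The image-load callback is still useful for DLLs and for gathering the file object, but it cannot return a failure status, so the process-create callback is where the allow/deny decision belongs.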