I want a suspicious process in isolated mode…
I am able to deny access to a handle on create/open of a process or thread using ObRegisterCallbacks…
It has desktop objects too, but those are supported from Windows 10; I want it to work from Windows Vista…
Is there any way to do it from a driver and support it from Vista?
No way without some hacks (which I think will now trigger a PG crash on 8.1+), but you can use the google to find articles on ways to do it. And you need to define what you mean by isolate. If you are just going to deny access to all objects then you might as well just terminate the process. But if you want to redirect and sandbox it, then you’ll need more than just ObCallbacks.
On Thu, Dec 24, 2015 at 12:33 AM, wrote:
> I want a suspicious process in isolated mode…
> I am able to deny access to handle on create/open process and thread using
> obregistercallback…
> it has desktop objects too but supported from windows 10, i want it to
> work from windows vista…
> anyway to do it from driver and support from vista
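The reply above says ObCallbacks can only deny or trim access, not redirect. As an added example (not code from the thread or from any poster), this is the shape of an ObRegisterCallbacks pre-operation filter that confines a sandboxed process: when a member of an isolated set opens a process or thread outside the set, the handle is reduced to query/synchronize rights instead of being refused outright. The decision logic is plain C so it can be exercised anywhere; the kernel glue compiles only in a WDK kernel-mode build. The PID list, the reduced right set, the altitude string and the names `filter_access`, `PreOpen` and `RegisterIsolationCallbacks` are all assumptions of this example. Desktop objects are not covered, which matches the thread: `ExDesktopObjectType` is not a supported callback type before Windows 10.

```c
/*
 * Added example, not from the NTDEV thread: ObRegisterCallbacks pre-op
 * filter that strips handle rights when a process in a constructed
 * "isolated" set opens a process or thread outside that set.
 */
#include <stdint.h>
#include <stddef.h>

/* Access-right values used below (subset; values as in winnt.h/ntddk.h). */
#define SYNCHRONIZE_RIGHT                 0x00100000u
#define PROCESS_QUERY_LIMITED_INFO_RIGHT  0x00001000u
#define THREAD_QUERY_LIMITED_INFO_RIGHT   0x00000800u

/* Rights an isolated process may keep on a non-isolated target (assumed policy). */
#define ALLOWED_PROCESS_RIGHTS (SYNCHRONIZE_RIGHT | PROCESS_QUERY_LIMITED_INFO_RIGHT)
#define ALLOWED_THREAD_RIGHTS  (SYNCHRONIZE_RIGHT | THREAD_QUERY_LIMITED_INFO_RIGHT)

typedef enum { TARGET_PROCESS, TARGET_THREAD } target_kind;

/* Constructed sandbox membership; a real driver would keep this in a
 * lock-protected table maintained from its process-notify routine. */
static uint32_t g_isolated_pids[8] = { 4242 };
static size_t   g_isolated_count   = 1;

static int is_isolated(uint32_t pid) {
    for (size_t i = 0; i < g_isolated_count; i++)
        if (g_isolated_pids[i] == pid) return 1;
    return 0;
}

/*
 * Core policy, returns the access mask the handle may actually carry:
 *  - opens by non-isolated processes are untouched (the driver confines
 *    the sandbox, it does not police the rest of the host);
 *  - an isolated process opening itself or another member is untouched;
 *  - an isolated process opening anything else keeps only query/sync rights.
 */
uint32_t filter_access(uint32_t source_pid, uint32_t target_pid,
                       target_kind kind, uint32_t desired) {
    if (!is_isolated(source_pid) || is_isolated(target_pid))
        return desired;
    uint32_t allowed = (kind == TARGET_PROCESS) ? ALLOWED_PROCESS_RIGHTS
                                                : ALLOWED_THREAD_RIGHTS;
    return desired & allowed;
}

#if defined(_WIN32) && defined(_KERNEL_MODE)
#include <ntddk.h>

/* Pre-operation callback; runs in the context of the process doing the open.
 * For duplicates this treats the duplicating process as the source; a
 * stricter driver would also inspect DuplicateHandleInformation.TargetProcess. */
static OB_PREOP_CALLBACK_STATUS
PreOpen(PVOID Context, POB_PRE_OPERATION_INFORMATION Info)
{
    UNREFERENCED_PARAMETER(Context);
    if (Info->KernelHandle)            /* leave kernel-mode opens alone */
        return OB_PREOP_SUCCESS;

    target_kind kind = (Info->ObjectType == *PsProcessType) ? TARGET_PROCESS
                                                            : TARGET_THREAD;
    uint32_t target = (kind == TARGET_PROCESS)
        ? (uint32_t)(ULONG_PTR)PsGetProcessId((PEPROCESS)Info->Object)
        : (uint32_t)(ULONG_PTR)PsGetThreadProcessId((PETHREAD)Info->Object);
    uint32_t source = (uint32_t)(ULONG_PTR)PsGetCurrentProcessId();

    /* Create and duplicate carry DesiredAccess in different union members. */
    PACCESS_MASK desired = (Info->Operation == OB_OPERATION_HANDLE_CREATE)
        ? &Info->Parameters->CreateHandleInformation.DesiredAccess
        : &Info->Parameters->DuplicateHandleInformation.DesiredAccess;
    *desired = filter_access(source, target, kind, *desired);
    return OB_PREOP_SUCCESS;
}

/* Registers PreOpen for process and thread handle create/duplicate. */
NTSTATUS RegisterIsolationCallbacks(PVOID *Handle)
{
    OB_OPERATION_REGISTRATION ops[2] = {0};
    ops[0].ObjectType   = PsProcessType;
    ops[0].Operations   = OB_OPERATION_HANDLE_CREATE | OB_OPERATION_HANDLE_DUPLICATE;
    ops[0].PreOperation = PreOpen;
    ops[1] = ops[0];
    ops[1].ObjectType   = PsThreadType;

    OB_CALLBACK_REGISTRATION reg = {0};
    reg.Version = OB_FLT_REGISTRATION_VERSION;
    reg.OperationRegistrationCount = 2;
    RtlInitUnicodeString(&reg.Altitude, L"321000"); /* placeholder altitude */
    reg.OperationRegistration = ops;
    return ObRegisterCallbacks(&reg, Handle);
}
#endif
```

The callback never returns an error; it rewrites `DesiredAccess`, so the caller's open succeeds with a weaker handle and the sandboxed program keeps running. That is the whole reach of this mechanism: it cannot make the process see a different object, which is why redirection needs the separate filtering the reply refers to.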
Yes, I know. I have redirected the CreateFile calls and registry calls; now I want to protect kernel objects from misuse… I am able to deny access if it tries to open a handle to a non-isolated process/thread…
I don't want the isolated process to open a desktop handle and perform operations on it…
If you know any useful pointers, can you share the links…
Deepak
> Deepak Mahale wrote:
> I don't want the isolated process to open a desktop handle and perform operations on it…
Try SetProcessMitigationPolicy + the PROCESS_MITIGATION_SYSTEM_CALL_DISABLE_POLICY flag.
When this flag is enabled, the process is not permitted to perform GUI system calls.
Hi Aleh,
I think this is a desktop API…
I want to implement this in the kernel; is there any way to accomplish this…
I am checking Avast antivirus, since they seem to implement something that hides their desktops from functions like EnumDesktops and OpenDesktop. I found out that they use ExDesktopObjectType, but I don't know how…
Any ideas???
Can anyone tell me the use of ObjectTypeInitializer.OpenProcedure?
Run your untrusted process under a separate unprivileged account on a dedicated desktop. You don’t need any kernel mode stuff to do that; it can be done by a usermode monitor.
> i dont want the isolated process to open a desktop handle and perform operations on it…
Forget it - you cannot sandbox a process under Windows without MAJOR hacks that turn the system upside down and inside out. This is not how the Windows security model works, at least as far as kernel objects are concerned (although two separate desktops that may happily coexist under the same user account are, indeed, not allowed to exchange window messages with one another). However, a desktop itself is a kernel object, so that, as long as two desktop objects are associated with the same user account, a process associated with Desktop X can always open a handle to Desktop Y…
Anton Bassov