PsSetCreateProcessNotifyRoutine

Hi,

Is it possible to terminate a process from within a callback registered with PsSetCreateProcessNotifyRoutine or PsSetLoadImageNotifyRoutine?

Thanks!
Vance

The normal methods will not work, you have to really hack things to
terminate the process since the process is not totally formed at the
time of the call. This is why PsSetCreateProcessNotifyRoutineEx was
added.

Don Burn (MVP, Windows DKD)
Windows Filesystem and Driver Consulting
Website: http://www.windrvr.com
Blog: http://msmvps.com/blogs/WinDrvr

-----Original Message-----
From: xxxxx@hotmail.com [mailto:xxxxx@hotmail.com]
Posted At: Tuesday, July 20, 2010 4:11 PM
Posted To: ntdev
Conversation: PsSetCreateProcessNotifyRoutine
Subject: PsSetCreateProcessNotifyRoutine

Hi,

Is it possible to Terminate a process from within a callback from
PsSetCreateProcessNotifyRoutine or PsSetLoadImageNotifyRoutine?

Thanks!
Vance

Thank you Don.

Basically, on Vista SP1 and up, use PsSetCreateProcessNotifyRoutineEx: “The driver can cause the process-creation operation to fail by changing the CreateInfo->CreationStatus member to an NTSTATUS error code”.

On lower versions: I am against hacking this thing up, so if you would use a minifilter, can you easily and reliably identify which files are opened for the purpose of being executed? I see this as one potential direction to research as well, other than the callbacks.

Best!
Vance

> If you would use a miniFilter, can you easily and reliably identify what files are opened by the purpose of being executed?

Nope…

Although the minifilter framework provides section-related callbacks, there is no one-to-one correspondence between
a callback invocation and a call to ZwCreateSection() that creates an executable section. This is why, in order to control executable section creation on pre-Vista Windows versions, you had to resort to hooking …

Anton Bassov

On Tue, Jul 20, 2010 at 5:49 PM, wrote:

> Thank you Don.
>
> Basically on Vista SP1 and up use PsSetCreateProcessNotifyRoutineEx: “The
> driver can cause the process-creation operation to fail by changing the
> CreateInfo->CreationStatus member to an NTSTATUS error code”
>
> On Lower version: I am against hacking this thing up so If you would use a
> miniFilter, can you easily and reliably identify what files are opened by
> the purpose of being executed? I see this as one potential direction to
> research as well other than the callbacks.
>
> Best!
> Vance

Hi Vance,

I have a legacy filter that denies the process from being created by properly verifying
the ACCESS_STATE structure through the OriginalDesiredAccess field and
checking for the FILE_EXECUTE flag.
When I get it, I simply return STATUS_ACCESS_DENIED for the IRP.
It works without problem in a Windows XP/2003 environment. However, I have no
experience with minifilters and I don't know how to help you.
I know that in the Vista version the API PsSetCreateProcessNotifyRoutineEx() has
support to deny the creation of the process through the struct
PS_CREATE_NOTIFY_INFO
and the field CreationStatus.

Ismael Rocha
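As an added example (not code from this thread or from any of its posters), here is the Vista SP1+ approach Vance and Ismael describe: a PsSetCreateProcessNotifyRoutineEx callback that refuses a process by setting CreateInfo->CreationStatus. The policy check is portable C so it can be compiled and tested in user mode; DRIVER_BUILD, the deny-list entries and the function names are assumptions of this example.

```c
/* Added example, not the thread's code: veto process creation from a
 * PsSetCreateProcessNotifyRoutineEx callback. DRIVER_BUILD is an assumed define. */
#ifdef DRIVER_BUILD
#include <ntddk.h>
#else
#include <stddef.h>
#endif

/* Hypothetical deny list of image-path suffixes (constructed samples). */
static const wchar_t *const g_denied_suffixes[] = {
    L"\\Temp\\unapproved.exe",
    L"\\blocked_tool.exe",
};
size_t wlen(const wchar_t *s) { size_t n = 0; while (s[n] != L'\0') n++; return n; }
static wchar_t lower_ascii(wchar_t c) { return (c >= L'A' && c <= L'Z') ? (wchar_t)(c + 32) : c; }
/* ASCII case-insensitive suffix test on a counted string: the UNICODE_STRING
 * in PS_CREATE_NOTIFY_INFO.ImageFileName is not guaranteed NUL-terminated. */
static int ends_with_nocase(const wchar_t *s, size_t s_len, const wchar_t *suffix)
{
    size_t n = wlen(suffix);
    if (n > s_len) return 0;
    s += s_len - n;
    for (size_t i = 0; i < n; i++)
        if (lower_ascii(s[i]) != lower_ascii(suffix[i])) return 0;
    return 1;
}

/* Policy: returns 1 when the image should be refused, 0 otherwise. */
int should_deny_image(const wchar_t *image, size_t image_len)
{
    for (size_t i = 0; i < sizeof g_denied_suffixes / sizeof g_denied_suffixes[0]; i++)
        if (ends_with_nocase(image, image_len, g_denied_suffixes[i])) return 1;
    return 0;
}

#ifdef DRIVER_BUILD
/* Register with PsSetCreateProcessNotifyRoutineEx(CreateProcessNotifyEx, FALSE) in
 * DriverEntry and remove with TRUE on unload; the driver must be linked with
 * /INTEGRITYCHECK or registration itself fails with STATUS_ACCESS_DENIED. */
VOID CreateProcessNotifyEx(PEPROCESS Process, HANDLE ProcessId,
                           PPS_CREATE_NOTIFY_INFO CreateInfo)
{
    UNREFERENCED_PARAMETER(Process); UNREFERENCED_PARAMETER(ProcessId);
    if (CreateInfo == NULL || CreateInfo->ImageFileName == NULL)
        return;                            /* NULL CreateInfo = process exit */
    if (should_deny_image(CreateInfo->ImageFileName->Buffer,
                          CreateInfo->ImageFileName->Length / sizeof(WCHAR)))
        CreateInfo->CreationStatus = STATUS_ACCESS_DENIED;  /* creation fails */
}
#endif
```

Unlike the FILE_EXECUTE approach, the decision here is made once per process with the final image path, so ordinary opens of the file for reading are unaffected.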

“Ismael Rocha” wrote in message
news:xxxxx@ntdev…
> I got a legacy filter the deny the process to be created properly verifying
> the structure ACCESS_STATE thought the field OriginalDesiredAccess and
> checking for the flag FILE_EXECUTE.
> When I got it, I simple return STATUS_ACCESS_DENIED for the IRP.

That can lead to lots of application compatibility problems, as it prevents
the user from opening for execute even if they never plan on executing the
file. It’s hard to guess intention in the create path; you’ll find that it
works most of the time but not always.

-scott


Scott Noone
Consulting Associate
OSR Open Systems Resources, Inc.
http://www.osronline.com