Hello all,
Everything is in the title. I’m trying to redirect a process execution to another via IRP in my minifilter. For example: when I double-click on old.exe, I want new.exe to be executed instead of old.exe.
I tried to do it on (Data->Iopb->MajorFunction == IRP_MJ_ACQUIRE_FOR_SECTION_SYNCHRONIZATION) && (Data->Iopb->Parameters.AcquireForSectionSynchronization.PageProtection == PAGE_EXECUTE) but it doesn’t seem to work. What about doing the same for DLLs, would it be possible?
Thanks in advance for any help
Standard response #17: WHY? What are you REALLY trying to accomplish and WHY do you think Xxx is the way to do it?
— xxxxx@hotmail.fr wrote:
From: xxxxx@hotmail.fr
To: “Windows System Software Devs Interest List”
Subject: [ntdev] Redirect a process execution
Date: Mon, 8 Jun 2015 17:44:25 -0400 (EDT)
—
NTDEV is sponsored by OSR
Visit the list at: http://www.osronline.com/showlists.cfm?list=ntdev
OSR is HIRING!! See http://www.osr.com/careers
For our schedule of WDF, WDM, debugging and other seminars visit:
http://www.osr.com/seminars
To unsubscribe, visit the List Server section of OSR Online at http://www.osronline.com/page.cfm?name=ListServer
Hi Gregory,
For monitoring stuff 
Because I’ve been around lately on IRP, and understand that we can change a lot of behaviors.
Unless you have some more clarifications, I’ll take them into account
Thanks.
I would try to reparse it even earlier in Create. Between Create file and
acquire section there might be other calls in between to query file info so
confusion might occur from the caller's point of view.
How does one do monitoring using this method?
On Jun 9, 2015 12:17 AM, wrote:
> Hi Gregory,
>
> For monitoring stuff 
> Because I’ve been around lately on IRP, and understand that we can change
> a lot of behaviors.
> Unless you have some more clarifications, I’ll take them into account
>
> Thanks.
I’ve changed the MajorFunction to IRP_MJ_CREATE with the FILE_EXECUTE flag on desiredAccess and it did work on exe files. But on DLLs, it doesn’t seem to work. I’m wondering what the difference would be at this stage between exe and DLL files.