ZwSuspendThread revisited

Hi,

I need to suspend a thread in a driver. To be more exact in the PsCreateThreadNotifyRoutine(). And I need to do it in X64 on Win7/8.

The official answer appears to be - I can’t - because there is no exported ZwSuspendThread() routine.

Unfortunately I have to do it anyway.

Do you have any idea how to do it?

tnx,
Dietmar

Actually it is worse than you think, at least in older systems the thread
was not finished being created at the time of the
PsCreateThreadNotifyRoutine callback, so even if you could call the suspend
routine it would fail. Step back and tell us what you are trying to do.

Don Burn
Windows Filesystem and Driver Consulting
Website: http://www.windrvr.com
Blog: http://msmvps.com/blogs/WinDrvr



NTDEV is sponsored by OSR

Visit the list at: http://www.osronline.com/showlists.cfm?list=ntdev

OSR is HIRING!! See http://www.osr.com/careers

For our schedule of WDF, WDM, debugging and other seminars visit:
http://www.osr.com/seminars

To unsubscribe, visit the List Server section of OSR Online at
http://www.osronline.com/page.cfm?name=ListServer

I need to write security software that makes sure that no unwanted software is executed.
I do not have to deal with sneaky malware stuff. There is some pre-existing software in place to deal with those. So I can concentrate on nice, well-behaved software like “calc.exe”.

I need to intercept process creation and stop any user-mode software from being executed.
On top of that I need to do it user-based. “calc.exe” may be allowed for “mike” but not for “mary”.

To complicate things further - CreateProcessAsUser() cheats. It calls NtCreateThread() in the parent’s context and patches up the token later. So all kernel-side hooks including PsCreateThreadNotifyRoutine() will report the wrong user context.

How can it be done?

tnx,
Dietmar

The logical way to do this is to use ACLs on the executables. So rather
than catching execution you might look at whether it makes sense to have a
file system filter that monitors executables and ensures that ACLs are not
changed for executables and that a new executable is blocked from being run
till an appropriate action is taken. I realize this is a totally different
approach than what you were looking for, but ACLs properly managed could do
this without additional software; at most what you need to think about is
adding a tool to help manage ACLs for your desired result.

Don Burn
Windows Filesystem and Driver Consulting
Website: http://www.windrvr.com
Blog: http://msmvps.com/blogs/WinDrvr


I believe ACLs are not supported on all file systems, right?

Could you not use Software Restriction Policies (SRP) or AppLocker… ?

http://technet.microsoft.com/en-us/library/hh831534.aspx

http://technet.microsoft.com/en-us/library/hh831440(v=ws.11)

Thanks,
Arvind
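As an added example (not from Arvind’s post, and not a Microsoft sample), the per-user rule the thread keeps returning to, “calc.exe” allowed for mike but not for mary, expressed as an AppLocker policy built, dry-run and applied from PowerShell. The account name `mary`, the policy file path and the rule GUIDs are placeholders; the cmdlets (`Test-AppLockerPolicy`, `Set-AppLockerPolicy`) are the real ones from the AppLocker module.

```powershell
# Added example, not from the thread. Builds an AppLocker Exe policy that keeps the
# usual default allow rules and adds one Deny rule for a single user on calc.exe,
# then tests the decision before enforcing it. Assumes Windows 7 Enterprise/Ultimate
# or Server 2008 R2 and later (AppLocker does not exist on XP/2003; SRP is the only
# option there) and that the account 'mary' exists (placeholder name).

$deniedUser = 'mary'                               # placeholder account
$policyPath = Join-Path $env:TEMP 'deny-calc.xml'  # placeholder output file

# AppLocker rules key on SIDs, not names, so resolve the account first.
$deniedSid = (New-Object System.Security.Principal.NTAccount($deniedUser)).
    Translate([System.Security.Principal.SecurityIdentifier]).Value

# S-1-1-0 is Everyone, S-1-5-32-544 is BUILTIN\Administrators. Without the allow
# rules an enforced Exe collection blocks everything that is not explicitly allowed.
# The rule GUIDs are constructed here; only their uniqueness matters.
$policyXml = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="AuditOnly">
    <FilePathRule Id="a1c2e3f4-0000-4000-8000-000000000001" Name="Allow Windows folder"
                  Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%WINDIR%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="a1c2e3f4-0000-4000-8000-000000000002" Name="Allow Program Files"
                  Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="a1c2e3f4-0000-4000-8000-000000000003" Name="Allow administrators everything"
                  Description="" UserOrGroupSid="S-1-5-32-544" Action="Allow">
      <Conditions><FilePathCondition Path="*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="a1c2e3f4-0000-4000-8000-000000000004" Name="Deny calc.exe for $deniedUser"
                  Description="" UserOrGroupSid="$deniedSid" Action="Deny">
      <Conditions><FilePathCondition Path="%WINDIR%\System32\calc.exe" /></Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
"@
Set-Content -LiteralPath $policyPath -Value $policyXml -Encoding UTF8

# Dry run: ask AppLocker what it would decide for mary and for everyone else.
Test-AppLockerPolicy -XmlPolicy $policyPath -Path "$env:WINDIR\System32\calc.exe" -User $deniedUser
Test-AppLockerPolicy -XmlPolicy $policyPath -Path "$env:WINDIR\System32\calc.exe" -User Everyone

# Apply to the local machine. -Merge keeps rules already present in the local policy.
# The Application Identity service (AppIDSvc) must be running for rules to take effect.
Set-AppLockerPolicy -XmlPolicy $policyPath -Merge
```

The policy starts in `AuditOnly`, so decisions are only logged (Microsoft-Windows-AppLocker/EXE and DLL, event 8003 for “would have been blocked”); switch `EnforcementMode` to `Enabled` once the audit log shows no surprises. AppLocker evaluates at image load rather than through NTFS permissions, so it also covers executables on FAT and removable media, which is the gap Arvind’s question points at. A path condition still carries Joe’s caveat that a copy of the file under another name is a different path; use a publisher or hash condition where that matters.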

First principle: only in the most rare and exotic conditions would you
need to suspend a thread
Second principle: the likelihood that you have such rare and exotic
conditions is indistinguishable from zero
Third principle: suspending a thread will cause more problems than you can
possibly imagine
Fourth principle: if, for any reason, you think you need to suspend a
thread, consult the previous three principles

So, let’s start with a much more correct premise: under NO conditions, for
ANY reason, should a thread be suspended. Now, given that premise, why do
you think this is going to solve any problem? And, inevitably, what
problem are you really trying to solve?

I have a set of PowerPoint slides in my Advanced Systems Programming
course detailing why SuspendThread (the user-level API) will always cause
more problems than it could ever hope to solve.

The existence of a call does not mean you should use it. Also, you have
not said if this is an application-level thread or a kernel-level thread,
although it is a mistake to consider either one as a candidate for
suspension.

The most common error I’ve seen in using SuspendThread is that some form
of thread “synchronization” is the goal, which is ALWAYS handled best by
mutexes, semaphores, and/or events.

So there are two things you must do
a) forget you ever heard of thread suspension as a programmer-level concept
b) state the problem you want to solve
joe


> I need to write security software that makes sure that no unwanted
> software is executed.
> I do not have to deal with sneaky malware stuff. There is some
> pre-existing software in place to deal with those. So I can concentrate on
> nice, well-behaved software like “calc.exe”.

Note that thread suspension would be a total disaster for this purpose.
In the list of “rare and exotic” conditions I mentioned earlier, this
purpose would be in the complement of the set.

> I need to intercept process creation and stop any user-mode software from
> being executed.

You seem to be confused between the concepts of “process” and “thread”.
You will need to clear up this confusion before you can proceed. Where,
for example, did you get the idea that malware needs to create a process
to accomplish its task? You are making the same mistake all newbies make:
you don’t understand the huge number of available attack vectors, and
think that closing the barn door will solve all problems when you don’t
know anything about the construction of barns.

And, of course, the usual caveats apply: if the kernel has been
compromised, everything you do is without meaning.

> On top of that I need to do it user-based. “calc.exe” may be allowed for
> “mike” but not for “mary”.

Why have you failed to understand the concept of ACLs and what they are used
for? To prevent a particular user from executing a program, you just deny
that person (or group, but let’s not run into all of this too quickly) the
right to execute it. So, here’s a new plan for you
a) stop what you are doing. You are wasting your time
b) read about ACLs
c) before embarking on a p-baked idea, for p < 0.01 (p == 0.5 is
half-baked), decide why your hacked-together pseudo-solution
accomplishes something above and beyond what is already built into the
kernel
d) before asking us how to do something that is between foolhardy and
dangerous, explain why this action is solving a problem that is already
solved

> To complicate things further - CreateProcessAsUser() cheats. It calls
> NtCreateThread() in the parent’s context and patches up the token later. So
> all kernel-side hooks including PsCreateThreadNotifyRoutine() will report
> the wrong user context.

Suppose you do not want “Mary” to run calc.exe. Deny access to Mary. Now
use CreateProcessAsUser. Report if it succeeds or fails. If it succeeds,
file a bug report with Microsoft.

You are caring about the wrong thing, at the wrong level. So don’t be
surprised when you see odd behavior.

Note that if ACLs solve your problem, it indicates you have a deeper
problem: attempting to build bad solutions to non-problems
joe

> How can it be done?
>
> tnx,
> Dietmar



> So, let’s start with a much more correct premise: under NO conditions, for ANY reason,
> should a thread be suspended.
>
> The existence of a call does not mean you should use it.

Well, as it normally happens with absolute statements that allow no compromise, this one is simply wrong…

For example, consider writing a debugger - a thread created by the debuggee app has to be under the control of the debugger process, right? This is where calls like SuspendThread() and SetThreadContext() come in handy.

Having said that, I have to make it clear that functions like SuspendThread() and SetThreadContext() are NOT
meant for general-purpose use, and, indeed, have a high potential for causing havoc if used improperly.
For example, consider what happens if you suspend a thread at the moment it owns a critical section…

Anton Bassov

I taught my Advanced Systems Programming course at the customer’s
development lab. VS2005 had been installed on all the machines. But the
AV software blocked the creation of .exe files, so the linker could not
create any files. The IT people would not allow the AV software to be
disabled. Fun ensued, and we solved it when the students each brought
their own desktop machine to the lab every morning. So the problem of
preventing creation of executables already has a solution.

But newbies read about a few calls and are convinced they can write some
kind of anti-malware solution. I’ve never yet seen one I couldn’t
circumvent with less than five minutes’ thinking, and this one took less
than 30 seconds to find all possible ways it can fail to accomplish its
goals. No, not “all”, just a half-dozen or so. Malware authors could,
with the same effort, come up with dozens more.

By the way, some of those ways I’ve thought of were ways I had already
shown in my Windows Security course.
joe


>> So, let’s start with a much more correct premise: under NO conditions,
>> for ANY reason,
>> should a thread be suspended.
>>
>> The existence of a call does not mean you should use it.

> Well, as it normally happens with absolute statements that allow no
> compromise, this one is simply wrong…

Remember my policy on statements like this: newbies need a very simple set
of rules to follow to keep them from getting into trouble. Give them
rules that have too many qualifying clauses, and they will interpret one
of those clauses as covering the case they want, and go ahead and do it.

Things that you, or I, or Peter can do because we well-and-truly
understand Windows at a deep level, will only get a newbie into an
unrecoverable situation. One of the problems of teaching is making sure
beginners do not blow themselves up, in some cases, literally. Someone
who asks how to use SuspendThread is probably not qualified to use it.

For example, it is a good idea to tell a student pilot “Do not attempt a
takeoff when the crosswinds exceed 20 knots”. At some point, when the
student has enough hours in, the instructor will expose him/her to 30-knot
crosswinds. I was not taught spin recovery until I had enough hours in
that the instructor trusted my ability to get out of it without ripping
the wings off the plane.

“A superior pilot is someone who uses his superior judgment to avoid
getting into situations in which his superior skill is required for
survival”

You don’t take a 5-hour pilot and let him/her take off under IFR
(Instrument Flight Rules) conditions. A Navy pilot does not make his/her
first landing on a carrier. Your first exercise in the gym is not doing a
500-pound bench press (my triumph last week was moving from 4lb to 5lb
weights; a friend of mine the next station over was doing the same
exercise with 55lb weights)

Object lesson: a friend called me one night and said, “Did you hear about
JFK, Jr?” “No…” “He offed himself” “???” “Yes, with under 100 hours, he
flew over the ocean at night”. Yep. Because his instructor never gave
him the simple rule “Do not fly over the ocean at night” Lots of pilots
fly over the ocean at night. But those that survive didn’t do it with
less than 100 hours’ experience. So I learned to always give simple,
uncompromising rules. By the time the person recognizes the simplistic
nature of the rule, there’s enough background to know how to deal with it.

“Physics is taught by an ever-more-refined series of lies”. We teach
simple Newtonian mechanics. We progress through classic electromagnetism,
classic nuclear physics, special relativity, general relativity, quantum
physics, quantum electrodynamics, …

At each level, the student is told why the “truth” is not really the
truth, but the truth /really/ is…

My undergraduate major was math, with a minor in physics, but the year I
graduated the school decided to stop offering minor degrees on the
documents. About a decade ago, I read an introductory text on QED, and
when I was done, my reaction was “OMG! Physics is far simpler than what I
studied!” I worked two summers in a metallurgy research lab. I know how
I was taught math, chemistry, and physics. For some reason, we do not
have the same structure to software teaching. I’m trying to bring that
structure back.

SuspendThread is a very, very dangerous call. It should not be used in a
casual fashion, and certainly not by someone trying to implement such a
p-baked solution.

You can pull out all the weird exception cases and claim that my “absolute
rule” is wrong, but actually, these exotic cases merely strengthen my
point. Kids, don’t try this at home.

[I once bought a book on “science experiments to do at home”, and one of the projects involved using red potassium, a chemical so toxic that 0.2mg is the adult lethal dosage (not LD50, the dosage with 50% lethality, but LD100). SuspendThread has many of the same properties]

joe

> For example, consider writing a debugger - a thread created by the debuggee
> app has to be under the control of the debugger process, right? This is
> where calls like SuspendThread() and SetThreadContext() come in handy.
>
> Having said that, I have to make it clear that functions like
> SuspendThread() and SetThreadContext() are NOT
> meant for general-purpose use, and, indeed, have a high potential for
> causing havoc if used improperly.
> For example, consider what happens if you suspend a thread at the moment it
> owns a critical section…

Yep, that’s the simple scenario. Even then, most of my students have
trouble because they’ve never seen concurrency locks until my course.
I’ve had to sometimes get two students to “act out” the deadlock scenario.
And it’s the simplest example. Recursive lock acquisition is another
thing they have trouble dealing with.

After 35 years of teaching software, I’ve learned a lot about how to keep
it simple.
joe

> Anton Bassov



True. But there are ways to prevent running code from dismountable
devices. AFAIK, Windows no longer supports FAT on disks. A mechanism
that pretends to simulate ACLs but is not a complete simulation is not
going to work. Doing this on CreateThread or CreateProcess seems to be
precisely the wrong place to do it. CreateFile, when the file is opened,
would make more sense. CreateThread doesn’t even make sense, because it
took me perhaps ten seconds to figure out how to bypass this check.
Coupling the test to the file name means I would spend two seconds
discovering a trivial way to bypass this.
joe

> I believe ACLs are not supported on all file systems, right?



Joe, I believe the OP explicitly indicated that they are dealing with well-behaved software. Not that it justifies the original SuspendThread approach. I’m just saying that your musings on how you would overcome this protection in 2 seconds, 10 seconds, or 60 seconds are not 100% relevant for the OP’s scenario.

Sent from Mailbox for iPhone


If software is well-behaved, there is no need to create something like
this. If it is not well-behaved, as the message about preventing malware
suggests, then SuspendThread is the wrong answer. I was basing my
comments on the followup message about preventing malware from executing
by suspending the thread, a situation which is far too late to matter,
anyway.
joe


>and one of the project involved using red potassium, a chemical so toxic that 0.2mg is the adult lethal dosage (not LD50, the dosage with 50% lethality, but LD100).

If you mean red potassium dichromate, it’s just one of the components used in photo film processing, and was routinely sold for that purpose.

>> and one of the projects involved using red potassium, a chemical so toxic
>> that 0.2mg is the adult lethal dosage (not LD50, the dosage with 50%
>> lethality, but LD100).
>
> If you mean red potassium dichromate, it’s just one of the components used in
> photo film processing, and was routinely sold for that purpose.

No, this was a pyrotechnic display, and I can’t recall if it was red or
white phosphorus, but the instructions emphasized the lethality.

And being a photochemical is not a mark of safety; the standard “sepia
toning” solution used potassium cyanide.

We had a murder here where the husband, who is the suspect, ordered
potassium cyanide, had it delivered to his office by FedEx, and signed for
it. He could have gone to any of the photo shops in the city, bought some
sepia toner solution, and achieved the effect he is accused of; his wife
died of cyanide poisoning, beyond any question. (If you’re going to
commit a capital crime which can have the death penalty attached, don’t
leave a paper trail…)
joe



>the standard “sepia toning” solution used potassium cyanide

No, that was potassium ferrocyanide, which is surprisingly non-toxic (according to Wikipedia). Another component was a sulfide, and the result was that silver was converted to the sepia-colored silver sulfide.

Correct. But as your software can only make sense in a controlled
environment, you could simply stipulate that NTFS must be used and use group
policy to disable execution from removable media (hint, search for autorun
group policy settings).

Then your software can be reduced to a monitoring agent that runs to ensure
that the ACLs are correctly applied to the files of interest (all .exe files
on c:\ for instance) and alerts / corrects the situation if it changes

wrote in message news:xxxxx@ntdev…

> I believe ACLs are not supported on all file systems, right?
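The ACL route Don Burn suggested earlier, together with the monitoring agent described just above, as an added example in PowerShell that is not from any poster in the thread: one function places a Deny ACE for a single user on an executable, a second sweeps a tree for the executables that should carry that ACE and reports drift, and a third re-applies the ACE where it is missing. NTFS is assumed, as the post stipulates; the account name `mary`, the root `C:\` and the image list are placeholders.

```powershell
# Added example, not from the thread. Assumes NTFS (Deny ACEs do not exist on FAT)
# and a resolvable account name; 'mary', 'C:\' and 'calc.exe' are placeholders.

function Deny-ExecuteForUser {
    param(
        [Parameter(Mandatory)] [string] $Path,   # executable to protect
        [Parameter(Mandatory)] [string] $User    # e.g. 'mary' or 'CONTOSO\mary'
    )
    $acl = Get-Acl -LiteralPath $Path
    # Deny ReadAndExecute rather than ExecuteFile alone: with read still allowed the
    # user could copy the file elsewhere and run the copy, which is Joe's point about
    # file-name based checks. NTFS evaluates Deny ACEs before Allow ACEs, so this wins
    # even when the user is in a group that is otherwise allowed to run the file.
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule `
        -ArgumentList $User, 'ReadAndExecute', 'Deny'
    $acl.AddAccessRule($rule)
    Set-Acl -LiteralPath $Path -AclObject $acl
}

function Test-ExeAclDrift {
    # Sweeps $Root for the named executables and reports which ones lack the expected
    # Deny ACE for $User. Returns one object per file; Compliant = $false is the alert
    # condition the monitoring agent would act on.
    param(
        [Parameter(Mandatory)] [string]   $Root,
        [Parameter(Mandatory)] [string]   $User,
        [string[]] $Executables = @('calc.exe')
    )
    # Compare by SID so 'mary', 'PC\mary' and 'CONTOSO\mary' all resolve the same way.
    $sid = (New-Object System.Security.Principal.NTAccount($User)).
        Translate([System.Security.Principal.SecurityIdentifier])
    $execBit = [int][System.Security.AccessControl.FileSystemRights]::ExecuteFile

    Get-ChildItem -LiteralPath $Root -Recurse -Filter *.exe -File -ErrorAction SilentlyContinue |
        Where-Object { $Executables -contains $_.Name } |
        ForEach-Object {
            $file = $_
            $acl  = Get-Acl -LiteralPath $file.FullName
            $deny = $acl.Access | Where-Object {
                $_.AccessControlType -eq 'Deny' -and
                (([int]($_.FileSystemRights) -band $execBit) -ne 0) -and
                $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) -eq $sid
            }
            [pscustomobject]@{
                Path      = $file.FullName
                Owner     = $acl.Owner      # an owner change is itself worth alerting on
                Compliant = [bool]$deny
            }
        }
}

function Repair-ExeAcl {
    # Re-applies the Deny ACE wherever the sweep found it missing and returns the
    # paths that were corrected, so the agent can log them.
    param(
        [Parameter(Mandatory)] [string] $Root,
        [Parameter(Mandatory)] [string] $User,
        [string[]] $Executables = @('calc.exe')
    )
    Test-ExeAclDrift -Root $Root -User $User -Executables $Executables |
        Where-Object { -not $_.Compliant } |
        ForEach-Object {
            Deny-ExecuteForUser -Path $_.Path -User $User
            $_.Path
        }
}

# Usage (placeholders): protect one file, then run the sweep the way an agent would.
# Deny-ExecuteForUser -Path "$env:WINDIR\System32\calc.exe" -User 'mary'
# Test-ExeAclDrift -Root 'C:\' -User 'mary' | Where-Object { -not $_.Compliant }
# Repair-ExeAcl -Root 'C:\' -User 'mary'
```

The sweep keys on the image name, so it inherits the limitation the thread discusses: a renamed or copied binary outside the watched paths is not covered, which is why the Deny ACE withholds read as well as execute and why the post pairs this with the group policy that disables execution from removable media. Run the sweep from an account that can read every ACL of interest; `Get-Acl` fails silently on paths it cannot open, and those are exactly the ones worth a second look.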

Hello Everybody,

let me make a few comments:

  1. I have to support everything since 2003/XP + embedded. W2K would be better if doable. NT4 is wished for too. Please don’t discuss with me whether this makes sense. That is what my product manager wants and my requirements sheet says. And this is what I will get rated and paid for. Resistance is futile - I tried.

  2. I have to support FAT and removables and network. So ACLs are not practical.

  3. For everything since Vista SP1 I have an optimal solution: PsSetCreateProcessNotifyRoutineEx(). CreateProcessAsUser() has the correct token here, and on top of it there is an official mechanism to cancel the process creation in the NotifyRoutineEx.

  4. If you use your debugger you see that it works like this in W2K3:

It’s not going to be very popular with other people on this list ;-), but you could consider Windows hooks or even AppInit_DLLs. That would allow you to execute code within the process context and terminate it if policy dictates.
