Reputation: 41
I have developed a driver for Windows XP which is able to monitor the execution of processes.
A callback function receives the notifications using the standard WDK API (PsSetCreateProcessNotifyRoutine).
The driver then decides if the process should be authorized or not; if not, it must block its execution/kill it.
What is the cleanest way to intercept execution that way? I do not mind if it is not documented, but I would rather not resort to hooking, if possible.
Upvotes: 3
Views: 2160
Reputation: 1057
PsSetCreateProcessNotifyRoutineEx (Vista+) will allow you to cause the process-creation operation to fail by changing the CreateInfo->CreationStatus member to an NTSTATUS error code.
Upvotes: 1
Reputation: 41
OK, according to this document:
I need to install a minifilter for IRP_MJ_ACQUIRE_FOR_SECTION_SYNCHRONIZATION and check for PageProtection == PAGE_EXECUTE.
Upvotes: 1
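As an added example (not code from this thread), here is one C sketch that covers both blocking points discussed above: the PsSetCreateProcessNotifyRoutineEx callback from the answer and the minifilter pre-operation for IRP_MJ_ACQUIRE_FOR_SECTION_SYNCHRONIZATION that the questioner settled on. The allow/deny decision lives in plain functions that compile and test on any host; the kernel glue compiles only when BUILD_KERNEL_DRIVER is defined under the WDK. The allowlist entries, the BUILD_KERNEL_DRIVER macro and all function names are my own assumptions, and DriverEntry, filter registration and unload are left out.

```c
/* Added example, not from the original thread. Build with -DBUILD_KERNEL_DRIVER
 * under the WDK for the driver glue; otherwise only the host-testable policy
 * compiles. Allowlist entries and names are illustrative assumptions. */
#include <stddef.h>

#ifdef BUILD_KERNEL_DRIVER
#include <fltKernel.h>
#else
typedef long NTSTATUS;                          /* host build: real NT values */
#define STATUS_SUCCESS       ((NTSTATUS)0x00000000L)
#define STATUS_ACCESS_DENIED ((NTSTATUS)0xC0000022L)
#define PAGE_EXECUTE         0x10UL
#endif

/* Constructed allowlist: NT-style image paths must end with one of these. */
static const wchar_t *const k_allowed_suffixes[] = {
    L"\\Windows\\System32\\svchost.exe",
    L"\\Windows\\explorer.exe",
};

static wchar_t lower_ascii(wchar_t c) { return (c >= L'A' && c <= L'Z') ? (wchar_t)(c + 32) : c; }

size_t wlen(const wchar_t *s)                   /* no CRT dependency in kernel mode */
{
    size_t n = 0;
    while (s[n] != L'\0') n++;
    return n;
}

/* Case-insensitive "path ends with suffix"; lengths are in characters. */
static int ends_with_ci(const wchar_t *path, size_t path_len, const wchar_t *suffix)
{
    size_t suffix_len = wlen(suffix), i;
    if (suffix_len > path_len) return 0;
    for (i = 0; i < suffix_len; i++)
        if (lower_ascii(path[path_len - suffix_len + i]) != lower_ascii(suffix[i])) return 0;
    return 1;
}

/* The decision both hooks share. path_len is in characters: UNICODE_STRING.Length
 * is in bytes, so kernel callers divide by sizeof(WCHAR). */
NTSTATUS policy_check_image(const wchar_t *path, size_t path_len)
{
    size_t i;
    for (i = 0; i < sizeof k_allowed_suffixes / sizeof k_allowed_suffixes[0]; i++)
        if (ends_with_ci(path, path_len, k_allowed_suffixes[i])) return STATUS_SUCCESS;
    return STATUS_ACCESS_DENIED;
}

/* Only an image mapping is subject to the policy: a SEC_IMAGE section reaches the
 * file system as SyncTypeCreateSection with PAGE_EXECUTE. Everything else passes. */
int is_image_mapping(int is_create_section, unsigned long page_protection)
{
    return is_create_section && (page_protection & PAGE_EXECUTE) != 0;
}

#ifdef BUILD_KERNEL_DRIVER
/* Vista+: register with PsSetCreateProcessNotifyRoutineEx(cb, FALSE) in DriverEntry,
 * remove with TRUE on unload. The driver must be linked with /INTEGRITYCHECK or the
 * registration itself fails with STATUS_ACCESS_DENIED. CreateInfo is NULL on exit. */
static void CreateProcessNotifyEx(PEPROCESS Process, HANDLE ProcessId,
                                  PPS_CREATE_NOTIFY_INFO CreateInfo)
{
    UNREFERENCED_PARAMETER(Process);
    UNREFERENCED_PARAMETER(ProcessId);
    if (CreateInfo == NULL || CreateInfo->ImageFileName == NULL) return;
    CreateInfo->CreationStatus = policy_check_image(
        CreateInfo->ImageFileName->Buffer,
        CreateInfo->ImageFileName->Length / sizeof(WCHAR));
}

/* XP+: minifilter pre-operation for IRP_MJ_ACQUIRE_FOR_SECTION_SYNCHRONIZATION.
 * Completing with STATUS_ACCESS_DENIED fails the section, and so the image load. */
static FLT_PREOP_CALLBACK_STATUS PreAcquireForSectionSync(
    PFLT_CALLBACK_DATA Data, PCFLT_RELATED_OBJECTS FltObjects, PVOID *CompletionContext)
{
    const FLT_PARAMETERS *p = &Data->Iopb->Parameters;
    PFLT_FILE_NAME_INFORMATION name = NULL;
    NTSTATUS status;
    UNREFERENCED_PARAMETER(FltObjects);
    UNREFERENCED_PARAMETER(CompletionContext);

    if (!is_image_mapping(p->AcquireForSectionSynchronization.SyncType == SyncTypeCreateSection,
                          p->AcquireForSectionSynchronization.PageProtection))
        return FLT_PREOP_SUCCESS_NO_CALLBACK;

    status = FltGetFileNameInformation(Data, FLT_FILE_NAME_NORMALIZED | FLT_FILE_NAME_QUERY_DEFAULT, &name);
    if (!NT_SUCCESS(status)) return FLT_PREOP_SUCCESS_NO_CALLBACK;   /* fail open: log it in production */

    status = policy_check_image(name->Name.Buffer, name->Name.Length / sizeof(WCHAR));
    FltReleaseFileNameInformation(name);
    if (NT_SUCCESS(status)) return FLT_PREOP_SUCCESS_NO_CALLBACK;

    Data->IoStatus.Status = STATUS_ACCESS_DENIED;
    Data->IoStatus.Information = 0;
    return FLT_PREOP_COMPLETE;
}
#endif
```

Two design points worth noting. The minifilter path gates on SyncType and the execute bit before it pays for FltGetFileNameInformation, so ordinary reads of the same file are not slowed down; and both hooks receive NT device paths (for example \Device\HarddiskVolume1\Windows\explorer.exe rather than C:\...), which is why the policy matches on a path suffix instead of a drive letter. A bare file name such as explorer.exe dropped elsewhere does not match, because the suffix includes the directory.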