Intercepting process execution in a NT driver

Question

I have developed a driver for Windows XP which is able to monitor the execution of processes.

A callback function receives the notifications using standard WDK API (PsSetCreateProcessNotifyRoutine).

The driver then decides if the process should be authorized or not; if not, it must block its execution/kill it.

What is the cleanest way to intercept execution that way? I do not mind if it is not documented, but I would rather not resort to hooking, if possible.

score 1 · Answer 1 · answered Jun 21 '10 at 16:23

Ok, according to this document:

http://download.microsoft.com/download/4/4/b/44bb7147-f058-4002-9ab2-ed22870e3fe9/Kernal%20Data%20and%20Filtering%20Support%20for%20Windows%20Server%202008.doc

I need to install a minifilter for IRP_MJ_ACQUIRE_FOR_SECTION_SYNCHRONIZATION and check for PageProtection == PAGE_EXECUTE.

score 1 · Answer 2 · answered Jul 23 '10 at 06:14

1

PsSetCreateProcessNotifyRoutineEx (Vista+) will allow you to cause the process-creation operation to fail by changing the CreateInfo->CreationStatus member to an NTSTATUS error code.

answered Jul 23 '10 at 06:14

Karl Strings

1,017
9
22

Vista RTM does not support PsSetCreateProcessNotifyRoutineEx (upgrade to SP1) – unixman83 Sep 18 '11 at 16:57

Intercepting process execution in a NT driver

2 Answers2