Performing the interception process in the NT driver

I developed a driver for Windows XP that is able to control the execution of processes.

The callback function receives notifications using the standard WDK API (PsSetCreateProcessNotifyRoutine).

The driver then decides whether the process should be allowed or not; if not, it must block its execution / kill it.

What is the cleanest way to intercept execution this way? I do not mind if this is not documented, but I would prefer not to resort to hooking, if possible.

+3
2 answers

Ok, according to this document:

http://download.microsoft.com/download/4/4/b/44bb7147-f058-4002-9ab2-ed22870e3fe9/Kernal%20Data%20and%20Filtering%20Support%20for%20Windows%20Server%202008.doc

A minifilter on IRP_MJ_ACQUIRE_FOR_SECTION_SYNCHRONIZATION with PageProtection == PAGE_EXECUTE.

+1

PsSetCreateProcessNotifyRoutineEx (Vista+), CreateInfo->CreationStatus (NTSTATUS).

+1
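Added example, not code from either answer and not a Microsoft sample, putting the two answers side by side: the Vista+ PsSetCreateProcessNotifyRoutineEx callback that fails creation by writing an error into CreateInfo->CreationStatus, and the minifilter pre-operation callback on IRP_MJ_ACQUIRE_FOR_SECTION_SYNCHRONIZATION that denies section acquisition when PageProtection == PAGE_EXECUTE, which does not depend on the Vista-only routine. Both callbacks share one allow-list policy function. The allow-list prefixes, the BUILD_WITH_WDK guard macro and all function names are assumptions made for this example; the kernel parts compile only with the WDK, while the policy helper is plain C and can be exercised in user mode.

```c
#include <stddef.h>

/* Constructed sample allow-list: images may run only from these NT device-path
 * prefixes. Real policy would come from configuration, not a compiled-in table. */
static const wchar_t *const kAllowedPrefixes[] = {
    L"\\Device\\HarddiskVolume1\\Windows\\",
    L"\\Device\\HarddiskVolume1\\Program Files\\",
};

/* ASCII-only case folding; avoids C runtime wctype functions in kernel builds. */
static wchar_t fold(wchar_t c)
{
    return (c >= L'A' && c <= L'Z') ? (wchar_t)(c + (L'a' - L'A')) : c;
}

/* Decision shared by both callbacks. `image_path` is a counted string
 * (length in wchar_t units, no terminator required, as in a UNICODE_STRING).
 * Returns 1 if it starts with an allowed prefix, 0 otherwise (deny by default). */
int policy_allows_image(const wchar_t *image_path, size_t image_len)
{
    if (image_path == NULL) return 0;
    for (size_t i = 0; i < sizeof kAllowedPrefixes / sizeof kAllowedPrefixes[0]; i++) {
        const wchar_t *prefix = kAllowedPrefixes[i];
        size_t j = 0;
        while (prefix[j] != L'\0' && j < image_len && fold(image_path[j]) == fold(prefix[j])) j++;
        if (prefix[j] == L'\0') return 1;   /* whole prefix matched */
    }
    return 0;
}

/* Convenience wrapper for NUL-terminated paths (used by the user-mode test). */
int policy_allows_image_z(const wchar_t *image_path)
{
    size_t n = 0;
    if (image_path == NULL) return 0;
    while (image_path[n] != L'\0') n++;
    return policy_allows_image(image_path, n);
}

#ifdef BUILD_WITH_WDK   /* hypothetical define: set when building with the WDK */
#include <ntddk.h>
#include <fltKernel.h>

/* Answer 2 (Vista+): a failure code in CreationStatus makes the kernel abort
 * the creation; the caller's CreateProcess fails with that status. Register in
 * DriverEntry with PsSetCreateProcessNotifyRoutineEx(CreateProcessNotifyEx, FALSE);
 * the driver must be linked with /INTEGRITYCHECK for that call to succeed. */
VOID CreateProcessNotifyEx(PEPROCESS Process, HANDLE ProcessId,
                           PPS_CREATE_NOTIFY_INFO CreateInfo)
{
    UNREFERENCED_PARAMETER(Process);
    UNREFERENCED_PARAMETER(ProcessId);
    if (CreateInfo == NULL) return;                 /* NULL means process exit */
    if (CreateInfo->ImageFileName == NULL ||
        !policy_allows_image(CreateInfo->ImageFileName->Buffer,
                             CreateInfo->ImageFileName->Length / sizeof(WCHAR))) {
        CreateInfo->CreationStatus = STATUS_ACCESS_DENIED;
    }
}

/* Answer 1: minifilter pre-op for IRP_MJ_ACQUIRE_FOR_SECTION_SYNCHRONIZATION.
 * Image sections are acquired with PageProtection == PAGE_EXECUTE; completing
 * the request with an error denies the executable mapping. Registered through
 * an FLT_OPERATION_REGISTRATION entry for that major function. */
FLT_PREOP_CALLBACK_STATUS FLTAPI PreAcquireForSectionSync(
    PFLT_CALLBACK_DATA Data, PCFLT_RELATED_OBJECTS FltObjects, PVOID *CompletionContext)
{
    PFLT_FILE_NAME_INFORMATION name = NULL;
    int allowed = 0;   /* deny by default if the name cannot be resolved */
    UNREFERENCED_PARAMETER(FltObjects);
    UNREFERENCED_PARAMETER(CompletionContext);

    if (Data->Iopb->Parameters.AcquireForSectionSynchronization.PageProtection != PAGE_EXECUTE)
        return FLT_PREOP_SUCCESS_NO_CALLBACK;   /* data mapping, not an image */

    if (NT_SUCCESS(FltGetFileNameInformation(Data,
            FLT_FILE_NAME_NORMALIZED | FLT_FILE_NAME_QUERY_DEFAULT, &name))) {
        allowed = policy_allows_image(name->Name.Buffer, name->Name.Length / sizeof(WCHAR));
        FltReleaseFileNameInformation(name);
    }
    if (!allowed) {
        Data->IoStatus.Status = STATUS_ACCESS_DENIED;
        Data->IoStatus.Information = 0;
        return FLT_PREOP_COMPLETE;
    }
    return FLT_PREOP_SUCCESS_NO_CALLBACK;
}
#endif
```

The policy deliberately denies when no image name is available: an allow-list that fails open on a missing name is the classic gap in this kind of control. Both paths are NT device paths (\Device\HarddiskVolumeN\...), which is the form both PS_CREATE_NOTIFY_INFO.ImageFileName and a normalized minifilter name use, so one prefix table serves both callbacks.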

Source: https://habr.com/ru/post/1750987/

