Record & prevent process creation in kernel mode
Use PsSetCreateProcessNotifyRoutineEx to register the routine. The older PsSetCreateProcessNotifyRoutine has limited functionality: its callback only receives the parent and child process IDs and a create/exit flag, so it can observe process creation but cannot block it.

PsSetCreateProcessNotifyRoutineEx requires the image that contains the callback pointer to have IMAGE_DLLCHARACTERISTICS_FORCE_INTEGRITY set in its image header. Otherwise, the call returns STATUS_ACCESS_DENIED. (https://docs.microsoft.com/en-us/windows-hardware/drivers/ddi/ntddk/nf-ntddk-pssetcreateprocessnotifyroutineex#return-value) To set the flag, add /integritycheck to the linker options. (https://social.technet.microsoft.com/wiki/contents/articles/255.forced-integrity-signing-of-portable-executable-pe-files.aspx) The image then has to carry a valid signature; with test signing enabled, a test certificate is enough.

To print a PCUNICODE_STRING with DbgPrint, use the %wZ format specifier and pass the pointer to the UNICODE_STRING itself, not its Buffer member.

StartService may give error code 1275 (ERROR_DRIVER_BLOCKED), "This driver has been blocked from loading". When you meet this error, check the architecture first (for example a 32-bit driver on an x64 system), and only then consider whether the system is really blocking it from loading.

Set DriverObject->DriverUnload in DriverEntry, or the driver won't be unloaded correctly. Some drivers I previously wrote didn't do this, so those drivers couldn't unload correctly. If the driver is not unloaded correctly, you won't be able to load it a second time, and CreateService will give error code 1073 (ERROR_SERVICE_EXISTS), "The specified service already exists".

If DriverEntry doesn't return STATUS_SUCCESS, the user-mode process that called StartService receives an error even though the code in DriverEntry has already executed, and the driver image is unloaded again.

To prevent process creation, use the CreateInfo parameter of the PcreateProcessNotifyRoutineEx routine. (https://webcache.googleusercontent.com/search?q=cache:4vxTVzmlrd4J:https://bitnuts.de/articles/blocking_process_creation_using_a_windows_kernel_driver.html+&cd=11&hl=en&ct=clnk&gl=ca) e.g. CreateInfo->CreationStatus = STATUS_ACCESS_DENIED; Note that CreateInfo is NULL when the routine is called for process exit, so check it before dereferencing.

Setting CreationStatus to STATUS_ACCESS_DENIED causes an error popup when you try to create a new process. To avoid the popup, set CreateInfo->CreationStatus to STATUS_ACCESS_DISABLED_NO_SAFER_UI_BY_POLICY instead. (https://blog.csdn.net/a907763895/article/details/52863952)

Finally I figured out how to use WinDbg... (I am too stupid XD)

On the target: bcdedit /dbgsettings net hostip:w.x.y.z port:n, where w.x.y.z is the machine running WinDbg. The command prints the key that WinDbg needs, and debugging must also be switched on with bcdedit /debug on. (https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/setting-up-a-network-debugging-connection#setting-up-the-target-computer)

DbgPrint prints nothing: enter ed nt!KD_DEFAULT_MASK 8 in WinDbg to enable verbose output (DbgPrint messages are filtered out by this mask by default). (https://reverseengineering.stackexchange.com/questions/16685/how-can-i-receive-dbgprint-messages-in-windbg-on-windows-10)

x /D xx!yy shows the symbols matching yy in module xx (wildcards such as xx!Ps* work).

.sympath+ folder adds a symbol folder, then .reload reloads the symbols.

!process 0 0 lists all processes. !process PID verbose_level shows one process; the PID is read as hex unless written as 0nPID, and verbose_level is a flags bitmask (0 gives a summary, higher values such as 7 or 0x1f add threads and stacks).
Now I have finally figured out how to prevent process creation on Windows 10 x64. Next I am going to figure out how to prevent file creation / deletion using a kernel-mode driver. I will need to learn more about file system minifilters. After doing that, I may make a simple driver that communicates with my user-mode process to show warnings when it detects process creation and file creation.