Ray
Tue Mar 22 12:04:21 CST 2005
Well, leaving aside for the moment that the documentation for
PsSetLoadImageNotifyRoutine says that it calls the callback *before* the
image executes, I would *still* tend to think that writing a file system
filter driver would be preferable to hooking ZwOpenFile. That's how
virus scanners are supposed to do this.
Also, I'm curious how you're going to validate that the exe/dll should
be allowed to run. By filename? Uhh... those can be changed quite
easily. If you're planning on checksumming the file, don't you have to
open it yourself, leading to an infinite loop :-)?
Nadav wrote:
> Thanks for your response, usage of
> 'PsSetCreateProcessNotifyRoutine/PsSetLoadImageNotifyRoutine' is possible BUT
> using it will not enable termination of the process creation flow, hence,
> execution of the process may not be prevented, rather, TerminateProcess may
> be called just after the process was created and this mechanism cannot
> guarantee that the process will not run at all...
> Causing the ZwOpenFile to return failure will...
> P.S.
> What is the best way of notifying the application layer of certain
> asynchronous events such as process creation [???]
>
> Nadav.
>
> "Gabriel Bogdan" wrote:
>
>
>>Look at :
>>PsSetCreateProcessNotifyRoutine/PsSetLoadImageNotifyRoutine
>>
>>"Nadav" <Nadav@discussions.microsoft.com> wrote in message
>>news:8F43DB01-C08C-46D9-BA84-1676D84DC368@microsoft.com...
>>
>>>Hi,
>>>
>>>Introduction:
>>>***********
>>>I am writing a kernel level process execution watchdog; this watchdog
>>>intercepts process creation and DLL loading and verifies that the PE is
>>>allowed to run.
>>>The verification process should be done at the application layer, hence,
>>>the hook driver will intercept the call in the kernel and will ask the
>>>application layer if the PE is allowed to run.
>>>
>>>Some questions concerning the flow just described
>>>******************************************
>>>Preventing a PE from being loaded involves hooking the kernel service
>>>table and injecting a ZwOpenFile detour that will verify with the
>>>application layer if a certain PE is allowed to run; the context that
>>>originally called ZwOpenFile should block until a response is returned...
>>>[*] Concerning the ZwOpenFile calling thread, is it a kernel thread or an
>>>application thread? Is the thread related to the kernel thread pool? In
>>>that case, shouldn't blocking a thread related to the kernel thread pool
>>>cause thread depletion?
>>>What would be the best way to implement such a mechanism? I would rather
>>>make the kernel layer as thin as possible... ( is this the correct
>>>approach? )
>>>[*] Is there an API better than ZwOpenFile to intercept for receiving DLL,
>>>EXE execution/loading ?
>>>--
>>>Nadav
>>>
>>>http://www.sophin.com
>>
>>
>>
--
../ray\..
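As an added illustration of two points in Ray's reply (this is not code from the thread, and none of the posters wrote it): a user-mode simulation of an open hook whose allow list is keyed on the image's contents rather than its file name, together with the re-entrancy problem Ray points at when the verifier has to open the very file the hook is judging. The in-memory "file system", the two image byte strings, the FNV-1a stand-in for a real checksum, and all function names are constructed for the demo; in a real driver the "in verifier" flag would have to be per-thread state rather than a global.

```c
/* Added example, not from the thread: a user-mode simulation of two points in
 * Ray's reply. (1) Key the allow list on the image's contents, not its file name,
 * so renaming an image cannot change the verdict. (2) The verifier has to read
 * the image it is judging, and that read goes through the same open hook that
 * invoked the verifier; without a re-entrancy guard the hook recurses on itself.
 * The "file system", the images and every name below are constructed for the demo. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_DEPTH 16   /* stands in for "stack exhausted" in the unguarded case */

struct fake_file { const char *name; const unsigned char *data; size_t len; };

static const unsigned char good_img[] = "MZ constructed good image";
static const unsigned char evil_img[] = "MZ constructed evil image";

/* Constructed stand-in for the file system; the third entry is evil_img
 * renamed to look like the trusted binary. */
static const struct fake_file g_files[] = {
    { "C:\\Program Files\\app\\good.exe", good_img, sizeof good_img - 1 },
    { "C:\\Temp\\evil.exe",               evil_img, sizeof evil_img - 1 },
    { "C:\\Temp\\good.exe",               evil_img, sizeof evil_img - 1 },
};

/* The unhooked open: what the original ZwOpenFile would do. */
static const struct fake_file *raw_open(const char *path)
{
    for (size_t i = 0; i < sizeof g_files / sizeof g_files[0]; i++)
        if (strcmp(g_files[i].name, path) == 0)
            return &g_files[i];
    return NULL;
}

/* FNV-1a 64-bit: a short stand-in for a real checksum such as SHA-256. */
static uint64_t fnv1a64(const unsigned char *p, size_t n)
{
    uint64_t h = 1469598103934665603ULL;
    for (size_t i = 0; i < n; i++) { h ^= p[i]; h *= 1099511628211ULL; }
    return h;
}

static uint64_t g_allowed_hash;   /* one-entry allow list, filled in by check() */
static int g_in_verifier;         /* per-thread state in a real driver */
static int g_depth, g_max_depth;  /* recursion bookkeeping for the demo */

static int hooked_open(const char *path, int use_guard, const struct fake_file **out);

/* Policy: hash the image and compare with the allow list.
 * Returns 1 allow, 0 deny, -1 if the verifier's own read recursed to death. */
static int verify_image(const char *path, int use_guard)
{
    const struct fake_file *f;
    int rc = hooked_open(path, use_guard, &f);   /* this read re-enters the hook */
    if (rc < 0) return -1;
    if (rc == 0 || f == NULL) return 0;
    return fnv1a64(f->data, f->len) == g_allowed_hash;
}

/* The detour installed over open. Returns 1 allow, 0 deny (the caller sees an
 * open failure, which is what stops the image loading), -1 on runaway recursion. */
static int hooked_open(const char *path, int use_guard, const struct fake_file **out)
{
    int rc;
    *out = NULL;
    if (++g_depth > g_max_depth) g_max_depth = g_depth;
    if (g_depth > MAX_DEPTH) { g_depth--; return -1; }

    if (use_guard && g_in_verifier) {
        /* Re-entered by our own verifier: pass straight through, no policy. */
        *out = raw_open(path);
        rc = *out ? 1 : 0;
    } else {
        g_in_verifier = 1;
        rc = verify_image(path, use_guard);
        g_in_verifier = 0;
        if (rc == 1) *out = raw_open(path);
    }
    g_depth--;
    return rc;
}

/* Run one open through the hook; last_depth() reports how deep it recursed. */
int check(const char *path, int use_guard)
{
    const struct fake_file *f;
    g_allowed_hash = fnv1a64(good_img, sizeof good_img - 1);
    g_in_verifier = 0; g_depth = 0; g_max_depth = 0;
    return hooked_open(path, use_guard, &f);
}
int last_depth(void) { return g_max_depth; }

int main(void)
{
    const char *paths[] = { "C:\\Program Files\\app\\good.exe",
                            "C:\\Temp\\evil.exe", "C:\\Temp\\good.exe" };
    for (int guard = 1; guard >= 0; guard--)
        for (size_t i = 0; i < 3; i++) {
            int rc = check(paths[i], guard);
            printf("%-9s %-32s -> %s (depth %d)\n", guard ? "guarded" : "unguarded",
                   paths[i], rc == 1 ? "allow" : rc == 0 ? "deny" : "RE-ENTRANCY BLOWUP",
                   last_depth());
        }
    return 0;
}
```

With the guard, the trusted image is allowed and both the evil image and the evil image renamed to good.exe are denied, and the hook is entered exactly twice (once for the real open, once for the verifier's read). Without the guard, even the trusted image never gets a verdict: the verifier's read re-enters the hook, which starts another verification, and so on until the depth limit; in a real ZwOpenFile detour that is a kernel stack overflow or a deadlock on whatever the verifier waits on, which is the infinite loop Ray's reply refers to. The guard here is a single global because the demo is single-threaded; a driver would key it on the current thread, since several threads open images concurrently.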