I need intercept loadding PE files,such as EXE,DLL,SYS.
after readed a few docs,finally found two solutions:
First solution:
1. for EXEs, use PsSetCreateProcessNotifyRoutine , check EXE in my callbak function. if need block , call ZwTerminateProcess. (the problesm is I'm really not sure wether it is stable to call ZwTerminateProcess in callback routine)
2. for DLLs and SYSs,use PsSetLoadImageNotifyRoutine , if need block , copy <xor eax,eax; ret 0xC> to DllMain or <mov eax,status_access_denied , ret > to DriverEntry. I use MDL to make DLLMAIN writeable , but I found once I patched the DLLMain , the Patch always work , even unload my driver ,unless reboot the system. I tried to use NtProtectVirtualMemory to make DLLMAIN writeable, but sometimes it will cause system hungs or BSOD. I found reason on MSDN : in ImageLoad callback, can't perform operatings on usermode memory.
Second solution:
use minifilter , check file in IRP_MJ_ACQUIRE_FOR_SECTION_SYNCHRONIZATION. I think it's the best solution,because of Good compatibility and stable.
But I also got a problem :
Some common file operations also fire this irp, such as GetFileVersionInfo ,and extracticon , and all these operations open file with PAGE_EXECUTE flag .
I had think about using RtlWalkFrameChain to check whether the call comes from NTDLL!LdrLoadDll.
But I want to known is there any better ideals to determine whether it's An Actually PE Execute Operations?
Do you have any better solutions or suggestions ? :cry:
after readed a few docs,finally found two solutions:
First solution:
1. for EXEs, use PsSetCreateProcessNotifyRoutine , check EXE in my callbak function. if need block , call ZwTerminateProcess. (the problesm is I'm really not sure wether it is stable to call ZwTerminateProcess in callback routine)
2. for DLLs and SYSs,use PsSetLoadImageNotifyRoutine , if need block , copy <xor eax,eax; ret 0xC> to DllMain or <mov eax,status_access_denied , ret > to DriverEntry. I use MDL to make DLLMAIN writeable , but I found once I patched the DLLMain , the Patch always work , even unload my driver ,unless reboot the system. I tried to use NtProtectVirtualMemory to make DLLMAIN writeable, but sometimes it will cause system hungs or BSOD. I found reason on MSDN : in ImageLoad callback, can't perform operatings on usermode memory.
Second solution:
use minifilter , check file in IRP_MJ_ACQUIRE_FOR_SECTION_SYNCHRONIZATION. I think it's the best solution,because of Good compatibility and stable.
But I also got a problem :
Some common file operations also fire this irp, such as GetFileVersionInfo ,and extracticon , and all these operations open file with PAGE_EXECUTE flag .
I had think about using RtlWalkFrameChain to check whether the call comes from NTDLL!LdrLoadDll.
But I want to known is there any better ideals to determine whether it's An Actually PE Execute Operations?
Do you have any better solutions or suggestions ? :cry:
