A forum for reverse engineering, OS internals and malware analysis 

 #13377  by utsav.0202
 Wed May 23, 2012 7:32 am
Hi

I am developing an application control module i.e. restricting some applications from executing.
For this I registered a callback routine using PsSetCreateProcessNotifyRoutine.
In the callback routine I get the process ID, using which I decide whether to allow the process or not.
If I don't have to allow the process, I set the value of CreateInfo->CreationStatus of the PS_CREATE_NOTIFY_INFO structure to STATUS_ACCESS_DENIED.
Everything works fine, but the problem is that when I prevent the process from being created, the user gets a dialog box saying
"Windows cannot access the specified device, path or file. You may not have appropriate permissions to access the item"
I don't want this dialog box to be displayed.

Thanks and Regards
Utsav
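The callback-based block described in this post, as an added example that is not the poster's code or any vendor's driver. The kernel types below are simplified stand-ins for the ntddk.h ones so the file compiles and runs in user mode (assumption: the real PS_CREATE_NOTIFY_INFO carries a PCUNICODE_STRING ImageFileName and an NTSTATUS CreationStatus, and the real registration is PsSetCreateProcessNotifyRoutineEx); the block list and the sample NT paths are constructed. It also shows why the dialog cannot be suppressed from here: whatever NTSTATUS the callback stores in CreationStatus is what the process-creation call returns to user mode, and the shell turns that error into the dialog quoted above.

```c
/* Added example: the policy side of an application-control process callback.
 * Kernel types are simplified stand-ins so this compiles in user mode; in a
 * real driver include <ntddk.h> and register with PsSetCreateProcessNotifyRoutineEx. */
#include <stddef.h>
#include <stdio.h>
#include <wchar.h>
#include <wctype.h>

typedef long NTSTATUS;
#define STATUS_SUCCESS       ((NTSTATUS)0x00000000L)
#define STATUS_ACCESS_DENIED ((NTSTATUS)0xC0000022L)

/* Stand-ins (assumption: real fields are PCUNICODE_STRING ImageFileName and
 * NTSTATUS CreationStatus; here ImageFileName is a NUL-terminated wide string). */
typedef void *PEPROCESS;
typedef void *HANDLE;
typedef struct _PS_CREATE_NOTIFY_INFO {
    const wchar_t *ImageFileName;   /* NT path, e.g. \Device\HarddiskVolume2\...\x.exe */
    NTSTATUS CreationStatus;        /* kernel initialises this to STATUS_SUCCESS */
} PS_CREATE_NOTIFY_INFO, *PPS_CREATE_NOTIFY_INFO;

/* Constructed block list of image base names (policy data for this example only). */
static const wchar_t *const g_blocked_images[] = {
    L"blocked-tool.exe",
    L"unapproved-updater.exe",
};

/* Case-insensitive equality of two NUL-terminated wide strings. */
static int wcs_equal_nocase(const wchar_t *a, const wchar_t *b)
{
    for (; *a && *b; ++a, ++b)
        if (towlower((wint_t)*a) != towlower((wint_t)*b))
            return 0;
    return *a == L'\0' && *b == L'\0';
}

/* Returns 1 if the final path component of image_path is on the block list. */
int image_is_blocked(const wchar_t *image_path)
{
    size_t i;
    const wchar_t *base = wcsrchr(image_path, L'\\');
    base = base ? base + 1 : image_path;
    for (i = 0; i < sizeof g_blocked_images / sizeof g_blocked_images[0]; ++i)
        if (wcs_equal_nocase(base, g_blocked_images[i]))
            return 1;
    return 0;
}

/* Callback with the shape of PCREATE_PROCESS_NOTIFY_ROUTINE_EX. */
void CreateProcessNotifyEx(PEPROCESS Process, HANDLE ProcessId, PPS_CREATE_NOTIFY_INFO CreateInfo)
{
    (void)Process; (void)ProcessId;
    /* CreateInfo is NULL for process-exit notifications: nothing to decide. */
    if (CreateInfo == NULL)
        return;
    /* ImageFileName can be absent; fail open here rather than dereference NULL. */
    if (CreateInfo->ImageFileName != NULL && image_is_blocked(CreateInfo->ImageFileName))
        CreateInfo->CreationStatus = STATUS_ACCESS_DENIED;   /* surfaces as ERROR_ACCESS_DENIED */
}

/* Runs the callback over a constructed notification and returns its decision. */
NTSTATUS decide_for_image(const wchar_t *image_path)
{
    PS_CREATE_NOTIFY_INFO info;
    info.ImageFileName = image_path;
    info.CreationStatus = STATUS_SUCCESS;
    CreateProcessNotifyEx(NULL, NULL, &info);
    return info.CreationStatus;
}

int main(void)
{
    const wchar_t *samples[] = {
        L"\\Device\\HarddiskVolume2\\Windows\\System32\\notepad.exe",
        L"\\Device\\HarddiskVolume2\\Tools\\BLOCKED-TOOL.EXE",
    };
    size_t i;
    for (i = 0; i < sizeof samples / sizeof samples[0]; ++i)
        wprintf(L"%ls -> 0x%08lX\n", samples[i], (unsigned long)decide_for_image(samples[i]));
    return 0;
}
```

The base-name comparison is deliberately case-insensitive because NTFS paths are; a real policy should also check the path prefix (or better, a hash or signer of the image via CreateInfo->FileObject) rather than the name alone, since a blocked name is trivially renamed.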
 #13381  by EP_X0FF
 Wed May 23, 2012 11:21 am
How about returning any other error status code?
 #13382  by utsav.0202
 Wed May 23, 2012 12:36 pm
I tried STATUS_UNSUCCESSFUL;
it returned "A device attached to the system is not functioning".

Then I tried STATUS_THREAD_IS_TERMINATING;
even then a dialog box popped up.

Please help
 #13383  by EP_X0FF
 Wed May 23, 2012 1:06 pm
I'm afraid that since this is a system mechanism, there is no documented way with this API. If you really care about these error messages then probably you should try other methods, for example sending an APC with shellcode. I don't have any sample at hand.
 #13386  by xqrzd
 Wed May 23, 2012 4:13 pm
I think Malwarebytes does this with a minifilter on IRP_MJ_ACQUIRE_FOR_SECTION_SYNCHRONIZATION, and then replacing the file object with a dummy.
 #13497  by Brock
 Tue May 29, 2012 6:44 am
CreationStatus
The NTSTATUS value to return for the process-creation operation. Drivers can change this value to an error code to prevent the process from being created.
Errors like this are reported within the Windows OS environment. As suggested by EP_X0FF, try queuing an APC to the process to have it terminate itself in some fashion. By the way, doing this in PsCreateProcessNotificationRoutine will not help you; look into loadimage or createthread callbacks. Preferably LoadImage callbacks, since the pointers you will need in user space are available to you dynamically / at run-time before the process entry point is run. Actually, what you're asking for is very simple, but you're not using the best/most stable callback to terminate a process cleanly from. If you choose to use a loadimage callback, images such as ntdll and kernel32 are loaded and you are notified, making your job very simple.