[ntstatus]

Hi, I've protected a usermode process using ObRegisterCallbacks and I strip all the handles to prevent dll injection from usermode and it works fine if I load my driver after the process is started but if I load my driver first and then start the process it won't start because it's stripping the handles.

So my question is how would one filter out all other processes but the host process itself and only deny opening handles to other processes ?

[EP_X0FF]

Whitelist it by eprocess for example, when loading your driver call it and remember eprocess.

[ntstatus]

Here is my current code:

Code: Select all

OB_PREOP_CALLBACK_STATUS ObPreCallback ( _In_ PVOID RegistrationContext, _Inout_ POB_PRE_OPERATION_INFORMATION pOperationInformation )
{
	UNREFERENCED_PARAMETER ( RegistrationContext );

	LPSTR szProcName = GetProcessNameByProcessID ( PsGetProcessId ( pOperationInformation->Object ) );

	if ( strstr ( szProcName, "calc.exe" ) )
	{
		TdProtectedTargetProcess = ( PEPROCESS ) pOperationInformation->Object;;
		TdProtectedTargetProcessId = PsGetProcessId ( pOperationInformation->Object );
	}

	if ( !TdProtectedTargetProcess || !TdProtectedTargetProcessId )
	{
		return OB_PREOP_SUCCESS;
	}

	if ( pOperationInformation->KernelHandle )
		return OB_PREOP_SUCCESS;

	if ( pOperationInformation->ObjectType == *PsProcessType )
	{
		if ( TdProtectedTargetProcess != pOperationInformation->Object )
		{
			return OB_PREOP_SUCCESS;
		}

		if ( pOperationInformation->Object == PsGetCurrentProcess ( ) )
		{
			return OB_PREOP_SUCCESS;
		}
	}

	switch ( pOperationInformation->Operation )
	{
	case OB_OPERATION_HANDLE_CREATE:
		pOperationInformation->Parameters->CreateHandleInformation.DesiredAccess = ( SYNCHRONIZE );
		break;
	}

	return OB_PREOP_SUCCESS;
}

It successfully stops dll injection but the application won't start if I load my driver before starting calc.exe