Hi,
I've got a driver that tampers with user-space processes by sending APCs upon process start, using PsSetCreateProcessNotifyRoutine.
I wish to avoid tampering with any process that is critical for OS stability, since my APC also eventually decides to kill the process.
So far I've used PsIsProtectedProcess and PsIsProtectedProcessLight in order to detect protected processes.
However, it appears that there are some processes such as smss.exe, csrss.exe and wininit.exe that are defined as critical processes, and I also wish to avoid them.
Perhaps anybody knows the difference between a protected and a critical process, and how I can detect a critical process programmatically from kernel mode (maybe there is an ad-hoc field in EPROCESS?).
thanks,
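As an added illustration (not code from the original post or its author), here is the skip decision such a create-process callback would have to make before queuing its APC, modelled as portable C so it can be exercised outside the kernel. The two boolean inputs stand in for what PsIsProtectedProcess and PsIsProtectedProcessLight return for the new EPROCESS; the critical-image name list is an assumption built from the names in the post plus other well-known system processes, and the NT device paths in the test are constructed.

```c
/* Added example, not from the original post. Models the "should I leave this
 * process alone?" check a PsSetCreateProcessNotifyRoutineEx callback could run
 * before queuing an APC. Kernel-only calls are represented by boolean inputs. */
#include <stdbool.h>
#include <stddef.h>
#include <string.h>
#include <ctype.h>

/* Assumption: a hand-maintained list of well-known critical system images.
 * This is a heuristic, not a documented Windows list. */
static const char *const kCriticalImages[] = {
    "smss.exe", "csrss.exe", "wininit.exe",
    "services.exe", "lsass.exe", "winlogon.exe"
};

/* Return the file-name component of an NT device path such as
 * \Device\HarddiskVolume2\Windows\System32\smss.exe, or the whole
 * string when it contains no backslash. */
const char *image_basename(const char *nt_path) {
    const char *last = strrchr(nt_path, '\\');
    return last ? last + 1 : nt_path;
}

/* Case-insensitive ASCII compare: image names are case-insensitive on NTFS. */
static bool ieq(const char *a, const char *b) {
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return false;
    return *a == *b;
}

/* True if the image name matches one of the critical images above. */
bool is_known_critical_image(const char *nt_path) {
    const char *name = image_basename(nt_path);
    for (size_t i = 0; i < sizeof kCriticalImages / sizeof *kCriticalImages; i++)
        if (ieq(name, kCriticalImages[i]))
            return true;
    return false;
}

/* The callback's decision: skip the process if it is protected (PP),
 * protected-light (PPL), or one of the known critical images. */
bool should_skip_process(const char *nt_path, bool is_protected,
                         bool is_protected_light) {
    return is_protected || is_protected_light || is_known_critical_image(nt_path);
}
```

The name list is only a stopgap: it does not detect a process that has marked itself critical at runtime (the per-process BreakOnTermination flag that user mode sets through the ProcessBreakOnTermination information class), so a driver that must be safe against killing such a process still needs to query that flag rather than rely on image names.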