 #25034  by Brock
 Mon Jan 26, 2015 6:28 am
If you want to avoid hooking and achieve this from kernel mode then (assuming Vista+) you should use ObRegisterCallbacks() as already mentioned by a few people here. You'll not simply want to deny access to handles "created" by OpenProcess and OpenThread (NtOpenProcess/NtOpenThread) but also "duplicated" with DuplicateHandle (NtDuplicateObject), which I've yet to see mentioned in this thread; both are equally important! Downside to this is that if a handle with PROCESS_VM_WRITE access was acquired before callback installation this technique is meaningless. But then again, that would be the same case with how early a hook could be set too.

// Deny PROCESS_VM_WRITE access
// Assumes the process callback is installed (ObRegisterCallbacks with PsProcessType)

OB_PREOP_CALLBACK_STATUS ObjectPreCallback(PVOID RegistrationContext, POB_PRE_OPERATION_INFORMATION OperationInformation)
{
    UNREFERENCED_PARAMETER(RegistrationContext);

    // Handle "created" via NtOpenProcess/NtOpenThread
    if (OperationInformation->Operation == OB_OPERATION_HANDLE_CREATE)
    {
        // ...
        if ((OperationInformation->Parameters->CreateHandleInformation.OriginalDesiredAccess & PROCESS_VM_WRITE) == PROCESS_VM_WRITE)
        {
            // OriginalDesiredAccess is what the caller asked for; DesiredAccess is what gets granted
            OperationInformation->Parameters->CreateHandleInformation.DesiredAccess &= ~PROCESS_VM_WRITE;
        }
    }

    // Handle "duplicated" via NtDuplicateObject
    if (OperationInformation->Operation == OB_OPERATION_HANDLE_DUPLICATE)
    {
        // ...
        if ((OperationInformation->Parameters->DuplicateHandleInformation.OriginalDesiredAccess & PROCESS_VM_WRITE) == PROCESS_VM_WRITE)
        {
            OperationInformation->Parameters->DuplicateHandleInformation.DesiredAccess &= ~PROCESS_VM_WRITE;
        }
    }

    return OB_PREOP_SUCCESS;
}
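The access-mask stripping described in this post, written out as a host-compilable C model so the create and duplicate paths can be exercised without a kernel build (added example, not code from the original post or from the WDK). The OB_PRE_* structures are mirrored locally with only the members the filter touches, which is an assumption about their layout; the constant values (PROCESS_VM_WRITE, OB_OPERATION_HANDLE_*, PROCESS_ALL_ACCESS) are the Windows SDK/WDK values. The g_ProtectedProcess pointer and SimulateHandleOperation helper are hypothetical and stand in for the driver's notion of "which process to protect" and for the object manager invoking the callback.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Constant values as defined in the Windows SDK/WDK headers. */
typedef uint32_t ACCESS_MASK;
#define PROCESS_VM_OPERATION        0x0008u
#define PROCESS_VM_READ             0x0010u
#define PROCESS_VM_WRITE            0x0020u
#define PROCESS_QUERY_INFORMATION   0x0400u
#define PROCESS_ALL_ACCESS          0x1FFFFFu   /* Vista+ value */

#define OB_OPERATION_HANDLE_CREATE    0x00000001u
#define OB_OPERATION_HANDLE_DUPLICATE 0x00000002u
#define OB_PREOP_SUCCESS              0

/* Local mirror (assumption) of the WDK OB_PRE_* structures: only the members used here. */
typedef struct {
    ACCESS_MASK DesiredAccess;          /* mutable: what the kernel will actually grant */
    ACCESS_MASK OriginalDesiredAccess;  /* read-only: what the caller asked for */
} OB_PRE_CREATE_HANDLE_INFORMATION;

typedef struct {
    ACCESS_MASK DesiredAccess;
    ACCESS_MASK OriginalDesiredAccess;
    void *SourceProcess;
    void *TargetProcess;
} OB_PRE_DUPLICATE_HANDLE_INFORMATION;

typedef union {
    OB_PRE_CREATE_HANDLE_INFORMATION CreateHandleInformation;
    OB_PRE_DUPLICATE_HANDLE_INFORMATION DuplicateHandleInformation;
} OB_PRE_OPERATION_PARAMETERS;

typedef struct {
    uint32_t Operation;                 /* OB_OPERATION_HANDLE_CREATE or _DUPLICATE */
    void *Object;                       /* the process object the handle refers to */
    OB_PRE_OPERATION_PARAMETERS *Parameters;
} OB_PRE_OPERATION_INFORMATION;

/* Hypothetical: stand-ins for EPROCESS objects. A real driver would record the
 * protected process's object pointer at registration time. */
static char g_ProtectedObject, g_OtherObject;
static void *g_ProtectedProcess = &g_ProtectedObject;

/* Pre-operation callback: strip PROCESS_VM_WRITE from handles to the protected
 * process, whether the handle is being created or duplicated. */
int ObjectPreCallback(void *RegistrationContext, OB_PRE_OPERATION_INFORMATION *Info)
{
    ACCESS_MASK *desired;
    ACCESS_MASK original;
    (void)RegistrationContext;

    /* Only handles that refer to the protected process are touched. */
    if (Info->Object != g_ProtectedProcess)
        return OB_PREOP_SUCCESS;

    switch (Info->Operation) {
    case OB_OPERATION_HANDLE_CREATE:
        desired  = &Info->Parameters->CreateHandleInformation.DesiredAccess;
        original =  Info->Parameters->CreateHandleInformation.OriginalDesiredAccess;
        break;
    case OB_OPERATION_HANDLE_DUPLICATE:
        desired  = &Info->Parameters->DuplicateHandleInformation.DesiredAccess;
        original =  Info->Parameters->DuplicateHandleInformation.OriginalDesiredAccess;
        break;
    default:
        return OB_PREOP_SUCCESS;
    }

    /* Check the caller's request, modify what gets granted. */
    if ((original & PROCESS_VM_WRITE) == PROCESS_VM_WRITE)
        *desired &= ~PROCESS_VM_WRITE;

    return OB_PREOP_SUCCESS;
}

/* Hypothetical helper standing in for the object manager: build the pre-operation
 * record for one handle operation, run the callback, and return the granted mask. */
ACCESS_MASK SimulateHandleOperation(uint32_t operation, int targets_protected, ACCESS_MASK requested)
{
    OB_PRE_OPERATION_PARAMETERS params = {0};
    OB_PRE_OPERATION_INFORMATION info = {0};
    ACCESS_MASK *granted;

    info.Operation  = operation;
    info.Object     = targets_protected ? g_ProtectedProcess : (void *)&g_OtherObject;
    info.Parameters = &params;

    if (operation == OB_OPERATION_HANDLE_DUPLICATE) {
        params.DuplicateHandleInformation.DesiredAccess         = requested;
        params.DuplicateHandleInformation.OriginalDesiredAccess = requested;
        granted = &params.DuplicateHandleInformation.DesiredAccess;
    } else {
        params.CreateHandleInformation.DesiredAccess         = requested;
        params.CreateHandleInformation.OriginalDesiredAccess = requested;
        granted = &params.CreateHandleInformation.DesiredAccess;
    }

    ObjectPreCallback(NULL, &info);
    return *granted;
}

int main(void)
{
    printf("create  ALL_ACCESS -> 0x%06X\n", SimulateHandleOperation(OB_OPERATION_HANDLE_CREATE, 1, PROCESS_ALL_ACCESS));
    printf("dup     VM_WRITE   -> 0x%06X\n", SimulateHandleOperation(OB_OPERATION_HANDLE_DUPLICATE, 1, PROCESS_VM_WRITE | PROCESS_VM_OPERATION));
    printf("create  other proc -> 0x%06X\n", SimulateHandleOperation(OB_OPERATION_HANDLE_CREATE, 0, PROCESS_ALL_ACCESS));
    return 0;
}
```

The point the model makes visible is the one the post stresses: the same stripping must run for OB_OPERATION_HANDLE_DUPLICATE, otherwise a caller holding a weak handle can ask NtDuplicateObject for a stronger one. A request for PROCESS_ALL_ACCESS to the protected process comes back with every bit except PROCESS_VM_WRITE, while handles to other processes are passed through untouched.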