I have developed a driver for Windows XP which is able to monitor the execution of processes. A callback function receives the notifications using standard WDK API (PsSetCreateProcessNotifyRoutine).

The driver then decides if the process should be authorized or not; if not, it must block its execution/kill it.

What's the cleanest way to intercept execution that way? I don't mind if it's not documented, but I'd rather not resort to hooking, if possible.

A: 

Ok, according to this document:

http://download.microsoft.com/download/4/4/b/44bb7147-f058-4002-9ab2-ed22870e3fe9/Kernal%20Data%20and%20Filtering%20Support%20for%20Windows%20Server%202008.doc

I need to install a minifilter for IRP_MJ_ACQUIRE_FOR_SECTION_SYNCHRONIZATION and check for PageProtection == PAGE_EXECUTE.

Denis
A: 

PsSetCreateProcessNotifyRoutineEx (Vista+) will allow you to cause the process-creation operation to fail by changing the CreateInfo->CreationStatus member to an NTSTATUS error code.

Karl Strings
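Both answers come down to the same decision (is this image allowed to execute?) taken from two different kernel callbacks, so here is one added example serving both. It is not code from the question or either answer. The allow-list policy (System32 and Program Files only), the function names, and the BUILD_AS_MINIFILTER guard are assumptions made for illustration; the policy is written in plain C so it compiles and can be exercised in user mode, and the two WDK callbacks are compiled only inside the guarded section in a real driver project. The minifilter path is the one available on Windows XP; PsSetCreateProcessNotifyRoutineEx is Vista and later and requires the driver to be linked with /INTEGRITYCHECK.

```c
/* Added example (not from the original post). Constructed allow-list policy shared
 * by a minifilter IRP_MJ_ACQUIRE_FOR_SECTION_SYNCHRONIZATION pre-op callback and a
 * PsSetCreateProcessNotifyRoutineEx callback. BUILD_AS_MINIFILTER is a hypothetical
 * build flag; the WDK-dependent callbacks are only compiled when it is defined. */
#include <stddef.h>
#include <wchar.h>

#ifndef BUILD_AS_MINIFILTER   /* user-mode stand-ins for the WDK definitions */
#define PAGE_EXECUTE 0x10     /* same value as the Windows headers */
typedef enum { SyncTypeOther, SyncTypeCreateSection } FS_FILTER_SECTION_SYNCHRONIZATION_TYPE;
#endif

/* Constructed policy: images may be mapped executable only from these directories
 * (volume-relative, trailing backslash, subdirectories included). */
static const wchar_t *const AllowedDirs[] = { L"\\Windows\\System32\\", L"\\Program Files\\" };

static wchar_t FoldAsciiCase(wchar_t c) { return (c >= L'A' && c <= L'Z') ? (wchar_t)(c + 32) : c; }

/* Case-insensitive prefix test over a counted string: UNICODE_STRING buffers in the
 * kernel are not guaranteed to be NUL-terminated, so never use wcs* on them. */
static int HasPrefixNoCase(const wchar_t *s, size_t len, const wchar_t *prefix)
{
    size_t n = wcslen(prefix);
    if (n > len) return 0;
    for (size_t i = 0; i < n; i++)
        if (FoldAsciiCase(s[i]) != FoldAsciiCase(prefix[i])) return 0;
    return 1;
}

/* 1 if an image whose parent directory is parentDir may execute, else 0. */
int IsImageDirAllowed(const wchar_t *parentDir, size_t len)
{
    for (size_t i = 0; i < sizeof AllowedDirs / sizeof AllowedDirs[0]; i++)
        if (HasPrefixNoCase(parentDir, len, AllowedDirs[i])) return 1;
    return 0;
}

/* Decision for IRP_MJ_ACQUIRE_FOR_SECTION_SYNCHRONIZATION: only section creation with
 * PageProtection == PAGE_EXECUTE (an image mapping, per the linked document) is policed;
 * data mappings and plain synchronisation requests pass untouched. */
int ShouldDenySectionSync(int syncType, unsigned long pageProtection,
                          const wchar_t *parentDir, size_t len)
{
    if (syncType != SyncTypeCreateSection || pageProtection != PAGE_EXECUTE) return 0;
    return !IsImageDirAllowed(parentDir, len);
}

/* For the Ex callback: ImageFileName is a full NT path (\Device\HarddiskVolumeN\dir\file.exe;
 * assumed shape). Skip the two device components and apply the same volume-relative policy.
 * A path that does not have that shape is treated as not allowed. */
int IsNtImagePathAllowed(const wchar_t *path, size_t len)
{
    size_t seps = 0, start = 0, last = 0;
    for (size_t i = 0; i < len; i++) {
        if (path[i] != L'\\') continue;
        if (++seps == 3) start = i;   /* third separator opens the volume-relative part */
        last = i;
    }
    if (seps < 3) return 0;
    return IsImageDirAllowed(path + start, last - start + 1);  /* keep trailing backslash */
}

#ifdef BUILD_AS_MINIFILTER
#include <fltKernel.h>

/* Registered as { IRP_MJ_ACQUIRE_FOR_SECTION_SYNCHRONIZATION, 0, PreSectionSync, NULL }
 * in the FLT_OPERATION_REGISTRATION table. */
FLT_PREOP_CALLBACK_STATUS PreSectionSync(_Inout_ PFLT_CALLBACK_DATA Data,
    _In_ PCFLT_RELATED_OBJECTS FltObjects, _Flt_CompletionContext_Outptr_ PVOID *CompletionContext)
{
    const FLT_PARAMETERS *p = &Data->Iopb->Parameters;
    PFLT_FILE_NAME_INFORMATION ni = NULL;
    FLT_PREOP_CALLBACK_STATUS verdict = FLT_PREOP_SUCCESS_NO_CALLBACK;
    UNREFERENCED_PARAMETER(FltObjects);
    *CompletionContext = NULL;
    /* Cheap field checks first; only image mappings pay for a name query. */
    if (p->AcquireForSectionSynchronization.SyncType != SyncTypeCreateSection ||
        p->AcquireForSectionSynchronization.PageProtection != PAGE_EXECUTE) return verdict;
    if (!NT_SUCCESS(FltGetFileNameInformation(Data,
            FLT_FILE_NAME_NORMALIZED | FLT_FILE_NAME_QUERY_DEFAULT, &ni)))
        return verdict;   /* fails open on a name-query failure; fail closed if your threat model demands it */
    if (NT_SUCCESS(FltParseFileNameInformation(ni)) &&
        ShouldDenySectionSync(SyncTypeCreateSection, PAGE_EXECUTE,
                              ni->ParentDir.Buffer, ni->ParentDir.Length / sizeof(WCHAR))) {
        Data->IoStatus.Status = STATUS_ACCESS_DENIED;   /* the image load fails with this status */
        Data->IoStatus.Information = 0;
        verdict = FLT_PREOP_COMPLETE;
    }
    FltReleaseFileNameInformation(ni);
    return verdict;
}

/* Vista+: registered with PsSetCreateProcessNotifyRoutineEx (driver linked with /INTEGRITYCHECK). */
VOID CreateProcessNotifyEx(_Inout_ PEPROCESS Process, _In_ HANDLE ProcessId,
                           _Inout_opt_ PPS_CREATE_NOTIFY_INFO CreateInfo)
{
    UNREFERENCED_PARAMETER(Process); UNREFERENCED_PARAMETER(ProcessId);
    if (CreateInfo == NULL || CreateInfo->ImageFileName == NULL) return;   /* exit notification */
    if (!IsNtImagePathAllowed(CreateInfo->ImageFileName->Buffer,
                              CreateInfo->ImageFileName->Length / sizeof(WCHAR)))
        CreateInfo->CreationStatus = STATUS_ACCESS_DENIED;   /* CreateProcess fails with this code */
}
#endif
```

The prefix test deliberately keeps the trailing backslash in the allow-list entries so that `\Windows\System32Evil\` does not match `\Windows\System32\`; the case folding is ASCII-only, which is enough for the constructed policy but would need RtlPrefixUnicodeString with CaseInSensitive=TRUE for a real-world rule set.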