
Blocking Process Creation using a Windows Kernel Driver

Since I published monitoring drivers that can detect process creation, executable image mapping and so on, I have often been asked to publish some code examples on how to detect or filter executable code. In this post I will not publish a complete monitoring driver skeleton, but I will give you everything you need to start your own project.

To filter process creation, Microsoft Windows provides the routine PsSetCreateProcessNotifyRoutineEx. It registers (or removes) a callback routine that the kernel invokes when a process is created or exits. To block a process, register such a callback and, for a creation notification, set CreateInfo->CreationStatus to a failure NTSTATUS before returning. Two things to keep in mind: only creation can be vetoed, because for an exit notification CreateInfo is NULL and there is nothing left to block; and PsSetCreateProcessNotifyRoutineEx only accepts callbacks from drivers linked with the /INTEGRITYCHECK flag, otherwise the registration fails with STATUS_ACCESS_DENIED.

The callback has the following prototype (see the MSDN entry for PsSetCreateProcessNotifyRoutineEx):

VOID CreateProcessNotifyEx(
    _Inout_  PEPROCESS              Process,
    _In_     HANDLE                 ProcessId,
    _In_opt_ PPS_CREATE_NOTIFY_INFO CreateInfo
);

About the CreateInfo parameter, Microsoft states:

For a new process, the CreateProcessNotifyEx routine is called after the initial thread is created, but before the thread begins running. The driver can cause the process-creation operation to fail by changing the CreateInfo->CreationStatus member to an NTSTATUS error code.

What we are interested in is the structure behind CreateInfo:

typedef struct _PS_CREATE_NOTIFY_INFO { ... }

Set the CreationStatus member to an error status code such as STATUS_ACCESS_DISABLED_BY_POLICY_DEFAULT or STATUS_ACCESS_DENIED if you want to block the process creation. For more status codes see http://msdn.microsoft.com/en-us/library/cc704588.aspx. If you want to filter process creation the way AppLocker does, you must decide which executables are allowed to run on the machine and which are not. AppLocker, for example, lets you choose between registered path and file names and the hash value of a given executable. You can also link your driver to a user-mode application that asks the user whether an executable may run, like Trust-No-Exe (an executable filter driver for Windows XP, see Trust-No-Exe). There are plenty of ways, but I think the simplest is the AppLocker approach: just use file and path names or hash values in a whitelist. Two practical points: CreateInfo->ImageFileName is the NT device path of the image (of the form \Device\HarddiskVolume2\Windows\System32\cmd.exe), not a drive-letter path, so a name-based whitelist has to be kept in that form; and a path-based whitelist is only as strong as the ACLs on the whitelisted directories, because a standard user who can write into one of them can run anything from there.
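The following is an added example and not the sample driver from this post or any Microsoft code. It shows how the callback described above and an AppLocker-style whitelist fit together. The policy part is plain C so it can be exercised and tested in user mode; the kernel glue (DriverEntry, unload and the notify routine) is compiled only when the hypothetical BLOCKER_KERNEL_BUILD macro is defined in a WDK build. The driver routine names, the macro, the allow-list paths and the deny list of user-writable subdirectories are all constructed for this example.

```c
/* Added example, not the post's sample driver: an allow-list policy behind a
 * PsSetCreateProcessNotifyRoutineEx callback. The policy is plain C so it can
 * be unit-tested in user mode; the kernel glue compiles only when
 * BLOCKER_KERNEL_BUILD is defined (WDK build, linked with /INTEGRITYCHECK).
 * All paths are constructed examples, not a real policy. */
#include <stddef.h>
#ifdef BLOCKER_KERNEL_BUILD
#include <ntddk.h>
#else
#include <stdint.h>
typedef uint16_t WCHAR;   /* UTF-16 code unit, as in UNICODE_STRING.Buffer */
#endif
#define ARRAY_LEN(a) (sizeof(a) / sizeof((a)[0]))

/* Allow list in NT device-path form, which is what ImageFileName carries.
 * Directory prefixes end with a backslash; file entries must match exactly. */
static const char *const g_allowed_prefixes[] = {
    "\\Device\\HarddiskVolume2\\Windows\\",
    "\\Device\\HarddiskVolume2\\Program Files\\",
    "\\Device\\HarddiskVolume2\\Program Files (x86)\\",
};
static const char *const g_allowed_files[] = {
    "\\Device\\HarddiskVolume2\\Tools\\procmon64.exe",
};
/* User-writable subdirectories of an allowed prefix, checked first so a
 * standard user cannot run a binary dropped there (the classic path-rule bypass). */
static const char *const g_denied_prefixes[] = {
    "\\Device\\HarddiskVolume2\\Windows\\Temp\\",
    "\\Device\\HarddiskVolume2\\Windows\\Tasks\\",
};
static WCHAR fold(WCHAR c) { return (c >= 'A' && c <= 'Z') ? (WCHAR)(c + 32) : c; }
/* Case-insensitive (ASCII folding only) "p is a prefix of the n-unit UTF-16
 * string s". Non-ASCII code units never match an ASCII pattern byte. */
static int prefix_matches_ci(const WCHAR *s, size_t n, const char *p)
{
    size_t i;
    for (i = 0; p[i] != '\0'; i++)
        if (i >= n || fold(s[i]) != fold((WCHAR)(unsigned char)p[i])) return 0;
    return 1;
}
static int equals_ci(const WCHAR *s, size_t n, const char *p)
{
    size_t plen = 0;
    while (p[plen] != '\0') plen++;
    return plen == n && prefix_matches_ci(s, n, p);
}
/* Policy decision: 1 = allow, 0 = block. n is UNICODE_STRING.Length divided
 * by sizeof(WCHAR), since Length is a byte count. Missing names fail closed. */
int PolicyAllowsImage(const WCHAR *path, size_t n)
{
    size_t i;
    if (path == NULL || n == 0) return 0;
    for (i = 0; i < ARRAY_LEN(g_denied_prefixes); i++)
        if (prefix_matches_ci(path, n, g_denied_prefixes[i])) return 0;
    for (i = 0; i < ARRAY_LEN(g_allowed_files); i++)
        if (equals_ci(path, n, g_allowed_files[i])) return 1;
    for (i = 0; i < ARRAY_LEN(g_allowed_prefixes); i++)
        if (prefix_matches_ci(path, n, g_allowed_prefixes[i])) return 1;
    return 0;
}
#ifdef BLOCKER_KERNEL_BUILD
/* Runs in the creating thread's context at PASSIVE_LEVEL, after the new
 * process's initial thread exists but before it starts executing. */
static VOID BlockerNotifyEx(_Inout_ PEPROCESS Process, _In_ HANDLE ProcessId,
                            _In_opt_ PPS_CREATE_NOTIFY_INFO CreateInfo)
{
    UNREFERENCED_PARAMETER(Process); UNREFERENCED_PARAMETER(ProcessId);
    if (CreateInfo == NULL) return;   /* exit notification: nothing to block */
    if (!CreateInfo->FileOpenNameAvailable || CreateInfo->ImageFileName == NULL ||
        !PolicyAllowsImage(CreateInfo->ImageFileName->Buffer,
                           CreateInfo->ImageFileName->Length / sizeof(WCHAR)))
        CreateInfo->CreationStatus = STATUS_ACCESS_DISABLED_BY_POLICY_DEFAULT;
}
static VOID BlockerUnload(_In_ PDRIVER_OBJECT DriverObject)
{
    UNREFERENCED_PARAMETER(DriverObject);
    PsSetCreateProcessNotifyRoutineEx(BlockerNotifyEx, TRUE);   /* Remove = TRUE */
}
NTSTATUS DriverEntry(_In_ PDRIVER_OBJECT DriverObject, _In_ PUNICODE_STRING RegistryPath)
{
    UNREFERENCED_PARAMETER(RegistryPath);
    DriverObject->DriverUnload = BlockerUnload;
    /* Fails with STATUS_ACCESS_DENIED unless the image is linked /INTEGRITYCHECK. */
    return PsSetCreateProcessNotifyRoutineEx(BlockerNotifyEx, FALSE);
}
#else
/* User-mode harness: widen an ASCII NT path to UTF-16 and ask the policy. */
int PolicyAllowsAscii(const char *ntPath)
{
    WCHAR buf[512];
    size_t n;
    for (n = 0; ntPath[n] != '\0' && n < ARRAY_LEN(buf); n++)
        buf[n] = (WCHAR)(unsigned char)ntPath[n];
    return PolicyAllowsImage(buf, n);
}
#endif
```

Three design choices are worth spelling out. The callback fails closed: if the kernel could not give an exact image name (FileOpenNameAvailable is FALSE) the process is blocked rather than guessed at, which is the safer default for an enforcement driver. The deny list exists because a prefix rule for \Windows\ silently allows everything under \Windows\Temp\ and \Windows\Tasks\, which standard users can write to; the same bypass applies to any AppLocker-style path rule. And the directory prefixes end with a backslash so that \Device\HarddiskVolume2\WindowsEvil\ does not match the \Windows\ rule. A hash-based rule avoids the writable-directory problem entirely, at the cost of reading and hashing the image inside the callback (the FileObject member of CreateInfo gives you the opened file).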

You can download the sample driver I discussed at DevSec() 2018 right here.