Filtering PreCallback

Posted: Sun Oct 27, 2019 2:01 pm
by ntstatus
Hi, I've protected a user-mode process using ObRegisterCallbacks, and I strip all the handles to prevent DLL injection from user mode. It works fine if I load my driver after the process is started, but if I load my driver first and then start the process, it won't start because it's stripping the handles.

So my question is: how would one filter out all other processes but the host process itself, and only deny opening handles to other processes?

Re: Filtering PreCallback

Posted: Mon Oct 28, 2019 8:40 am
by EP_X0FF
Whitelist it by EPROCESS, for example: when loading your driver, call it and remember the EPROCESS.

Re: Filtering PreCallback

Posted: Thu Oct 31, 2019 6:33 am
by ntstatus
Here is my current code:
Code:
#include <ntddk.h>
#include <string.h>

/* Poster's own helper (its definition is not shown in the thread): maps a PID to an ANSI image name, or NULL. */
LPSTR GetProcessNameByProcessID ( HANDLE ProcessId );

/* Whitelist state, filled in on the first handle open whose target is named calc.exe. */
PEPROCESS TdProtectedTargetProcess   = NULL;
HANDLE    TdProtectedTargetProcessId = NULL;

OB_PREOP_CALLBACK_STATUS ObPreCallback ( _In_ PVOID RegistrationContext, _Inout_ POB_PRE_OPERATION_INFORMATION pOperationInformation )
{
	UNREFERENCED_PARAMETER ( RegistrationContext );

	/* Only process objects are filtered; check the type before treating Object as a PEPROCESS. */
	if ( pOperationInformation->ObjectType != *PsProcessType )
		return OB_PREOP_SUCCESS;

	/* Learn the target by image name on the fly (the part of the design the thread is questioning). */
	LPSTR szProcName = GetProcessNameByProcessID ( PsGetProcessId ( ( PEPROCESS ) pOperationInformation->Object ) );

	if ( szProcName && strstr ( szProcName, "calc.exe" ) )
	{
		TdProtectedTargetProcess   = ( PEPROCESS ) pOperationInformation->Object;
		TdProtectedTargetProcessId = PsGetProcessId ( TdProtectedTargetProcess );
	}

	/* Nothing protected yet: let everything through. */
	if ( !TdProtectedTargetProcess || !TdProtectedTargetProcessId )
		return OB_PREOP_SUCCESS;

	/* Never touch handles created by kernel-mode callers. */
	if ( pOperationInformation->KernelHandle )
		return OB_PREOP_SUCCESS;

	/* Handle to some other process: not our concern. */
	if ( TdProtectedTargetProcess != pOperationInformation->Object )
		return OB_PREOP_SUCCESS;

	/* The protected process opening itself is allowed through. */
	if ( pOperationInformation->Object == PsGetCurrentProcess ( ) )
		return OB_PREOP_SUCCESS;

	/* Any other user-mode caller gets the handle cut down to SYNCHRONIZE. */
	switch ( pOperationInformation->Operation )
	{
	case OB_OPERATION_HANDLE_CREATE:
		pOperationInformation->Parameters->CreateHandleInformation.DesiredAccess = SYNCHRONIZE;
		break;
	}

	return OB_PREOP_SUCCESS;
}
It successfully stops DLL injection, but the application won't start if I load my driver before starting calc.exe.
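The following is an added example, not code from the thread's participants. It models the whitelist-by-EPROCESS approach suggested above as plain, host-testable C so the decision logic can be exercised without the WDK. When the driver is loaded first, the earliest user-mode handles to the new calc.exe are created in other processes' contexts: the handle CreateProcess hands back to the parent, and typically the ones csrss.exe opens while registering the new process. None of those callers pass the `PsGetCurrentProcess()` self-check, so they are cut down to SYNCHRONIZE and the launch never completes. The example records the target and its creator from a process-creation notification (standing in for a `PsSetCreateProcessNotifyRoutineEx` callback, whose real `ImageFileName` is a `PCUNICODE_STRING`, modelled here as a `char *`), lets the target itself and its creator through, and strips only injection-capable rights from everyone else instead of everything but SYNCHRONIZE. The `handle_open` and `protection_state` structs, `on_process_notify`, `filter_access`, `image_is` and all PIDs and paths are constructed for this example; the access-mask constants are the values from winnt.h.

```c
/* Host-testable model of an ObRegisterCallbacks pre-operation filter.
 * Added example: the fields of `handle_open` are the ones a real callback
 * would read from OB_PRE_OPERATION_INFORMATION; nothing here is WDK code. */
#include <ctype.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Access bits as defined in winnt.h. */
#define SYNCHRONIZE                       0x00100000u
#define PROCESS_TERMINATE                 0x00000001u
#define PROCESS_CREATE_THREAD             0x00000002u
#define PROCESS_VM_OPERATION              0x00000008u
#define PROCESS_VM_READ                   0x00000010u
#define PROCESS_VM_WRITE                  0x00000020u
#define PROCESS_DUP_HANDLE                0x00000040u
#define PROCESS_SET_INFORMATION           0x00000200u
#define PROCESS_QUERY_INFORMATION         0x00000400u
#define PROCESS_QUERY_LIMITED_INFORMATION 0x00001000u
#define PROCESS_ALL_ACCESS                0x001FFFFFu

/* Rights that let a foreign process inject code or tamper. Query and
 * synchronize rights are left alone so ordinary tooling keeps working. */
#define INJECTION_RIGHTS (PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | \
                          PROCESS_VM_READ | PROCESS_VM_WRITE |          \
                          PROCESS_DUP_HANDLE | PROCESS_SET_INFORMATION)

typedef enum { OBJ_PROCESS, OBJ_THREAD } obj_type;

/* Subset of OB_PRE_OPERATION_INFORMATION the filter needs (constructed stand-in). */
typedef struct {
    obj_type type;            /* ObjectType == *PsProcessType ? */
    bool     kernel_handle;   /* KernelHandle */
    uint64_t target_pid;      /* PsGetProcessId((PEPROCESS)Object) */
    uint64_t caller_pid;      /* PsGetCurrentProcessId() */
    uint32_t desired_access;  /* Parameters->CreateHandleInformation.DesiredAccess */
} handle_open;

/* Whitelist state, filled from the creation notification rather than by
 * string-matching inside the hot Ob callback. */
typedef struct {
    uint64_t protected_pid;   /* 0: nothing protected yet */
    uint64_t creator_pid;     /* parent allowed to finish CreateProcess */
} protection_state;

/* Case-insensitive compare of the image basename with `name`. Avoids the
 * strstr() pitfall where "calc.exe" also matches "notcalc.exe". */
static bool image_is(const char *image_path, const char *name)
{
    const char *base = strrchr(image_path, '\\');
    base = base ? base + 1 : image_path;
    for (; *base && *name; base++, name++)
        if (tolower((unsigned char)*base) != tolower((unsigned char)*name))
            return false;
    return *base == '\0' && *name == '\0';
}

/* Stand-in for the PsSetCreateProcessNotifyRoutineEx callback; `create` is false on exit. */
void on_process_notify(protection_state *st, uint64_t pid, uint64_t parent_pid,
                       const char *image_path, bool create)
{
    if (create) {
        if (st->protected_pid == 0 && image_is(image_path, "calc.exe")) {
            st->protected_pid = pid;
            st->creator_pid   = parent_pid;
        }
    } else if (pid == st->protected_pid) {
        st->protected_pid = st->creator_pid = 0;   /* never keep a stale PID */
    }
}

/* The pre-operation decision: returns the DesiredAccess the handle should get. */
uint32_t filter_access(const protection_state *st, const handle_open *op)
{
    if (op->type != OBJ_PROCESS)             return op->desired_access; /* not a process handle */
    if (op->kernel_handle)                   return op->desired_access; /* kernel-mode caller */
    if (st->protected_pid == 0)              return op->desired_access; /* nothing protected */
    if (op->target_pid != st->protected_pid) return op->desired_access; /* some other target */
    if (op->caller_pid == st->protected_pid) return op->desired_access; /* self-open */
    if (op->caller_pid == st->creator_pid)   return op->desired_access; /* parent finishing CreateProcess */
    return op->desired_access & ~INJECTION_RIGHTS;                      /* everyone else */
}

int main(void)
{
    protection_state st = {0};
    /* Constructed scenario: PID 1000 (the parent) launches calc.exe as PID 4242. */
    on_process_notify(&st, 4242, 1000, "C:\\Windows\\System32\\calc.exe", true);
    handle_open parent   = { OBJ_PROCESS, false, 4242, 1000, PROCESS_ALL_ACCESS };
    handle_open injector = { OBJ_PROCESS, false, 4242, 7777,
                             PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION |
                             PROCESS_VM_WRITE | PROCESS_QUERY_LIMITED_INFORMATION };
    printf("parent   -> 0x%08x\n", filter_access(&st, &parent));
    printf("injector -> 0x%08x\n", filter_access(&st, &injector));
    return 0;
}
```

Build with `cc -std=c99 -Wall example.c`. Two caveats for porting this into a driver: the creator stays trusted for the life of the protected process, so anything running inside the parent can still inject, and other system processes that open every new process (csrss.exe among them) may need the same treatment; trace which callers actually hit the callback during startup before deciding who to whitelist rather than guessing.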