A forum for reverse engineering, OS internals and malware analysis 

Ask your beginner questions here.
 #32707  by Iradicator
 Wed Mar 20, 2019 2:44 pm

I've got a driver that tamper user-space processes by sending APC calls upon process start using the call PsSetCreateProcessNotifyRoutine.

I wish to avoid tampering with any process that is critical for the OS stability, since my APC also eventually decides to kill the process.

So far I've used PsIsProtectedProcess and PsIsProtectedProcessLight in order to detect protected processes.

However, it appears that there are some processes such as smss.exe and crss.exe and wininit.exe that are defined as critical processes and I also wish to avoid them.

Perhaps anybody knows that difference between protected and critical process, and how can i detect critical process programmatically from kernel-mode (maybe it has ad-hoc field in EPROCESS ? )

 #32709  by EP_X0FF
 Thu Mar 21, 2019 8:29 am
"Critical process" is the process that upon unexpected termination breaks into kernel debugger if it present or simple cause bugcheck with "critical process terminated" message if dbg not present.

This is stored in ERPOCESS flags as PS_PROCESS_FLAGS_BREAK_ON_TERMINATION value. You can query this value by ZwQueryInformationProcess(ProcessBreakOnTermination).

Except "Critical process" there also exist "Critical thread" ZWQIT(ThreadBreakOnTermination), works the same way, flag stored in ETHREAD.