A forum for reverse engineering, OS internals and malware analysis 

Ask your beginner questions here.
 #33234  by ntstatus
 Sun Oct 27, 2019 2:01 pm
Hi, I've protected a user-mode process using ObRegisterCallbacks, and I strip all the handles to prevent DLL injection from user mode. It works fine if I load my driver after the process is started, but if I load my driver first and then start the process, it won't start because it's stripping the handles.

So my question is: how would one filter out all other processes but the host process itself, and only deny opening handles to other processes?
 #33236  by EP_X0FF
 Mon Oct 28, 2019 8:40 am
Whitelist it by EPROCESS, for example: when loading your driver, call it and remember the EPROCESS.
 #33246  by ntstatus
 Thu Oct 31, 2019 6:33 am
Here is my current code:
OB_PREOP_CALLBACK_STATUS ObPreCallback ( _In_ PVOID RegistrationContext, _Inout_ POB_PRE_OPERATION_INFORMATION pOperationInformation )
{
	UNREFERENCED_PARAMETER ( RegistrationContext );

	// Only a process object carries a PEPROCESS; PsGetProcessId must not be
	// called on anything else (e.g. an ETHREAD if thread callbacks are registered).
	if ( pOperationInformation->ObjectType == *PsProcessType )
	{
		// GetProcessNameByProcessID is the poster's own helper; guard against a NULL result.
		LPSTR szProcName = GetProcessNameByProcessID ( PsGetProcessId ( pOperationInformation->Object ) );

		if ( szProcName && strstr ( szProcName, "calc.exe" ) )
		{
			// Remember the process to protect the first time we see it.
			TdProtectedTargetProcess = ( PEPROCESS ) pOperationInformation->Object;
			TdProtectedTargetProcessId = PsGetProcessId ( pOperationInformation->Object );
		}
	}

	// Nothing to protect yet: let every open through.
	if ( !TdProtectedTargetProcess || !TdProtectedTargetProcessId )
	{
		return OB_PREOP_SUCCESS;
	}

	// Never interfere with kernel handles.
	if ( pOperationInformation->KernelHandle )
		return OB_PREOP_SUCCESS;

	if ( pOperationInformation->ObjectType == *PsProcessType )
	{
		// Opens of any other process are untouched.
		if ( TdProtectedTargetProcess != pOperationInformation->Object )
		{
			return OB_PREOP_SUCCESS;
		}

		// The protected process may open itself.
		if ( pOperationInformation->Object == PsGetCurrentProcess ( ) )
		{
			return OB_PREOP_SUCCESS;
		}
	}

	// Everyone else gets a handle with SYNCHRONIZE only.
	switch ( pOperationInformation->Operation )
	{
	case OB_OPERATION_HANDLE_CREATE:
		pOperationInformation->Parameters->CreateHandleInformation.DesiredAccess = ( SYNCHRONIZE );
		break;
	}

	return OB_PREOP_SUCCESS;
}
It successfully stops DLL injection, but the application won't start if I load my driver before starting calc.exe.
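The decision logic EP_X0FF describes (remember the host's EPROCESS when it calls the driver after load, then let that process through in the pre-operation callback) can be laid out as a pure policy function, as in this added example. It is not code from either poster and not a driver: the EPROCESS pointers are replaced by integer tokens, the `handle_policy_t` struct, `policy_whitelist_caller` and `filter_handle_access` are hypothetical names, and the access-mask values are copied from winnt.h so the file builds on any C compiler. `filter_handle_access` mirrors the checks in the posted `ObPreCallback` (kernel handle, other target, self-open) plus the whitelist lookup, and returns the `DesiredAccess` the handle would end up with. One deliberate difference from the posted callback: the denied case masks the request down to `SYNCHRONIZE` instead of assigning it outright, so a caller that never asked for `SYNCHRONIZE` is not granted it.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Access-mask values from winnt.h, defined locally so this compiles off Windows. */
#define SYNCHRONIZE                        0x00100000u
#define PROCESS_CREATE_THREAD              0x00000002u
#define PROCESS_VM_OPERATION               0x00000008u
#define PROCESS_VM_WRITE                   0x00000020u
#define PROCESS_QUERY_LIMITED_INFORMATION  0x00001000u
#define PROCESS_ALL_ACCESS                 0x001FFFFFu

/* Stand-in for a PEPROCESS: in the driver this would be the pointer itself. */
typedef uintptr_t proc_id_t;

typedef struct {
    proc_id_t protected_process;   /* the EPROCESS being shielded */
    proc_id_t whitelist[4];        /* EPROCESS values allowed full access */
    size_t    whitelist_count;
} handle_policy_t;

/* Called from the IOCTL the host sends right after the driver loads;
   the driver would store PsGetCurrentProcess() here. */
static bool policy_whitelist_caller(handle_policy_t *p, proc_id_t caller)
{
    if (p->whitelist_count >= sizeof p->whitelist / sizeof p->whitelist[0])
        return false;                       /* table full; refuse rather than overflow */
    p->whitelist[p->whitelist_count++] = caller;
    return true;
}

static bool policy_is_whitelisted(const handle_policy_t *p, proc_id_t caller)
{
    for (size_t i = 0; i < p->whitelist_count; i++)
        if (p->whitelist[i] == caller)
            return true;
    return false;
}

/* Same decision the pre-operation callback makes for OB_OPERATION_HANDLE_CREATE:
   returns the DesiredAccess the new handle should actually carry. */
static uint32_t filter_handle_access(const handle_policy_t *p,
                                     proc_id_t caller,     /* PsGetCurrentProcess() */
                                     proc_id_t target,     /* OperationInformation->Object */
                                     bool kernel_handle,   /* OperationInformation->KernelHandle */
                                     uint32_t desired)
{
    if (kernel_handle)                       return desired;   /* kernel handles untouched */
    if (target != p->protected_process)      return desired;   /* other processes untouched */
    if (caller == target)                    return desired;   /* the process opening itself */
    if (policy_is_whitelisted(p, caller))    return desired;   /* the remembered host */
    return desired & SYNCHRONIZE;            /* everyone else: SYNCHRONIZE at most */
}

/* Constructed scenario: token values are made up for the demo. */
#define PROTECTED_PROC ((proc_id_t)0x1000)
#define HOST_PROC      ((proc_id_t)0x2000)
#define INJECTOR_PROC  ((proc_id_t)0x3000)
#define OTHER_PROC     ((proc_id_t)0x4000)

static handle_policy_t make_demo_policy(void)
{
    handle_policy_t p = { PROTECTED_PROC, {0}, 0 };
    policy_whitelist_caller(&p, HOST_PROC);  /* the host registered itself after load */
    return p;
}

int main(void)
{
    handle_policy_t p = make_demo_policy();
    uint32_t want = PROCESS_VM_WRITE | PROCESS_VM_OPERATION | PROCESS_CREATE_THREAD | SYNCHRONIZE;

    printf("injector -> protected: 0x%08x\n", filter_handle_access(&p, INJECTOR_PROC, PROTECTED_PROC, false, want));
    printf("host     -> protected: 0x%08x\n", filter_handle_access(&p, HOST_PROC, PROTECTED_PROC, false, want));
    printf("injector -> other    : 0x%08x\n", filter_handle_access(&p, INJECTOR_PROC, OTHER_PROC, false, want));
    printf("kernel   -> protected: 0x%08x\n", filter_handle_access(&p, INJECTOR_PROC, PROTECTED_PROC, true, want));
    return 0;
}
```

In the driver the whitelist entry is a `PEPROCESS` captured with `PsGetCurrentProcess()` inside the IOCTL handler, and the comparison in the callback is against the same call; the token type here only keeps the example portable. Because the table holds raw identities, it should be cleared when the whitelisted process exits (a process-notify routine is the usual place), or a later process could inherit a stale entry if the kernel reuses the allocation.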