A forum for reverse engineering, OS internals and malware analysis 

Some create process notifications cannot be removed

Forum for discussion about kernel-mode development.

Some create process notifications cannot be removed

 #30874  by myid
 Mon Oct 02, 2017 1:16 am
Hi, everyone.
We all knows that we can use PsSetCreateProcessNotifyRoutine to create or remove a create process notification.
But I found that some times this function returns falied in WIN10. That is so strange.
Does anyone else have this problem?

Re: Some create process notifications cannot be removed

 #30881  by Brock
 Mon Oct 02, 2017 9:29 pm
Very possible the function is hooked as indicated by tcxyqs, malware has done this to do as he said and that is to prevent the removal of a callback it has installed so it guards it if the 2nd param of the function is set to TRUE (Removal). Anyhow, where are you calling PsSetCreateProcessNotifyRoutine() (in system context i.e> DriverEntry or other?) and what is the 2nd parameter set to, True or False?

Re: Some create process notifications cannot be removed

 #30882  by tangptr
 Tue Oct 03, 2017 5:10 am
Note that there are three kinds of create process notification callbacks since Windows 10, version 1703. These three kinds of callbacks could be respectively created by PsSetCreateProcessNotifyRoutine, PsSetCreateProcessNotifyRoutineEx, or PsSetCreateProcessNotifyRoutineEx2. Those three kinds of callbacks could ONLY be removed by the function that created them. Maybe you called PsSetCreateProcessNotifyRoutineEx to remove a callback created by PsSetCreateProcessNotifyRoutineEx2. Doing so would certainly cause a failure.

Related Articles:
PsSetCreateProcessNotifyRoutine:
https://msdn.microsoft.com/en-us/librar ... s.85).aspx
PsSetCreateProcessNotifyRoutineEx:
https://msdn.microsoft.com/en-us/librar ... s.85).aspx
PsSetCreateProcessNotifyRoutineEx2:
https://msdn.microsoft.com/en-us/librar ... s.85).aspx

Re: Some create process notifications cannot be removed

 #30884  by myid
 Tue Oct 03, 2017 3:47 pm
tangptr wrote:Note that there are three kinds of create process notification callbacks since Windows 10, version 1703. These three kinds of callbacks could be respectively created by PsSetCreateProcessNotifyRoutine, PsSetCreateProcessNotifyRoutineEx, or PsSetCreateProcessNotifyRoutineEx2. Those three kinds of callbacks could ONLY be removed by the function that created them. Maybe you called PsSetCreateProcessNotifyRoutineEx to remove a callback created by PsSetCreateProcessNotifyRoutineEx2. Doing so would certainly cause a failure.

Related Articles:
PsSetCreateProcessNotifyRoutine:
https://msdn.microsoft.com/en-us/librar ... s.85).aspx
PsSetCreateProcessNotifyRoutineEx:
https://msdn.microsoft.com/en-us/librar ... s.85).aspx
PsSetCreateProcessNotifyRoutineEx2:
https://msdn.microsoft.com/en-us/librar ... s.85).aspx
Thanks for your very useful information.

Re: Some create process notifications cannot be removed

 #30886  by tangptr
 Tue Oct 03, 2017 4:39 pm
myid wrote:
tangptr wrote:Note that there are three kinds of create process notification callbacks since Windows 10, version 1703. These three kinds of callbacks could be respectively created by PsSetCreateProcessNotifyRoutine, PsSetCreateProcessNotifyRoutineEx, or PsSetCreateProcessNotifyRoutineEx2. Those three kinds of callbacks could ONLY be removed by the function that created them. Maybe you called PsSetCreateProcessNotifyRoutineEx to remove a callback created by PsSetCreateProcessNotifyRoutineEx2. Doing so would certainly cause a failure.

Related Articles:
PsSetCreateProcessNotifyRoutine:
https://msdn.microsoft.com/en-us/librar ... s.85).aspx
PsSetCreateProcessNotifyRoutineEx:
https://msdn.microsoft.com/en-us/librar ... s.85).aspx
PsSetCreateProcessNotifyRoutineEx2:
https://msdn.microsoft.com/en-us/librar ... s.85).aspx
Thanks for your very useful information.
So, have you solved your problem?
 Return to “Kernel-Mode Development”