A forum for reverse engineering, OS internals and malware analysis 

Discussion on reverse-engineering and debugging.
 #24261  by 10158752
 Fri Oct 31, 2014 1:44 am
On Windows x64, when a process is protected by ObRegisterCallbacks (blocks CreateToolhelp32Snapshot, NtOpenProcess, etc), is there a way to enumerate the modules that are currently loaded in the process?

Process Hacker seems to have no problem doing this even without the use of its driver. Though it still can't terminate/suspend/etc the process.

I think you can still use SetWindowsHookEx to inject a DLL when the process is protected, but Process Hacker doesn't seem to call SetWindowsHookEx and is doing it another way.
 #24263  by Vrtule
 Fri Oct 31, 2014 6:32 pm
Hello,

Object callbacks do not allow read access to be filtered out of process access masks, so you should still be able to query the state of the target process and read its memory (PROCESS_QUERY_INFORMATION, PROCESS_QUERY_LIMITED_INFORMATION, PROCESS_VM_READ). It seems to me that functions like VirtualQueryEx, GetMappedFileName or EnumProcessModules should work even for processes protected via ObRegisterCallbacks.

Well, if we are talking about a "real" protected process (a process that is considered protected by the operating system), a handle with read access (with the exception of PROCESS_QUERY_LIMITED_INFORMATION) cannot be opened. Only SYNCHRONIZE, PROCESS_TERMINATE and PROCESS_QUERY_LIMITED_INFORMATION are allowed AFAIR.
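An added example, written for this thread and not taken from Process Hacker or from either poster, of the two read-only paths Vrtule describes, done from PowerShell through P/Invoke: EnumProcessModulesEx over a handle opened with PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, and, when that is refused, a VirtualQueryEx walk that names every MEM_IMAGE mapping via GetMappedFileName, which needs only PROCESS_QUERY_INFORMATION. The `Native` class, the two function names and the script name are my own; the Win32/psapi calls, constants and struct layout are the documented ones.

```powershell
# Get-RemoteModules.ps1 (hypothetical name) -- list the modules of another process
# using only read-type access rights. Example code for this thread, not Process Hacker's.
param([Parameter(Mandatory = $true)][int]$ProcessId)

Add-Type -TypeDefinition @'
using System;
using System.Text;
using System.Runtime.InteropServices;
public static class Native {                       // helper class name is my own
    public const uint PROCESS_QUERY_INFORMATION = 0x0400;
    public const uint PROCESS_VM_READ           = 0x0010;
    public const uint LIST_MODULES_ALL          = 0x03;
    public const uint MEM_IMAGE                 = 0x1000000;

    [StructLayout(LayoutKind.Sequential)]
    public struct MEMORY_BASIC_INFORMATION {       // PartitionId is covered by the IntPtr alignment padding
        public IntPtr BaseAddress;
        public IntPtr AllocationBase;
        public uint   AllocationProtect;
        public IntPtr RegionSize;
        public uint   State;
        public uint   Protect;
        public uint   Type;
    }

    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern IntPtr OpenProcess(uint access, bool inherit, uint pid);
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern bool CloseHandle(IntPtr h);
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern IntPtr VirtualQueryEx(IntPtr h, IntPtr addr, out MEMORY_BASIC_INFORMATION mbi, IntPtr len);
    [DllImport("psapi.dll", SetLastError = true)]
    public static extern bool EnumProcessModulesEx(IntPtr h, [Out] IntPtr[] mods, uint cb, out uint needed, uint filter);
    [DllImport("psapi.dll", CharSet = CharSet.Unicode, SetLastError = true)]
    public static extern uint GetModuleFileNameExW(IntPtr h, IntPtr mod, StringBuilder name, uint size);
    [DllImport("psapi.dll", CharSet = CharSet.Unicode, SetLastError = true)]
    public static extern uint GetMappedFileNameW(IntPtr h, IntPtr addr, StringBuilder name, uint size);
}
'@

function Get-ModulesViaPsapi([IntPtr]$h) {
    # Path 1: psapi walks the loader list in the target PEB, so the handle must carry
    # PROCESS_QUERY_INFORMATION and PROCESS_VM_READ. Fails with ERROR_ACCESS_DENIED if
    # a callback silently stripped VM_READ from the mask OpenProcess asked for.
    $mods = New-Object IntPtr[] 1024
    $needed = [uint32]0
    $cb = [uint32]($mods.Length * [IntPtr]::Size)
    if (-not [Native]::EnumProcessModulesEx($h, $mods, $cb, [ref]$needed, [Native]::LIST_MODULES_ALL)) {
        throw "EnumProcessModulesEx failed, Win32 error $([Runtime.InteropServices.Marshal]::GetLastWin32Error())"
    }
    $sb = New-Object Text.StringBuilder 1024
    for ($i = 0; $i -lt [int]($needed / [IntPtr]::Size); $i++) {
        [void]$sb.Clear()
        [void][Native]::GetModuleFileNameExW($h, $mods[$i], $sb, [uint32]$sb.Capacity)
        [pscustomobject]@{ Base = ('0x{0:X}' -f $mods[$i].ToInt64()); Path = $sb.ToString(); Source = 'EnumProcessModulesEx' }
    }
}

function Get-ModulesViaVirtualQuery([IntPtr]$h) {
    # Path 2: walk the address space region by region and name every image mapping
    # through its section object. Needs PROCESS_QUERY_INFORMATION only; no memory read.
    # GetMappedFileName returns NT device paths (\Device\HarddiskVolumeN\...).
    $mbi  = New-Object Native+MEMORY_BASIC_INFORMATION
    $len  = [IntPtr][Runtime.InteropServices.Marshal]::SizeOf([type][Native+MEMORY_BASIC_INFORMATION])
    $sb   = New-Object Text.StringBuilder 1024
    $addr = [int64]0
    while ([Native]::VirtualQueryEx($h, [IntPtr]$addr, [ref]$mbi, $len) -ne [IntPtr]::Zero) {
        # Report each image once: at the first region of its allocation.
        if ($mbi.Type -eq [Native]::MEM_IMAGE -and $mbi.AllocationBase.ToInt64() -eq $mbi.BaseAddress.ToInt64()) {
            [void]$sb.Clear()
            [void][Native]::GetMappedFileNameW($h, $mbi.BaseAddress, $sb, [uint32]$sb.Capacity)
            [pscustomobject]@{ Base = ('0x{0:X}' -f $mbi.BaseAddress.ToInt64()); Path = $sb.ToString(); Source = 'VirtualQueryEx' }
        }
        $addr = $mbi.BaseAddress.ToInt64() + $mbi.RegionSize.ToInt64()   # VirtualQueryEx returns 0 past the top of user space
    }
}

$full = [Native]::PROCESS_QUERY_INFORMATION -bor [Native]::PROCESS_VM_READ
$h = [Native]::OpenProcess($full, $false, [uint32]$ProcessId)
if ($h -eq [IntPtr]::Zero) {
    Write-Warning "OpenProcess(QUERY_INFORMATION|VM_READ) failed ($([Runtime.InteropServices.Marshal]::GetLastWin32Error())); retrying with PROCESS_QUERY_INFORMATION only"
    $h = [Native]::OpenProcess([Native]::PROCESS_QUERY_INFORMATION, $false, [uint32]$ProcessId)
    if ($h -eq [IntPtr]::Zero) { throw "OpenProcess failed, Win32 error $([Runtime.InteropServices.Marshal]::GetLastWin32Error())" }
}
try {
    try   { Get-ModulesViaPsapi $h }
    catch { Write-Warning "$_; falling back to VirtualQueryEx"; Get-ModulesViaVirtualQuery $h }
} finally { [void][Native]::CloseHandle($h) }
```

Run as `.\Get-RemoteModules.ps1 -ProcessId <pid>` from a 64-bit PowerShell against a 64-bit target. The script checks each call rather than trusting OpenProcess, because an ObRegisterCallbacks pre-operation callback normally clears bits from DesiredAccess instead of failing the open, so a "successful" handle may lack PROCESS_VM_READ and only the psapi path notices. Against a real protected process, where Vrtule notes only PROCESS_QUERY_LIMITED_INFORMATION-class read access is granted, both paths stop at OpenProcess, since VirtualQueryEx also requires PROCESS_QUERY_INFORMATION.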