[Tigzy]

Hello

I'm trying to implement a self protection module for "one of my tools", and as this is widely used across the world I can't use any undocumented way (I mean hooks especially).
I've registred a callback notification with PsSetCreateProcessNotifyRoutine, but I found this really useless... :| , or maybe I don't know how to use it.

This callback only gives the PID of the concerned process, and we cannot act on either the creation or the termination...
We can't even get the calling process (the one who has created / terminated the process)

Anyone got a better idea to self protect a process?

[EP_X0FF]

and we cannot act on either the creation

That's isn't true. You can pass termination APC to user mode. If you are using Vista, Server 2008 or Window7 use PsSetCreateProcessNotifyRoutineEx since it has a way to terminate the process. For anything else you are using hack unfortunately.

[Tigzy]

hat's isn't true. You can pass termination APC to user mode.

Yes you're right, I've spoken quickly.
You can also just use ZwOpenProcess / ZwTerminateProcess on the PID.

---

So there's no "good way" to protect a process?
Everybody says hooks are evil, but assuming this, how AVs are doing to protect themself without that?

[EP_X0FF]

AV's using complex methods of self-protection mostly based on filters and illegal hacks for x86-32 targetting few points: not let attacker load kernel mode driver or acquiring handles/perform termination/injection/patching etc. Beginning from Vista SP1 MS started adding new interfaces which can be used for this purpose (ObCallbacks for example). And of course, nothing can protect you against driver level attack. For my point of view if 3rd party product has no full functional HIPS at board it can forget about self-protection, because it's quite useless.

[Tigzy]

For my point of view if 3rd party product has no full functional HIPS at board it can forget about self-protection, because it's quite useless.

Agreed, that will be my conclusion too.
Thanks for replying ;)