Monitoring and Managing Windows Processes
Thursday, 27 October 2011 14:17

This article describes a simple solution that illustrates how Windows starts processes and shows how to filter process start, allowing or forbidding the launch of particular processes.

Written by:

Sergii Bratus,
Senior Software Developer of Network Security Team

Contents:

Introduction
Code Usage
Project Structure
The Scheme of Process Loading
Tech Aspects
User Mode
Process Start
Sample installation and work
Conclusion
Additional Information
References

Introduction

Our goal is to develop an application that installs a driver to monitor process start. Each time a new process starts, the driver notifies the user-mode application, passing it the process PID and process name, and asks whether to allow or deny the start. While this exchange takes place, the new process is held in a waiting state and does not begin to execute.

This solution will be of interest to junior developers and those new to process programming who want to learn driver development and driver/user-mode interaction in detail. It will also be useful to developers of monitoring applications and corporate security systems.

Code Usage

The code included with this article is only an illustration of the process-blocking technique; it is not a commercial solution ready for use in real-life projects.

Project Structure

.\bin       - folder with binary files
.\lib       - folder with library files
.\obj       - folder with object files
.\procmon   - folder with source files
  |-> .\Common       - common files and projects
  |-> .\DrvCppLib    - kernel library for developing drivers in C++
  |-> .\DrvSTLPort   - STLPort 4.6 ported for use in Windows drivers
  |-> .\includes     - headers shared by the user-mode and driver code
  |-> .\processdll   - main DLL that exposes the whole API
  |-> .\procmon      - driver project
  |-> .\ProcMonGUI   - GUI written with MFC

The project supports both x86 and x64 architectures and includes all necessary build configurations.

How the system loads a process

To create a Windows process, one of these functions is called: CreateProcess, CreateProcessAsUser, CreateProcessWithTokenW or CreateProcessWithLogonW. Creation consists of several steps performed by three OS components: Kernel32.dll (the client-side Windows library), the executive, and the Windows environment subsystem process (Csrss). Because the Windows architecture supports several environment subsystems, the operations needed to create the executive "process" object (which other environment subsystems can then use) are separated from those needed to create a Windows process. That is why part of what the CreateProcess Windows function does is specific to the semantics introduced by Windows.

Below is a list of the basic steps of process creation performed by the CreateProcess Windows function.

  1. The image file (EXE) that will run in the process is opened.
  2. The executive "process" object is created.
  3. The initial thread (stack, context and the executive "thread" object) is created.
  4. The Windows subsystem is notified of the creation of the new process and thread.
  5. The initial thread is started (unless the CREATE_SUSPENDED flag is set).
  6. In the context of the new process and thread, the address space is initialized (e.g. the necessary DLLs are loaded) and the program starts.

You can learn more about the process start sequence in Mark Russinovich's book "Microsoft Windows Internals".

An interesting feature of the process creation and loading mechanism is its notifications. Driver developers can subscribe to notifications about process creation and about the mapping of image files into memory.

The first notification is sent each time the system creates a process; the second, each time the system maps an image file, which can be either an executable or a DLL.

By means of these notifications, our driver learns about the start of a new process and can inform our application of it. The mechanism for passing this information to user mode is described below.
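In the kernel, the two subscriptions described above are made with PsSetCreateProcessNotifyRoutine (process creation) and PsSetLoadImageNotifyRoutine (image mapping). What the article's driver does with the first of them, hold the new process, ask user mode for a verdict keyed by PID, and release the process once the answer arrives, is easy to get subtly wrong: a reply for a PID that is not waiting must be ignored, and a process must still be released if user mode never answers. The following is an added example, not the article's or the project's code: it models that verdict flow in plain user-mode C so the logic can be exercised without a driver. The event struct, the deny list of image names and the pending table are constructed stand-ins for the driver's own message format and state.

```c
#include <assert.h>
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for what the driver hands to user mode on each
 * process start: the new process's PID and its image name.  The kernel
 * may report the image as a native path (\Device\HarddiskVolumeN\...),
 * so the policy below matches on the file-name component only. */
typedef struct {
    unsigned long pid;
    unsigned long parent_pid;
    const char *image_path;
} process_event_t;

typedef enum { VERDICT_ALLOW = 0, VERDICT_DENY = 1 } verdict_t;

/* Constructed deny list; Windows paths are case-insensitive, so the
 * comparison is too. */
static const char *const k_denied_images[] = { "notepad.exe", "calc.exe" };

/* Return the file-name component of a Win32 or native path. */
static const char *image_basename(const char *path)
{
    const char *base = path;
    for (const char *p = path; *p; ++p)
        if (*p == '\\' || *p == '/')
            base = p + 1;
    return base;
}

static int equals_ignore_case(const char *a, const char *b)
{
    for (; *a && *b; ++a, ++b)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return 0;
    return *a == '\0' && *b == '\0';
}

/* User-mode policy: deny when the image name is on the list. */
verdict_t evaluate_policy(const process_event_t *ev)
{
    const char *name = image_basename(ev->image_path);
    size_t n = sizeof k_denied_images / sizeof k_denied_images[0];
    for (size_t i = 0; i < n; ++i)
        if (equals_ignore_case(name, k_denied_images[i]))
            return VERDICT_DENY;
    return VERDICT_ALLOW;
}

/* Pending table: one entry per process the driver is holding while it
 * waits for user mode.  Kept as a fixed array to mirror what a driver
 * could do without dynamic allocation in the callback. */
#define MAX_PENDING 16
typedef struct {
    process_event_t ev;
    int answered;
    verdict_t verdict;
} pending_t;

static pending_t g_pending[MAX_PENDING];
static size_t g_pending_count;

/* Driver side: record that this PID is waiting.  Returns 0 when the table
 * is full, in which case the caller applies its default verdict. */
int queue_event(const process_event_t *ev)
{
    if (g_pending_count == MAX_PENDING)
        return 0;
    g_pending[g_pending_count].ev = *ev;
    g_pending[g_pending_count].answered = 0;
    g_pending[g_pending_count].verdict = VERDICT_ALLOW;
    g_pending_count++;
    return 1;
}

static pending_t *find_pending(unsigned long pid)
{
    for (size_t i = 0; i < g_pending_count; ++i)
        if (g_pending[i].ev.pid == pid)
            return &g_pending[i];
    return NULL;
}

/* User-mode reply: only PIDs that are actually waiting are accepted, so a
 * stale or mistaken reply cannot decide the fate of some other process. */
int deliver_verdict(unsigned long pid, verdict_t v)
{
    pending_t *p = find_pending(pid);
    if (!p)
        return 0;
    p->answered = 1;
    p->verdict = v;
    return 1;
}

/* Driver side: release the held process.  If user mode never answered
 * (for example because the GUI was closed), the caller's default applies;
 * the entry is removed either way so the table cannot leak. */
verdict_t release_process(unsigned long pid, verdict_t default_if_unanswered)
{
    pending_t *p = find_pending(pid);
    verdict_t v = default_if_unanswered;
    if (p) {
        if (p->answered)
            v = p->verdict;
        *p = g_pending[--g_pending_count];   /* swap-remove */
    }
    return v;
}

int main(void)
{
    process_event_t ev = { 1234, 4,
        "\\Device\\HarddiskVolume2\\Windows\\System32\\NOTEPAD.EXE" };
    queue_event(&ev);
    deliver_verdict(ev.pid, evaluate_policy(&ev));
    printf("pid %lu -> %s\n", ev.pid,
           release_process(ev.pid, VERDICT_ALLOW) == VERDICT_DENY ? "deny" : "allow");
    return 0;
}
```

The default passed to release_process is the one design decision a real implementation has to make explicitly: allowing on no answer keeps the machine usable if the user-mode component dies, denying on no answer is stricter but turns a crashed GUI into a system that cannot start anything.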

The complete article text is available only for the registered users. Please Log In or Register.