I am writing a process access filter through ObRegisterCallbacks.
OB_PREOP_CALLBACK_STATUS PreCallback(PVOID RegistrationContext, POB_PRE_OPERATION_INFORMATION pOperationInformation)
{
    UNREFERENCED_PARAMETER(RegistrationContext);

    // Object being opened is the target process; the callback itself runs in the requester's context.
    PEPROCESS OpenedProcess = (PEPROCESS)pOperationInformation->Object;
    PEPROCESS CurrentProcess = PsGetCurrentProcess();
    UNREFERENCED_PARAMETER(OpenedProcess);
    UNREFERENCED_PARAMETER(CurrentProcess);

    // Copy the 15-character ImageFileName out of EPROCESS (iOffset holds the version-specific field offsets).
    char szProcName[16] = { 0, };
    strcpy_s(szProcName, 16, (const char*)((DWORD64)pOperationInformation->Object + iOffset.ImageFileName_off));
    UINT64* id = (UINT64*)((DWORD64)pOperationInformation->Object + iOffset.UniqueProcessid_off);
    UNREFERENCED_PARAMETER(id);
    //PEPROCESS ProtectedProcess;
    //PsLookupProcessByProcessId(*id, &ProtectedProcess); // Getting the PEPROCESS using the PID

    if (!_strnicmp(szProcName, "notepad.exe", 16))
    {
        if (pOperationInformation->Operation == OB_OPERATION_HANDLE_CREATE)
        {
            // Strip the rights that would let the requester kill or tamper with the protected process.
            if ((pOperationInformation->Parameters->CreateHandleInformation.OriginalDesiredAccess & PROCESS_TERMINATE) == PROCESS_TERMINATE)
            {
                pOperationInformation->Parameters->CreateHandleInformation.DesiredAccess &= ~PROCESS_TERMINATE;
            }
            if ((pOperationInformation->Parameters->CreateHandleInformation.OriginalDesiredAccess & PROCESS_VM_READ) == PROCESS_VM_READ)
            {
                pOperationInformation->Parameters->CreateHandleInformation.DesiredAccess &= ~PROCESS_VM_READ;
            }
            if ((pOperationInformation->Parameters->CreateHandleInformation.OriginalDesiredAccess & PROCESS_VM_OPERATION) == PROCESS_VM_OPERATION)
            {
                pOperationInformation->Parameters->CreateHandleInformation.DesiredAccess &= ~PROCESS_VM_OPERATION;
            }
            if ((pOperationInformation->Parameters->CreateHandleInformation.OriginalDesiredAccess & PROCESS_VM_WRITE) == PROCESS_VM_WRITE)
            {
                pOperationInformation->Parameters->CreateHandleInformation.DesiredAccess &= ~PROCESS_VM_WRITE;
            }
        }
    }
    return OB_PREOP_SUCCESS;
}
If you start the driver after starting the program, everything is fine. If the program is started after the driver starts, the program hangs. I assume that the program cannot get a HANDLE on itself.
How to find out who sent the request? How to find out the PID of the process that sent the request?
In this callback, the current context is the operation requester. Just call PsGetCurrentProcess and PsGetCurrentProcessId to get the PEPROCESS and Id of the current context.
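An added example (not the asker's or the answerer's code) of putting that answer to use: the filtering decision is pulled out into a pure function that takes the requester's PID, the target's PID, a protected flag and the requested rights, so the self-open case that causes the hang can be handled and tested in user mode. The kernel part below it is compiled only when the DRIVER_BUILD macro (assumed for this example) is defined; it obtains the requester with PsGetCurrentProcessId, the target with the documented PsGetProcessId, and the image name with PsGetProcessImageFileName, which ntoskrnl exports but the public headers do not declare. The EX_ constants copy the public PROCESS_* access-right values.

```c
#include <stdint.h>

/* Process access-right bits, copied from the public Win32 definitions
 * (PROCESS_TERMINATE, PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE). */
#define EX_PROCESS_TERMINATE    0x0001u
#define EX_PROCESS_VM_OPERATION 0x0008u
#define EX_PROCESS_VM_READ      0x0010u
#define EX_PROCESS_VM_WRITE     0x0020u
#define EX_STRIPPED_RIGHTS (EX_PROCESS_TERMINATE | EX_PROCESS_VM_OPERATION | \
                            EX_PROCESS_VM_READ | EX_PROCESS_VM_WRITE)

/* Pure policy: given who is asking (requesterPid), which process the handle
 * targets (targetPid), whether that target is one we protect, and the rights
 * requested, return the rights the handle should actually receive. A process
 * opening itself is left alone; stripping rights from that self-open is what
 * blocks the protected program's own startup, the hang described above. */
uint32_t FilterProcessAccess(uint64_t requesterPid, uint64_t targetPid,
                             int targetIsProtected, uint32_t desiredAccess)
{
    if (!targetIsProtected)
        return desiredAccess;           /* not a process we care about */
    if (requesterPid == targetPid)
        return desiredAccess;           /* self-open: keep the requested rights */
    return desiredAccess & ~EX_STRIPPED_RIGHTS;
}

#ifdef DRIVER_BUILD   /* kernel-only part; DRIVER_BUILD is a macro assumed for this example */
#include <ntddk.h>
#include <string.h>

/* Exported by ntoskrnl but not declared in the public headers. */
NTKERNELAPI PCHAR NTAPI PsGetProcessImageFileName(_In_ PEPROCESS Process);

static int IsProtectedImage(PEPROCESS Process)
{
    /* EPROCESS.ImageFileName is a 15-character, NUL-terminated buffer. */
    return _strnicmp(PsGetProcessImageFileName(Process), "notepad.exe", 15) == 0;
}

OB_PREOP_CALLBACK_STATUS PreCallback(PVOID RegistrationContext,
                                     POB_PRE_OPERATION_INFORMATION Info)
{
    UNREFERENCED_PARAMETER(RegistrationContext);

    if (Info->ObjectType != *PsProcessType)
        return OB_PREOP_SUCCESS;        /* only process handles are filtered here */

    PEPROCESS target = (PEPROCESS)Info->Object;
    /* The callback runs on the thread making the request, so the current
     * process is the requester (the point made in the answer above). */
    uint64_t requesterPid = (uint64_t)(ULONG_PTR)PsGetCurrentProcessId();
    uint64_t targetPid    = (uint64_t)(ULONG_PTR)PsGetProcessId(target);
    int isProtected = IsProtectedImage(target);

    /* Filter both paths: a handle can reach a protected process by
     * duplication as well as by creation. */
    if (Info->Operation == OB_OPERATION_HANDLE_CREATE) {
        ACCESS_MASK *access = &Info->Parameters->CreateHandleInformation.DesiredAccess;
        *access = FilterProcessAccess(requesterPid, targetPid, isProtected, *access);
    } else if (Info->Operation == OB_OPERATION_HANDLE_DUPLICATE) {
        ACCESS_MASK *access = &Info->Parameters->DuplicateHandleInformation.DesiredAccess;
        *access = FilterProcessAccess(requesterPid, targetPid, isProtected, *access);
    }
    return OB_PREOP_SUCCESS;
}
#endif
```

Keeping the decision in FilterProcessAccess means the self-open exemption and the stripped-rights mask can be checked with ordinary user-mode assertions before the driver is loaded, and the kernel callback stays a thin adapter around documented calls rather than hard-coded EPROCESS offsets.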