Tags: c++, windows-kernel

Removing the desired access in the pre-operation routine in kernel mode leaves the process in eternal suspension


I am new to kernel and C++ development, but I am trying to develop a test handler in which the PROCESS_SUSPEND_RESUME flag of OperationInformation->Parameters->CreateHandleInformation.DesiredAccess can be removed in the pre-operation routine for a specific process (notepad.exe).


// Pre-operation callback registered with ObRegisterCallbacks for PsProcessType.
OB_PREOP_CALLBACK_STATUS PreOperationCallback(PVOID RegistrationContext, POB_PRE_OPERATION_INFORMATION OperationInformation)
{
    UNREFERENCED_PARAMETER(RegistrationContext);

    if (OperationInformation->Operation == OB_OPERATION_HANDLE_CREATE)
    {
        // Strip PROCESS_TERMINATE (0x0001) and PROCESS_SUSPEND_RESUME (0x0800) from the requested access.
        OperationInformation->Parameters->CreateHandleInformation.DesiredAccess &= ~PROCESS_TERMINATE;
        OperationInformation->Parameters->CreateHandleInformation.DesiredAccess &= ~PROCESS_SUSPEND_RESUME;

        KdPrint(("[OperationInformation->Operation]: OB_OPERATION_HANDLE_CREATE\r\n"));
    }
    return OB_PREOP_SUCCESS;
}

I can remove the flag 0x0001, which is PROCESS_TERMINATE, and 0x0800, which is PROCESS_SUSPEND_RESUME, but when the process is created it stays suspended forever. My goal for the test is to run notepad.exe normally and prevent the process from being suspended or terminated.

I am using Visual Studio 2019 on the host computer. The physical target PC and the host are both running Windows 10 1909.


Solution

  • I found an easy solution. Simply run notepad.exe and then instruct the kernel driver to remove this flag (0x0800). Notepad.exe could not be suspended or resumed.
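The decision logic behind the answer above, as an added example that is not the asker's driver code: a host-side C model of the pre-operation callback that strips PROCESS_TERMINATE and PROCESS_SUSPEND_RESUME only for the protected PID, only once protection has been armed (after the process is running), and on both the handle-create and handle-duplicate paths. The PreOpInfo and ProtectionPolicy structs, the PID 4242 and FilterDesiredAccess are constructed for this example; in a real driver the target PID comes from PsGetProcessId((PEPROCESS)OperationInformation->Object).

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

typedef uint32_t ACCESS_MASK;

/* Access bits and operation codes as defined in the WDK (ntddk.h). */
#define PROCESS_TERMINATE             0x0001
#define PROCESS_SUSPEND_RESUME        0x0800
#define PROCESS_ALL_ACCESS            0x1FFFFF
#define OB_OPERATION_HANDLE_CREATE    1
#define OB_OPERATION_HANDLE_DUPLICATE 2
#define PROTECTED_BITS (PROCESS_TERMINATE | PROCESS_SUSPEND_RESUME)

/* Constructed, reduced replica of OB_PRE_OPERATION_INFORMATION: only the
   fields the decision touches. TargetPid stands in for PsGetProcessId(Object). */
typedef struct {
    uint32_t Operation;
    uint32_t TargetPid;
    struct { ACCESS_MASK DesiredAccess; } CreateHandleInformation;
    struct { ACCESS_MASK DesiredAccess; } DuplicateHandleInformation;
} PreOpInfo;

/* Constructed policy: which PID to protect, and whether protection is armed.
   Per the answer, Armed is set only after notepad.exe has finished starting,
   so the creator's initial handle request is left untouched. */
typedef struct { uint32_t ProtectedPid; bool Armed; } ProtectionPolicy;

/* Strips the protected bits in place; returns the bits removed (0 = untouched). */
ACCESS_MASK FilterDesiredAccess(const ProtectionPolicy *policy, PreOpInfo *info)
{
    if (!policy->Armed || info->TargetPid != policy->ProtectedPid)
        return 0;
    ACCESS_MASK *mask;
    switch (info->Operation) {
    case OB_OPERATION_HANDLE_CREATE:    mask = &info->CreateHandleInformation.DesiredAccess;    break;
    case OB_OPERATION_HANDLE_DUPLICATE: mask = &info->DuplicateHandleInformation.DesiredAccess; break;
    default: return 0;   /* unknown operation: do not touch the request */
    }
    ACCESS_MASK removed = *mask & PROTECTED_BITS;
    *mask &= ~PROTECTED_BITS;
    return removed;
}

int main(void)
{
    ProtectionPolicy policy = { 4242, false };                 /* notepad.exe, not yet armed */
    PreOpInfo create = { OB_OPERATION_HANDLE_CREATE, 4242, { PROCESS_ALL_ACCESS }, { 0 } };
    printf("during startup: removed 0x%X\n", FilterDesiredAccess(&policy, &create));
    policy.Armed = true;                                       /* process is running: arm */
    printf("after startup: removed 0x%X, left 0x%X\n",
           FilterDesiredAccess(&policy, &create), create.CreateHandleInformation.DesiredAccess);
    return 0;
}
```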