I've got a driver that tampers with user-space processes by sending APC calls upon process start, using the call PsSetCreateProcessNotifyRoutine.

I wish to avoid tampering with any process that is critical for OS stability, since my APC also eventually decides to kill the process.

So far I've used PsIsProtectedProcess and PsIsProtectedProcessLight in order to detect protected processes. However, it appears that there are some processes, such as smss.exe, csrss.exe and wininit.exe, that are defined as critical processes, and I also wish to avoid them.

Perhaps anybody knows the difference between a protected and a critical process, and how I can detect a critical process programmatically from kernel mode (maybe it has an ad-hoc field in EPROCESS?).

thanks,