8

I've got a driver that tampers with user-space processes by sending APC calls upon process start, using the call PsSetCreateProcessNotifyRoutine.

I wish to avoid tampering with any process that is critical for the OS stability, since my APC also eventually decides to kill the process.

So far I've used PsIsProtectedProcess and PsIsProtectedProcessLight in order to detect protected processes.

However, it appears that there are some processes such as smss.exe, csrss.exe and wininit.exe that are defined as critical processes, and I also wish to avoid them.

Perhaps anybody knows the difference between a protected and a critical process, and how I can detect a critical process programmatically from kernel mode (maybe it has an ad-hoc field in EPROCESS?)

thanks,

1 Answer

6

It seems the correct term is Critical System Service. There are APIs from userland, but I can't find anything for the kernel. So I took a quick look into RstrtMgr.dll, and it seems the list is actually hardcoded...

For the processes:

  • system32\csrss.exe
  • system32\smss.exe
  • system32\lsass.exe
  • system32\wininit.exe
  • system32\logonui.exe
  • system32\services.exe
  • system32\winlogon.exe

For the services (specific case for svchost.exe):

  • BrokerInfrastructure
  • DcomLaunch
  • LSM
  • Power
  • RpcEptMapper
  • RpcSs
  • SamSs

There is probably another way to achieve that. After all, Windows BSODs if one of these processes is killed.

Edit: It seems nt!EPROCESS::BreakOnTermination is what you're looking for. The real field is nt!EPROCESS::Flags and the mask 0x2000. If this bit is set, PspExitThread will BSOD with CRITICAL_PROCESS_DIED.
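The following is an added example, not code from the asker or the answerer, that turns both signals in the answer into a check a driver author or EDR response component might run before deciding to terminate a process: the hard-coded image and svchost service list recovered from RstrtMgr.dll, and the BreakOnTermination bit named in the edit. The bit is read from user mode through NtQueryInformationProcess with the ProcessBreakOnTermination information class (assumption: class number 29 returning a ULONG, as in the winternl/ntddk definitions; a kernel driver would call ZwQueryInformationProcess with the same class rather than hard-coding the EPROCESS flag offset). The list comparison is path-qualified on purpose: a binary named csrss.exe outside system32 is not a critical system service, and the list alone cannot see the BreakOnTermination bit a process may have set on itself, which is why both checks are combined.

```python
"""Is a Windows process a Critical System Service?  Two signals:
1. the image/service list from the answer (hard-coded in RstrtMgr.dll);
2. the EPROCESS BreakOnTermination bit, read live on Windows only.
The list check runs anywhere; the live query needs Windows and ctypes.
"""
import ctypes
import sys
from typing import Iterable, Optional

# Image paths from the answer; compared case-insensitively on the path tail
# so "C:\Windows\System32\csrss.exe" and "system32\csrss.exe" agree.
CRITICAL_IMAGES = (
    r"system32\csrss.exe", r"system32\smss.exe", r"system32\lsass.exe",
    r"system32\wininit.exe", r"system32\logonui.exe",
    r"system32\services.exe", r"system32\winlogon.exe",
)

# Service names that make an svchost.exe instance critical (from the answer).
CRITICAL_SVCHOST_SERVICES = frozenset(s.lower() for s in (
    "BrokerInfrastructure", "DcomLaunch", "LSM", "Power",
    "RpcEptMapper", "RpcSs", "SamSs",
))

PROCESS_QUERY_INFORMATION = 0x0400   # OpenProcess access right
PROCESS_BREAK_ON_TERMINATION = 29    # PROCESSINFOCLASS value (assumption, see lead-in)


def _normalize(path: str) -> str:
    """Lower-case and unify separators so comparison is shape-insensitive."""
    return path.replace("/", "\\").lower()


def is_critical_by_list(image_path: str, hosted_services: Iterable[str] = ()) -> bool:
    """True if image_path is on the list, or is an svchost hosting a listed service.
    Only a system32-qualified path matches: a same-named copy elsewhere does not."""
    norm = _normalize(image_path)
    if any(norm == tail or norm.endswith("\\" + tail) for tail in CRITICAL_IMAGES):
        return True
    if norm == "svchost.exe" or norm.endswith("\\svchost.exe"):
        return any(s.lower() in CRITICAL_SVCHOST_SERVICES for s in hosted_services)
    return False


def query_break_on_termination(pid: int) -> bool:
    """Read the BreakOnTermination bit (nt!EPROCESS::Flags & 0x2000 in the
    answer) for a live process via NtQueryInformationProcess.  Windows only."""
    if sys.platform != "win32":
        raise OSError("NtQueryInformationProcess is only available on Windows")
    kernel32 = ctypes.WinDLL("kernel32", use_last_error=True)
    ntdll = ctypes.WinDLL("ntdll")
    kernel32.OpenProcess.restype = ctypes.c_void_p
    kernel32.OpenProcess.argtypes = (ctypes.c_ulong, ctypes.c_int, ctypes.c_ulong)
    kernel32.CloseHandle.argtypes = (ctypes.c_void_p,)
    ntdll.NtQueryInformationProcess.restype = ctypes.c_long  # NTSTATUS
    ntdll.NtQueryInformationProcess.argtypes = (
        ctypes.c_void_p, ctypes.c_int, ctypes.c_void_p, ctypes.c_ulong,
        ctypes.POINTER(ctypes.c_ulong))
    handle = kernel32.OpenProcess(PROCESS_QUERY_INFORMATION, 0, pid)
    if not handle:
        raise ctypes.WinError(ctypes.get_last_error())
    try:
        flag, returned = ctypes.c_ulong(0), ctypes.c_ulong(0)
        status = ntdll.NtQueryInformationProcess(
            handle, PROCESS_BREAK_ON_TERMINATION, ctypes.byref(flag),
            ctypes.sizeof(flag), ctypes.byref(returned))
        if status < 0:  # NTSTATUS failures have the high bit set
            raise OSError("NtQueryInformationProcess failed: 0x%08x" % (status & 0xFFFFFFFF))
        return bool(flag.value)
    finally:
        kernel32.CloseHandle(handle)


def is_critical(image_path: str, hosted_services: Iterable[str] = (),
                pid: Optional[int] = None) -> bool:
    """Combine both signals: list match, or (when a pid is given on Windows)
    the live BreakOnTermination bit.  Either one is enough to refuse a kill."""
    if is_critical_by_list(image_path, hosted_services):
        return True
    if pid is not None and sys.platform == "win32":
        return query_break_on_termination(pid)
    return False


if __name__ == "__main__":
    # Constructed sample inputs; no live process is touched here.
    for path, svcs in ((r"C:\Windows\System32\csrss.exe", ()),
                       (r"C:\Users\u\AppData\Local\Temp\csrss.exe", ()),
                       (r"C:\Windows\System32\svchost.exe", ("RpcSs",)),
                       (r"C:\Windows\System32\svchost.exe", ("Spooler",))):
        print(path, svcs, "->", is_critical_by_list(path, svcs))
```

On Windows, `is_critical(path, services, pid=<pid>)` adds the live bit; elsewhere only the list is consulted, so a response action running in a non-Windows test harness still gets a deterministic answer.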
