waliedassar

PspProcessOpen

Nov 8th, 2013
899
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
C 1.63 KB | None | 0 0
  1. //http://waleedassar.blogspot.com
  2. //http://www.twitter.com/waleedassar
  3.  
  4. //The "nt!PspOpenProcess" function is currently only used for filling the
  5. //"OpenProcedure" field of the "_OBJECT_TYPE_INITIALIZER" substructure of
  6. //the "_OBJECT_TYPE" structure. ---> nt!PsProcessType->TypeInfo.OpenProcedure
  7.  
  8. //The "PspProcessOpen" function is called by the "nt!ObpIncrementHandleCountEx"
  9. //function as part of the "nt!ObpCreateHandle" function.
  10.  
  11. //The function's main duty is to sanitise requested access rights on protected
  12. //processes (DRM scheme) whenever the "OpenProcess/NtOpenProcess" functions are
  13. //called to get the handle of a protected process. Only If the caller process
  14. //is itself protected, then no sanitisation is conducted.
  15.  
  16. //Also, it makes sure that the new "PROCESS_QUERY_LIMITED_INFORMATION" access
  17. //right is added whenever only PROCESS_QUERY_INFORMATION is requested.
  18.  
  19. int PspProcessOpen(void*    Dummy,
  20.                    BOOL     CheckDRM,
  21.            _EPROCESS* pCallerProcess,
  22.            _EPROCESS* pCalleeProcess,
  23.                unsigned long* pRequestedAccessRights)
  24. {
  25.  
  26.     if( CheckDRM == TRUE  && pCallerProcess->Flags2.ProtectedProcess==FALSE)
  27.     {
  28.      if(pCalleeProcess->Flags2.ProtectedProcess)
  29.      {
  30.             //For actions on protected processes, only PROCESS_TERMINATE,
  31.             //PROCESS_SUSPEND_RESUME, PROCESS_QUERY_LIMITED_INFORMATION,
  32.             //and SYNCHRONIZE are allowed.
  33.             if(*pRequestedAccessRights && 0xFE7FE)
  34.                   return STATUS_ACCESS_DENIED;
  35.     }
  36.      }
  37.      
  38.      if( *pRequestedAccessRights & PROCESS_QUERY_INFORMATION)
  39.         *pRequestedAccessRights |= PROCESS_QUERY_LIMITED_INFORMATION;
  40.        
  41.      return 0;
  42. }
Add Comment
Please, Sign In to add comment