PspProcessOpen

1. //http://waleedassar.blogspot.com
2. //http://www.twitter.com/waleedassar
3.  
4. //The "nt!PspOpenProcess" function is currently only used for filling the
5. //"OpenProcedure" field of the "_OBJECT_TYPE_INITIALIZER" substructure of
6. //the "_OBJECT_TYPE" structure. ---> nt!PsProcessType->TypeInfo.OpenProcedure
7.  
8. //The "PspProcessOpen" function is called by the "nt!ObpIncrementHandleCountEx"
9. //function as part of the "nt!ObpCreateHandle" function.
10.  
11. //The function's main duty is to sanitise requested access rights on protected
12. //processes (DRM scheme) whenever the "OpenProcess/NtOpenProcess" functions are
13. //called to get the handle of a protected process. Only If the caller process
14. //is itself protected, then no sanitisation is conducted.
15.  
16. //Also, it makes sure that the new "PROCESS_QUERY_LIMITED_INFORMATION" access
17. //right is added whenever only PROCESS_QUERY_INFORMATION is requested.
18.  
19. int PspProcessOpen(void*    Dummy,
20.                    BOOL     CheckDRM,
21.            _EPROCESS* pCallerProcess,
22.            _EPROCESS* pCalleeProcess,
23.                unsigned long* pRequestedAccessRights)
24. {
25.  
26.     if( CheckDRM == TRUE  && pCallerProcess->Flags2.ProtectedProcess==FALSE)
27.     {
28.      if(pCalleeProcess->Flags2.ProtectedProcess)
29.      {
30.             //For actions on protected processes, only PROCESS_TERMINATE,
31.             //PROCESS_SUSPEND_RESUME, PROCESS_QUERY_LIMITED_INFORMATION,
32.             //and SYNCHRONIZE are allowed.
33.             if(*pRequestedAccessRights && 0xFE7FE)
34.                   return STATUS_ACCESS_DENIED;
35.     }
36.      }
37.      
38.      if( *pRequestedAccessRights & PROCESS_QUERY_INFORMATION)
39.         *pRequestedAccessRights |= PROCESS_QUERY_LIMITED_INFORMATION;
40.        
41.      return 0;
42. }