Who can tell me how to modify the address space of a process from a driver before the process runs?

  • Hi, everybody,

    I implemented modifying the address space of a process with two functions in ring 0 (R0):

    NTSTATUS status = PsLookupProcessByProcessId((HANDLE)PID, &pEProcess); // takes a reference on the target EPROCESS
    if (NT_SUCCESS(status))
        KeStackAttachProcess((PRKPROCESS)pEProcess, &KAPC);               // switch to the target's address space

    But I want to do it before the process runs.
    First I used ResumeThread to stop the process, but KeStackAttachProcess failed...

    I look forward to your answer. Thank you.

    Friday, July 29, 2016 8:01 AM

All replies

  • Well, first, I assume you meant SuspendThread, not ResumeThread, and that this is being done somehow in user space, independent of the driver. I guess the real question is: what are you really trying to do?

    Modifying a process is not something that should normally be done. Most malware detectors will find this and flag your code as malicious. So what is the goal you are trying to achieve with the modification?

    Even if you have a good reason for doing this, we need to know what you really want to do. For instance, you say before the process runs, but is it really before the code in "X" runs, which is quite different? When a process is starting up, it is findable by PsLookupProcessByProcessId or by the callback from PsSetCreateProcessNotifyRoutine, but it may not be in a state where anything can be done to it yet. Later on, as code modules get loaded, the process is running, but it is modifiable.

    Overall, explain what you want to do; hopefully we can suggest a solution that does not require modifying the process.

    Don Burn, Windows Driver Consulting

    Friday, July 29, 2016 11:36 AM