Intercepting process execution in a NT driver

I h开发者_运维知识库ave developed a driver for Windows XP which is able to monitor the execution of processes.

A callback function receives the notifications using standard WDK API (PsSetCreateProcessNotifyRoutine).

The driver then decides if the process should be authorized or not; if not, it must block its execution/kill it.

What is the cleanest way to intercept execution that way? I do not mind if it is not documented, but I would rather not resort to hooking, if possible.

Ok, according to this document:

http://download.microsoft.com/download/4/4/b/44bb7147-f058-4002-9ab2-ed22870e3fe9/Kernal%20Data%20and%20Filtering%20Support%20for%20Windows%20Server%202008.doc

I need to install a minifilter for IRP_MJ_ACQUIRE_FOR_SECTION_SYNCHRONIZATION and check for PageProtection == PAGE_EXECUTE.

PsSetCreateProcessNotifyRoutineEx (Vista+) will allow you to cause the process-creation operation to fail by changing the CreateInfo->CreationStatus member to an NTSTATUS error code.