Blocking Operations Probe
Let’s do something more interesting than printing the message. We want to write a probe which will forbid notepad.exe
process creation. Let’s see what it takes and what features are available in package execution environment. Replace My Process Created.lua
file content with the following code.
-- Use sysapi library
setfenv(1, require "sysapi-ns")
-- FilePath class
local FilePath = require "file.Path"
Probe {
name = "My Process Created",
hooks = {
{
name = "MyNtCreateUserProcess",
---@param context EntryExecutionContext
onEntry = function(context)
local imagePath = FilePath.fromUS(context.p.ProcessParameters.ImagePathName)
if imagePath.basename:lower() == "notepad" then
context.r.eax = STATUS_ACCESS_DENIED
context:skipFunction()
end
end
}
}
}
Let’s also change the test to this code that will try to create two different processes. Creating the first should succeed. Creating the second process should be blocked due to our probe.
setfenv(1, require "sysapi-ns")
local Process = require "process.Process"
local package = Package "My Process Created"
local function createAndTerminateProcess(path)
local p = Process.run(path)
if p then
p:terminate()
return true
end
return false
end
Case("Main") {
case = function()
package:load()
-- Here we are able to run calc.exe process.
assert(createAndTerminateProcess("calc.exe") == true)
-- Running notepad.exe should be failed
assert(createAndTerminateProcess("notepad.exe") == false)
assert(ffi.C.GetLastError(), ERROR_ACCESS_DENIED)
package:unload()
end
}
And run hdk
tool
.\bin\hdk --run-test "My Process Created"
dbg: Run case [Main]
dbg: Package [My Process Created] has been loaded successfully, id = 127
dbg: Package [My Process Created] has been unloaded successfully
Received events:
----------------------------------
Let’s see what happened:
- Test loaded package “My Process Created”. It means that the probe and all of its dependent hooks were loaded.
- The test tried to start two processes:
calc.exe
andnotepad.exe
- The first attempt was successful because
calc.exe
is allowed to run. - The second attempt failed because it tried starting notepad.exe and our probe blocked it as it’s a forbidden process.
To block an operation the probe calls skipFunction when it detects a forbidden process name. This context method tells the hook to not call the actual hooked function. In this case this means the process will not be started if skipFunction is used.
context:skipFunction()
We also had to tell the probe what value to return to the caller of NtCreateUserProcess
when we skipped it. In this case we return STATUS_ACCESS_DENIED
NT Status. Alternatively, you can return STATUS_SUCCESS
to pretend the operation was successful or any other error value you want.
context.r.eax = STATUS_ACCESS_DENIED
In the next step we will show how probe packages could generate events that can be analyzed in a central location.