Link Search Menu Expand Document

Using onExit callback

Besides onEntry callback probes could have onExit callback which is called if it is defined and onEntry doesn’t call skipExitHook or skipFunction context methods. Let’s add to our probe generating an event for all successful process creation operations.

setfenv(1, require "sysapi-ns")
local FilePath = require "file.Path"
local ProcessEntity = hp.ProcessEntity
local EventChannel = hp.EventChannel

Probe {
  name = "My Process Created",
  hooks = {
      name = "MyNtCreateUserProcess",
      ---@param context EntryExecutionContext
      onEntry = function(context)
        local imagePath = FilePath.fromUS(context.p.ProcessParameters.ImagePathName)
        if imagePath.basename:lower() == "notepad" then
          context.r.eax = STATUS_ACCESS_DENIED
            "Attempt to start forbidden process",
              processPath = imagePath.full,
              parentProcess = ProcessEntity.fromCurrent()
      ---@param context ExitExecutionContext
      onExit = function(context)
        -- Create one more event if a process was created successfully
        if context.retval == STATUS_SUCCESS then
            "My Process Created",
              newProcess = ProcessEntity.fromHandle(context.p.ProcessHandle[0]),
              parentProcess = ProcessEntity.fromCurrent()
          ):send(EventChannel.file, EventChannel.splunk)

We have defined an onExit handler that generates an event only when the hooked function was actually successful. This way we can collect events only when a process was actually created.

Finally, run the test:

.\bin\hdk --run-test "My Process Created"

You will see something like:

Received events:
Attempt to start forbidden process: 1
My Process Created: 1

Here we generated an event for blocked process creation and another event for successful process creation.

Follow the next part where we will show how to inject the probe into a process for testing.

Copyright © 2020 Hyperionix, Inc.