Tags: c, windows, kernel, driver, minifilter

Intercept Process Access using a Windows MiniFilter Driver


I am developing a security application which should monitor activity by any process.

I successfully managed to intercept file access by installing a MiniFilter driver, thanks to the MiniFilter sample provided by Microsoft on GitHub.

However, I did not find any documentation about how to intercept process creation/termination using a Minifilter.

I would like to intercept new process creation by any parent process (which could use functions like CreateProcess, ShellExecute etc.).

I would also like to intercept process termination signals (sent by APIs like TerminateProcess) to prevent my security program's process from being killed by potential malware.

At the moment I have set up a callback function in my minifilter driver which successfully intercepts file I/O operations, as instructed by the Microsoft example:

/* Post-create callback registered in the minifilter's FLT_OPERATION_REGISTRATION table */
FLT_POSTOP_CALLBACK_STATUS ScannerPostCreate (
    _Inout_ PFLT_CALLBACK_DATA CallbackData,
    _In_ PCFLT_RELATED_OBJECTS FltObjects,
    _In_opt_ PVOID CompletionContext,
    _In_ FLT_POST_OPERATION_FLAGS Flags
    );

My question is, can I use the same callback function to intercept process access? Or do I need to set up a different callback function, or use an entirely different method?


Solution

  • Since the minifilter is a kernel module, you can use any routine exported by kernel/HAL or other kernel modules. For example, PsSetCreateProcessNotifyRoutine.
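As an added example (not part of the question or the answer, and not Microsoft's minifilter sample), the following driver code shows the two kernel routines a minifilter can call for this: PsSetCreateProcessNotifyRoutineEx for process creation/exit notifications, and ObRegisterCallbacks to remove termination and injection rights from handles other processes open to the security product's own process. The kernel-only parts compile only in a WDK driver build (the split macro `_KERNEL_MODE`, the IOCTL that sets `g_ProtectedPid` and the altitude string are assumptions); the policy helpers are plain C so they can be unit-tested on any host.

```c
/* Added example, not from the question, the answer or Microsoft's sample.
 * Kernel-only code is compiled only inside a WDK driver build (assumed macro
 * _KERNEL_MODE); the policy helpers below are portable, testable C. */
#ifdef _KERNEL_MODE
#include <ntddk.h>
#else
/* User-mode stand-ins for the Windows types and constants the helpers use. */
#include <stddef.h>
#include <stdint.h>
typedef uint32_t ACCESS_MASK;
typedef unsigned char BOOLEAN;
typedef void *HANDLE;
#define TRUE  1
#define FALSE 0
#define PROCESS_TERMINATE          0x0001
#define PROCESS_CREATE_THREAD      0x0002
#define PROCESS_VM_OPERATION       0x0008
#define PROCESS_VM_WRITE           0x0020
#define PROCESS_QUERY_INFORMATION  0x0400
#define PROCESS_SUSPEND_RESUME     0x0800
#endif

/* Rights that let another process kill, suspend or inject into ours. */
#define PROTECTED_DENY_MASK (PROCESS_TERMINATE | PROCESS_CREATE_THREAD | \
                             PROCESS_VM_OPERATION | PROCESS_VM_WRITE | \
                             PROCESS_SUSPEND_RESUME)

/* Returns the requested access with the dangerous rights removed; query
 * rights are kept so tools such as Task Manager can still list the process. */
ACCESS_MASK FilterProtectedAccess(ACCESS_MASK desired)
{
    return desired & ~(ACCESS_MASK)PROTECTED_DENY_MASK;
}

/* Filter only handles that target the protected PID from some other process;
 * a process may always open itself, and no PID means nothing is protected. */
BOOLEAN ShouldProtectTarget(HANDLE protectedPid, HANDLE targetPid, HANDLE callerPid)
{
    return (protectedPid != NULL && targetPid == protectedPid &&
            callerPid != protectedPid) ? TRUE : FALSE;
}

#ifdef _KERNEL_MODE
static HANDLE g_ProtectedPid = NULL;  /* set by the user-mode service via an IOCTL (assumed) */
static PVOID  g_ObRegistration = NULL;

/* Create/exit notification: CreateInfo is non-NULL on creation, NULL on exit. */
static VOID ProcessNotifyEx(PEPROCESS Process, HANDLE ProcessId,
                            PPS_CREATE_NOTIFY_INFO CreateInfo)
{
    UNREFERENCED_PARAMETER(Process);
    if (CreateInfo != NULL) {
        DbgPrint("create pid=%p parent=%p image=%wZ\n", ProcessId,
                 CreateInfo->ParentProcessId, CreateInfo->ImageFileName);
    } else {
        DbgPrint("exit pid=%p\n", ProcessId);
        if (ProcessId == g_ProtectedPid) g_ProtectedPid = NULL;
    }
}

/* Pre-operation handle callback: downgrade DesiredAccess, never fail the open. */
static OB_PREOP_CALLBACK_STATUS ProcessHandlePre(PVOID Context,
                                                 POB_PRE_OPERATION_INFORMATION Info)
{
    HANDLE targetPid;
    UNREFERENCED_PARAMETER(Context);
    if (Info->ObjectType != *PsProcessType) return OB_PREOP_SUCCESS;
    targetPid = PsGetProcessId((PEPROCESS)Info->Object);
    if (!ShouldProtectTarget(g_ProtectedPid, targetPid, PsGetCurrentProcessId()))
        return OB_PREOP_SUCCESS;
    if (Info->Operation == OB_OPERATION_HANDLE_CREATE)
        Info->Parameters->CreateHandleInformation.DesiredAccess =
            FilterProtectedAccess(Info->Parameters->CreateHandleInformation.DesiredAccess);
    else
        Info->Parameters->DuplicateHandleInformation.DesiredAccess =
            FilterProtectedAccess(Info->Parameters->DuplicateHandleInformation.DesiredAccess);
    return OB_PREOP_SUCCESS;
}

/* Call from DriverEntry after FltRegisterFilter. Both routines require the
 * driver image to be linked with /INTEGRITYCHECK. */
NTSTATUS RegisterProcessCallbacks(void)
{
    OB_OPERATION_REGISTRATION op = { 0 };
    OB_CALLBACK_REGISTRATION reg = { 0 };
    NTSTATUS status = PsSetCreateProcessNotifyRoutineEx(ProcessNotifyEx, FALSE);
    if (!NT_SUCCESS(status)) return status;
    op.ObjectType = PsProcessType;
    op.Operations = OB_OPERATION_HANDLE_CREATE | OB_OPERATION_HANDLE_DUPLICATE;
    op.PreOperation = ProcessHandlePre;
    op.PostOperation = NULL;
    reg.Version = OB_FLT_REGISTRATION_VERSION;
    reg.OperationRegistrationCount = 1;
    RtlInitUnicodeString(&reg.Altitude, L"321000");  /* placeholder altitude */
    reg.RegistrationContext = NULL;
    reg.OperationRegistration = &op;
    status = ObRegisterCallbacks(&reg, &g_ObRegistration);
    if (!NT_SUCCESS(status))
        PsSetCreateProcessNotifyRoutineEx(ProcessNotifyEx, TRUE);  /* roll back */
    return status;
}

/* Call from the filter unload routine. */
VOID UnregisterProcessCallbacks(void)
{
    if (g_ObRegistration != NULL) {
        ObUnRegisterCallbacks(g_ObRegistration);
        g_ObRegistration = NULL;
    }
    PsSetCreateProcessNotifyRoutineEx(ProcessNotifyEx, TRUE);
}
#endif
```

The handle callback only strips rights from the DesiredAccess mask rather than failing the open, which is what ObRegisterCallbacks permits; a caller holding an already-open handle with PROCESS_TERMINATE is not affected, so the protection must be registered before the protected service starts. The create/exit notification is purely informational here (no CreationStatus change), matching the monitoring use case in the question.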