Hello,
You could block the process creation by setting the CreationStatus member in the PS_CREATE_NOTIFY_INFO structure to access denied in your callback.
I want to tell you that everything you are describing goes against Best Practices. I would suggest that you look at other solutions.
There are better ways to prevent malware or unwanted processes from executing. You should consider blocking the process earlier. One of the first things that occurs during process creation is that the operating system maps the executable into memory. You should intercept it here.
You would want to filter IRP_MJ_ACQUIRE_FOR_SECTION_SYNCHRONIZATION and look for PAGE_EXECUTE page protection. Block it at the file layer before it gets mapped into memory.
You should abandon your idea to kill the process after it's already running. Consider blocking it at the file layer.
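Added example (not code from the reply above, nor from any shipping filter): the two checks the reply describes, a minifilter pre-operation callback on IRP_MJ_ACQUIRE_FOR_SECTION_SYNCHRONIZATION that denies a PAGE_EXECUTE* mapping for a blocklisted image, and the PS_CREATE_NOTIFY_INFO fallback that sets CreationStatus to STATUS_ACCESS_DENIED. The callbacks are compiled only when the WDK defines _KERNEL_MODE; on a host compiler the few WDK types and constants are replaced by local stand-ins so the shared policy function can be exercised on its own. The blocklist entries and the paths in the comments are constructed samples, and the assumption that the memory-protection constants match the public SDK values is noted in the code.

```c
/* Added example: file-layer deny of executable mappings. Kernel parts build
   only under the WDK (_KERNEL_MODE); the policy logic builds anywhere. */
#ifdef _KERNEL_MODE
#include <fltKernel.h>
#else
#include <stddef.h>
#include <wchar.h>
typedef unsigned long ULONG;
typedef wchar_t WCHAR;
typedef int BOOLEAN;
#define TRUE 1
#define FALSE 0
/* Assumption: stand-ins for the SDK memory-protection constants (same values). */
#define PAGE_EXECUTE           0x10
#define PAGE_EXECUTE_READ      0x20
#define PAGE_EXECUTE_READWRITE 0x40
#define PAGE_EXECUTE_WRITECOPY 0x80
#endif

#define EXECUTE_MASK (PAGE_EXECUTE | PAGE_EXECUTE_READ | \
                      PAGE_EXECUTE_READWRITE | PAGE_EXECUTE_WRITECOPY)

/* Constructed sample blocklist: image names that must never be mapped executable. */
static const WCHAR *const g_BlockedImages[] = { L"unwanted.exe", L"dropper.dll" };

static WCHAR FoldAscii(WCHAR c) { return (c >= L'A' && c <= L'Z') ? (WCHAR)(c + 32) : c; }

/* TRUE when the final path component equals name, ignoring ASCII case.
   A separator must precede the name so "notunwanted.exe" is not a match. */
static BOOLEAN PathEndsWithName(const WCHAR *path, size_t pathLen, const WCHAR *name)
{
    size_t nameLen = 0;
    while (name[nameLen] != 0) nameLen++;
    if (pathLen < nameLen) return FALSE;
    if (pathLen > nameLen) {
        WCHAR sep = path[pathLen - nameLen - 1];
        if (sep != L'\\' && sep != L'/') return FALSE;
    }
    for (size_t i = 0; i < nameLen; i++)
        if (FoldAscii(path[pathLen - nameLen + i]) != FoldAscii(name[i])) return FALSE;
    return TRUE;
}

/* Any of the four execute protections means the section could run code. */
BOOLEAN IsExecuteProtection(ULONG pageProtection) { return (pageProtection & EXECUTE_MASK) != 0; }

/* Policy shared by both callbacks: deny only executable mappings of blocklisted images. */
BOOLEAN ShouldDenyExecutableMap(ULONG pageProtection, const WCHAR *path, size_t pathLen)
{
    if (!IsExecuteProtection(pageProtection)) return FALSE;   /* plain data mappings pass */
    for (size_t i = 0; i < sizeof(g_BlockedImages) / sizeof(g_BlockedImages[0]); i++)
        if (PathEndsWithName(path, pathLen, g_BlockedImages[i])) return TRUE;
    return FALSE;
}

#ifdef _KERNEL_MODE
/* Pre-operation callback registered for IRP_MJ_ACQUIRE_FOR_SECTION_SYNCHRONIZATION.
   Completing the request with STATUS_ACCESS_DENIED stops the section from ever
   being created, so the image is never mapped and no process starts from it. */
FLT_PREOP_CALLBACK_STATUS
PreAcquireForSectionSync(PFLT_CALLBACK_DATA Data, PCFLT_RELATED_OBJECTS FltObjects, PVOID *CompletionContext)
{
    PFLT_FILE_NAME_INFORMATION nameInfo = NULL;
    ULONG protection = Data->Iopb->Parameters.AcquireForSectionSynchronization.PageProtection;
    UNREFERENCED_PARAMETER(FltObjects);
    UNREFERENCED_PARAMETER(CompletionContext);

    if (!IsExecuteProtection(protection)) return FLT_PREOP_SUCCESS_NO_CALLBACK;

    if (NT_SUCCESS(FltGetFileNameInformation(Data, FLT_FILE_NAME_NORMALIZED | FLT_FILE_NAME_QUERY_DEFAULT, &nameInfo))) {
        BOOLEAN deny = ShouldDenyExecutableMap(protection, nameInfo->Name.Buffer,
                                               nameInfo->Name.Length / sizeof(WCHAR));
        FltReleaseFileNameInformation(nameInfo);
        if (deny) {
            Data->IoStatus.Status = STATUS_ACCESS_DENIED;
            Data->IoStatus.Information = 0;
            return FLT_PREOP_COMPLETE;
        }
    }
    return FLT_PREOP_SUCCESS_NO_CALLBACK;
}

/* The fallback from the reply: a PsSetCreateProcessNotifyRoutineEx callback that
   sets CreationStatus so the new process is refused before it runs. */
VOID CreateProcessNotifyEx(PEPROCESS Process, HANDLE ProcessId, PPS_CREATE_NOTIFY_INFO CreateInfo)
{
    UNREFERENCED_PARAMETER(Process);
    UNREFERENCED_PARAMETER(ProcessId);
    if (CreateInfo == NULL || CreateInfo->ImageFileName == NULL) return;   /* exit notification */
    if (ShouldDenyExecutableMap(PAGE_EXECUTE, CreateInfo->ImageFileName->Buffer,
                                CreateInfo->ImageFileName->Length / sizeof(WCHAR)))
        CreateInfo->CreationStatus = STATUS_ACCESS_DENIED;
}
#endif
```

The file-layer callback refuses only mappings that ask for execute protection, so ordinary reads and copies of the same file still succeed, which is what keeps the check from breaking backup and scanning tools. Matching on the final path component is deliberately simple; a real policy would key on a hash or signer rather than a file name.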