The free OSR Learning Library has more than 50 articles on a wide variety of topics about writing and debugging device drivers and Minifilters. From introductory level to advanced. All the articles have been recently reviewed and updated, and are written using the clear and definitive style you've come to expect from OSR over the years.
Check out The OSR Learning Library at: https://www.osr.com/osr-learning-library/
I am making program which detect new files from external source such as web download, usb.
after detecting file, I send it to webserver that has anti virus program and get the result whether the file is malicious or not.
and If it is malicious I move that file to other folder.
I made detecting file using IRP_MJ_SET endoffileinformation. but I don't make preventig file execution perfectly.
Program that I made can prevent file execution. but some files are not prevented from execution.
and some install file doesn't work well.
I just implemented preventing file execution by watching fileinfoclass. but It is not perfect.
Is there a way to distinguish copy from execution in IRP_MJ_CREATE?
or how to make that program?
|Upcoming OSR Seminars|
|OSR has suspended in-person seminars due to the Covid-19 outbreak. But, don't miss your training! Attend via the internet instead!||Kernel Debugging||30 Mar 2020||OSR Seminar Space|
|Developing Minifilters||15 Jun 2020||LIVE ONLINE|
|Writing WDF Drivers||22 June 2020||LIVE ONLINE|
|Internals & Software Drivers||28 Sept 2020||Dulles, VA|