
Can I block the DLL use of an application using mini filter.

Nikhil_V_S Member - All Emails Posts: 58

I need to block the dll file use of the application using minifilter.
Is it possible?
Please help.


  • rstruempf Member Posts: 103

    The easiest way I know to block use of a dll is to handle IRP_MJ_ACQUIRE_FOR_SECTION_SYNCHRONIZATION, and check for PageProtection of PAGE_EXECUTE (or one of the other page execute values).

  • Nikhil_V_S Member - All Emails Posts: 58

    @rstruempf thank you
    I tried using IRP_MJ_ACQUIRE_FOR_SECTION_SYNCHRONIZATION but I couldn't block the dll by this callback.

  • rstruempf Member Posts: 103

    Because the event didn't occur? I've never seen an exe or dll executed that wasn't preceded by this IRP. There are those here who understand this far better than I do, who will hopefully correct me if I am wrong, but I believe this is required for code execution. It is the act that results in the image section being attached to the file object which is a mapping required for process execution.

    Again, this is my limited understanding, but this is a pseudo-IRP that cannot be treated like a normal IRP based request, but it can be blocked by setting the IoStatus.Status to access denied in the pre-op and returning preop finished processing.


  • Nikhil_V_S Member - All Emails Posts: 58

    Thank you @rstruempf

    Actually I need to block some DLLs used by explorer.exe for burning the CD-ROM, but I fail to find the request from IRP_MJ_ACQUIRE_FOR_SECTION_SYNCHRONIZATION.

  • rstruempf Member Posts: 103

    Then I suppose the DLLs in question are already loaded and running by the time you are looking to block them, in which case there are no IRPs associated with the execution. There are undoubtedly IRPs to access the CD, but I can't advise you there.

  • Nikhil_V_S Member - All Emails Posts: 58

    Thank you @rstruempf
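
The check rstruempf describes in the replies above, as an added example that is not part of the original thread and is not a loadable driver: a user-mode C model of the pre-operation decision for IRP_MJ_ACQUIRE_FOR_SECTION_SYNCHRONIZATION. The deny-list entry, the helper and struct names, and the fail-open choice are assumptions; the numeric constants copy the WDK values.

```c
/* User-mode model of the pre-op decision for
 * IRP_MJ_ACQUIRE_FOR_SECTION_SYNCHRONIZATION (added example, not driver code).
 * Constants copy the WDK values; in a driver they come from fltKernel.h. */
#include <ctype.h>
#include <stddef.h>

#define PAGE_EXECUTE           0x10u
#define PAGE_EXECUTE_READ      0x20u
#define PAGE_EXECUTE_READWRITE 0x40u
#define PAGE_EXECUTE_WRITECOPY 0x80u
#define EXECUTE_MASK (PAGE_EXECUTE | PAGE_EXECUTE_READ | \
                      PAGE_EXECUTE_READWRITE | PAGE_EXECUTE_WRITECOPY)
#define STATUS_SUCCESS       0x00000000u
#define STATUS_ACCESS_DENIED 0xC0000022u
enum sync_type { SyncTypeOther = 0, SyncTypeCreateSection = 1 };
enum preop { FLT_PREOP_SUCCESS_NO_CALLBACK = 1, FLT_PREOP_COMPLETE = 4 };

struct decision { enum preop ret; unsigned status; };

/* Hypothetical deny list; a real filter would load this from policy. */
static const char *const denied[] = { "blocked-example.dll" };

/* Case-insensitive compare (assumption: names are matched ignoring case). */
static int name_eq(const char *a, const char *b) {
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b)) return 0;
    return *a == *b;
}

/* sync and prot model Parameters.AcquireForSectionSynchronization.SyncType
 * and .PageProtection; final_component models the parsed file name. */
struct decision pre_acquire_for_section(enum sync_type sync, unsigned prot,
                                        const char *final_component) {
    struct decision allow = { FLT_PREOP_SUCCESS_NO_CALLBACK, STATUS_SUCCESS };
    struct decision deny  = { FLT_PREOP_COMPLETE, STATUS_ACCESS_DENIED };
    if (sync != SyncTypeCreateSection || !(prot & EXECUTE_MASK))
        return allow;               /* not an executable section mapping */
    if (final_component == NULL)
        return allow;               /* name lookup failed: fail open (assumed) */
    for (size_t i = 0; i < sizeof denied / sizeof denied[0]; i++)
        if (name_eq(final_component, denied[i]))
            return deny;            /* status goes in Data->IoStatus.Status */
    return allow;
}
```

As the last reply in the thread points out, a DLL that is already mapped into the process produces no new request of this kind, so this check only sees loads that happen after the filter is attached.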
