Windows System Software -- Consulting, Training, Development -- Unique Expertise, Guaranteed Results
The free OSR Learning Library has more than 50 articles on a wide variety of topics about writing and debugging device drivers and Minifilters. From introductory level to advanced. All the articles have been recently reviewed and updated, and are written using the clear and definitive style you've come to expect from OSR over the years.
Check out The OSR Learning Library at: https://www.osr.com/osr-learning-library/
I am trying to code a driver that blocks signed Vulnerable drivers. I have done some reading and found out that you can block the driver load somehow with SeRegisterImageVerificationCallback.
My biggest problem is that it's undocumented and there are only a few sites that have written about it but not enough. I've already managed to log the drivers that are loaded.
But now I'm wondering how I can block the load with it. I simply have no more ideas.
|Upcoming OSR Seminars|
|OSR has suspended in-person seminars due to the Covid-19 outbreak. But, don't miss your training! Attend via the internet instead!|
|Internals & Software Drivers||19-23 June 2023||Live, Online|
|Writing WDF Drivers||10-14 July 2023||Live, Online|
|Kernel Debugging||16-20 October 2023||Live, Online|
|Developing Minifilters||13-17 November 2023||Live, Online|
Hmmm... this is your first post here?
This callback, and the others related to it, are part of the ELAM system. IIRC, there's documentation for that, it's just not available publicly.
Now, having said that... doesn't the callback get a PBDCB_IMAGE_INFORMATION? And isn't one of the fields in that structure the BDCB_CLASSIFICATION? Are you saying setting the BDCB_CLASSIFICATION properly on return doesn't work, or that you don't know how to set it?