How to identify the process a section is being mapped into with IRP_MJ_ACQUIRE_FOR_SECTION_SYNCHRONI

User

SectionObjectPointer is the closest thing to the process the section belongs to.

Memory manager sets this member whenever an executable image section is created for the stream.

How do I find out which process that section belongs to under the condition that SyncTypeCreateSection is set and ImageSectionObject is not NULL?

FltGetRequestorProcess is obviously not the one.

User

Also, according to https://www.osronline.com/article.cfm

SECTION_OBJECT_POINTERS - This is the data structure that connects the specific FILE_OBJECT to the virtual memory control structures that keep track of the file contents when they are in memory - and allow Windows to fetch those contents when they are not.

So, there must be a way to get to the virtual memory the describes the section given by the file object

User

This procedure is also recommended by Microsoft according to: http://download.microsoft.com/download/4/4/b/44bb7147-f058-4002-9ab2-ed22870e3fe9/Kernal Data and Filtering Support for Windows Server 2008.doc

The link is currently dead but can be found on webarchive

7 Load image of executable code
...
In particular, a file system mini-filter can be utilized to block the loading of both modules in both user mode (e.g., DLLs) and kernel mode (e.g., device drivers). Intercepting IRP_MJ_ACQUIRE_FOR_SECTION_SYNCHRONIZATION and returning STATUS_ACCESS_DENIED when sections are loaded for PAGE_EXECUTE permission is an appropriate approach.

There is absolutely no information on the internet on how to not block all PAGE_EXECUTE load operations...

Scott_Noone_(OSR)

Why is the requestor obviously not the one?