I am working on yet-another app control PoC and am pretty happy with the results so far.
I am however not sure about the best way to go when it comes to detecting if the PE image is being mapped for execution from a location where non-admin users have write access. It seems I can check the security descriptor in IRP_MJ_CREATE, but there I can't really (or easily) tell whether the file is a PE file and whether it will be loaded for exec.
In my mini-filter driver, I also have pre/post for IRP_MJ_CREATE and IRP_MJ_ACQUIRE_FOR_SECTION_SYNCHRONIZATION, plus process and image callbacks. Is checking the SD against the user token when its image gets mapped (for section sync) correct?
My needs:
- Apply policy X if an exe is run from a user-writable location. The policy could be evaluated during process creation or image load callbacks.
- Apply policy Y if a DLL is loaded from a user-writable location. The policy could be evaluated during callbacks, or perhaps even during IRP_MJ_ACQUIRE_FOR_SECTION_SYNCHRONIZATION.
Thank you in advance for any tips/suggestions.
Marco
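The decision the post is asking about, "is this section being mapped for execute, and can a non-admin token obtain write access to the backing file?", modelled as an added example (not code from the post or from any driver it describes). In a real minifilter the inputs come from the pre-operation callback for IRP_MJ_ACQUIRE_FOR_SECTION_SYNCHRONIZATION: the page protection from `Data->Iopb->Parameters.AcquireForSectionSynchronization.PageProtection`, the file's DACL via `FltQuerySecurityObject`, and the requestor's token via `SeCaptureSubjectContext`, with the final verdict delegated to `SeAccessCheck`. Kernel code cannot run stand-alone, so the block below is user-mode C that reproduces the two checks with the real `winnt.h` bit values; the SIDs are integers, the three DACLs are constructed, and the set of "write-like" rights that count as user-writable is an assumption you may want to widen or narrow.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Real winnt.h values, so the bit logic matches what the driver sees. */
#define PAGE_EXECUTE           0x10u
#define PAGE_EXECUTE_READ      0x20u
#define PAGE_EXECUTE_READWRITE 0x40u
#define PAGE_EXECUTE_WRITECOPY 0x80u
#define PAGE_EXECUTE_ANY (PAGE_EXECUTE | PAGE_EXECUTE_READ | \
                          PAGE_EXECUTE_READWRITE | PAGE_EXECUTE_WRITECOPY)

#define FILE_WRITE_DATA      0x00000002u
#define FILE_APPEND_DATA     0x00000004u
#define DELETE               0x00010000u
#define WRITE_DAC            0x00040000u
#define WRITE_OWNER          0x00080000u
#define FILE_GENERIC_READ    0x00120089u
#define FILE_GENERIC_WRITE   0x00120116u
#define FILE_GENERIC_EXECUTE 0x001200A0u
#define FILE_ALL_ACCESS      0x001F01FFu
#define GENERIC_READ         0x80000000u
#define GENERIC_WRITE        0x40000000u
#define GENERIC_EXECUTE      0x20000000u
#define GENERIC_ALL          0x10000000u

/* Assumption: any of these rights lets the principal alter the image or its ACL. */
#define WRITE_LIKE_RIGHTS (FILE_WRITE_DATA | FILE_APPEND_DATA | DELETE | WRITE_DAC | WRITE_OWNER)

typedef uint32_t SidId;                                   /* stand-in for a SID */
typedef enum { ACE_ACCESS_ALLOWED, ACE_ACCESS_DENIED } AceType;
typedef struct { AceType type; SidId sid; uint32_t mask; } Ace;
typedef struct { const Ace *aces; size_t count; } Dacl;    /* aces == NULL models a NULL DACL */
typedef struct { const SidId *sids; size_t count; } Token; /* user SID plus group SIDs */

/* Expand GENERIC_* bits into file-specific rights, as the file system's generic mapping does. */
static uint32_t MapGenericToFileRights(uint32_t mask) {
    uint32_t specific = mask & 0x0FFFFFFFu;
    if (mask & GENERIC_READ)    specific |= FILE_GENERIC_READ;
    if (mask & GENERIC_WRITE)   specific |= FILE_GENERIC_WRITE;
    if (mask & GENERIC_EXECUTE) specific |= FILE_GENERIC_EXECUTE;
    if (mask & GENERIC_ALL)     specific |= FILE_ALL_ACCESS;
    return specific;
}

static bool TokenHasSid(const Token *token, SidId sid) {
    for (size_t i = 0; i < token->count; i++)
        if (token->sids[i] == sid) return true;
    return false;
}

/* Ordered DACL walk in the style of SeAccessCheck: ACEs are applied in order, a deny ACE
 * that covers any still-wanted right ends the check, allow ACEs accumulate until nothing
 * remains. Owner-implied rights and inherit-only ACEs are ignored in this model. */
bool DaclGrants(const Dacl *dacl, const Token *token, uint32_t desired) {
    if (dacl->aces == NULL) return true;                 /* NULL DACL: everyone gets everything */
    uint32_t remaining = MapGenericToFileRights(desired);
    for (size_t i = 0; i < dacl->count && remaining != 0; i++) {
        const Ace *ace = &dacl->aces[i];
        if (!TokenHasSid(token, ace->sid)) continue;
        uint32_t bits = MapGenericToFileRights(ace->mask);
        if (ace->type == ACE_ACCESS_DENIED) {
            if (bits & remaining) return false;
        } else {
            remaining &= ~bits;
        }
    }
    return remaining == 0;
}

/* "User-writable": the token can obtain at least one write-like right on the file. */
bool IsUserWritable(const Dacl *dacl, const Token *token) {
    for (uint32_t bit = 1; bit != 0; bit <<= 1)
        if ((WRITE_LIKE_RIGHTS & bit) && DaclGrants(dacl, token, bit)) return true;
    return false;
}

/* True when the section will be mapped with execute permission (image load or
 * an explicit executable section); a plain data mapping of the same PE is not. */
bool IsExecuteMapping(uint32_t pageProtection) {
    return (pageProtection & PAGE_EXECUTE_ANY) != 0;
}

/* The verdict the pre-acquire-for-section callback would reach for this file. */
bool ShouldApplyPolicy(uint32_t pageProtection, const Dacl *dacl, const Token *token) {
    return IsExecuteMapping(pageProtection) && IsUserWritable(dacl, token);
}

/* Constructed sample data: a non-admin token and three DACL shapes. */
enum { SID_ADMINS = 1, SID_USERS = 2, SID_EVERYONE = 3, SID_ALICE = 4 };
static const SidId aliceSids[] = { SID_ALICE, SID_USERS, SID_EVERYONE };
const Token AliceToken = { aliceSids, 3 };

static const Ace programFilesAces[] = {                  /* admins write, users read+execute */
    { ACE_ACCESS_ALLOWED, SID_ADMINS, FILE_ALL_ACCESS },
    { ACE_ACCESS_ALLOWED, SID_USERS,  FILE_GENERIC_READ | FILE_GENERIC_EXECUTE },
};
const Dacl ProgramFilesDacl = { programFilesAces, 2 };
static const Ace tempAces[] = { { ACE_ACCESS_ALLOWED, SID_ALICE, GENERIC_ALL } };
const Dacl TempDacl = { tempAces, 1 };                   /* the user's own scratch file */
static const Ace lockedAces[] = {                        /* deny ahead of a broad allow */
    { ACE_ACCESS_DENIED,  SID_USERS,    WRITE_LIKE_RIGHTS },
    { ACE_ACCESS_ALLOWED, SID_EVERYONE, GENERIC_ALL },
};
const Dacl LockedDacl = { lockedAces, 2 };
const Dacl NullDacl = { NULL, 0 };

int main(void) {
    printf("Program Files image: policy=%d\n", ShouldApplyPolicy(PAGE_EXECUTE_WRITECOPY, &ProgramFilesDacl, &AliceToken));
    printf("Temp image:          policy=%d\n", ShouldApplyPolicy(PAGE_EXECUTE_WRITECOPY, &TempDacl, &AliceToken));
    printf("Locked image:        policy=%d\n", ShouldApplyPolicy(PAGE_EXECUTE_WRITECOPY, &LockedDacl, &AliceToken));
    printf("Temp data mapping:   policy=%d\n", ShouldApplyPolicy(0x04u /* PAGE_READWRITE */, &TempDacl, &AliceToken));
    return 0;
}
```

Two caveats a driver author would want: a file whose own DACL is read-only can still be replaced when the containing directory grants the user delete or write access, so the directory's DACL deserves the same evaluation; and the model above deliberately stops short of owner rights, inherit-only ACEs and restricted SIDs, which is why the real driver should hand the captured subject context and the queried descriptor to `SeAccessCheck` rather than walk the DACL itself.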