I am working on yet-another app control PoC and am pretty happy with the results so far.
I am, however, not sure about the best way to go when it comes to detecting if the PE image is being mapped for execution from a location where non-admin users have write access. It seems I can check the security descriptor in IRP_MJ_CREATE, but there I can't really (or easily) tell whether the file is a PE file and whether it will be loaded for exec.
In my mini-filter driver, I also have pre/post for IRP_MJ_CREATE and IRP_MJ_ACQUIRE_FOR_SECTION_SYNCHRONIZATION, plus process and image callbacks. Is checking the SD against the user token when its image gets mapped (for section sync) correct?
- Apply policy X if an exe is run from a user-writable location. The policy could be evaluated during process creation or image load callbacks.
- Apply policy Y if a DLL is loaded from a user-writable location. The policy could be evaluated during callbacks, or perhaps even during IRP_MJ_ACQUIRE_FOR_SECTION_SYNCHRONIZATION.
Thank you in advance for any tip/suggestion.
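A user-mode analogue of the check the post asks about, written as an added example (not the poster's or OSR's code): it reads a file's DACL, tests whether well-known non-admin principals hold write rights, and then applies that to the DLLs loaded by running processes (the post's "policy Y"). It assumes Windows PowerShell run elevated; the SID list and the rights mask it treats as "write" are assumptions.

```powershell
# Added example (not the poster's code): user-mode analogue of "can a
# non-admin user modify this image or its directory?". Assumes Windows
# PowerShell 5.1+ running elevated; SID list and mask are assumptions.
$LowPrivSids = @(
    'S-1-1-0',       # Everyone
    'S-1-5-11',      # Authenticated Users
    'S-1-5-32-545',  # BUILTIN\Users
    'S-1-5-4'        # INTERACTIVE
)
# Rights that let a principal change file content or the ACL itself
# (on directories WriteData/AppendData mean CreateFiles/CreateDirectories).
$R = [System.Security.AccessControl.FileSystemRights]
$WriteMask = $R::WriteData -bor $R::AppendData -bor $R::Delete -bor $R::WriteDac -bor $R::WriteOwner

function Test-UserWritable {
    param([Parameter(Mandatory)][string]$Path)
    $sidType = [System.Security.Principal.SecurityIdentifier]
    try { $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop } catch { return $false }
    $rules = $acl.GetAccessRules($true, $true, $sidType)
    # Simplification: any Deny ACE for a principal is treated as blocking it.
    $denied = @{}
    foreach ($ace in $rules) {
        if ($ace.AccessControlType -eq 'Deny') { $denied[$ace.IdentityReference.Value] = $true }
    }
    foreach ($ace in $rules) {
        $sid = $ace.IdentityReference.Value
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($LowPrivSids -notcontains $sid -or $denied.ContainsKey($sid)) { continue }
        if (($ace.FileSystemRights -band $WriteMask) -ne 0) { return $true }
    }
    return $false
}

# "Policy Y" from the post, evaluated after the fact: list DLLs that running
# processes have loaded from files or directories non-admin users can modify.
function Get-ModulesFromUserWritableLocations {
    $seen = @{}
    foreach ($proc in Get-Process) {
        $mods = @()
        try { $mods = $proc.Modules } catch { }   # protected processes refuse enumeration
        foreach ($mod in $mods) {
            $file = $mod.FileName
            if (-not $file -or $seen.ContainsKey($file)) { continue }
            $seen[$file] = $true
            if ((Test-UserWritable $file) -or (Test-UserWritable (Split-Path -Parent $file))) {
                [pscustomobject]@{ Process = $proc.ProcessName; Id = $proc.Id; Module = $file }
            }
        }
    }
}
Get-ModulesFromUserWritableLocations | Format-Table -AutoSize
```

Scanning ACEs by well-known SID approximates the answer; the kernel-side equivalent of the question in the post is an access check of the file's security descriptor against the loading thread's token (SeAccessCheck), which also accounts for the token's actual group membership.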