If the malware is in the kernel, then it can attach to your process, have
access to your memory space, and modify it. At that point your process
image is hosed. Depending on when your filter gets loaded versus the malware,
there are ways around the file protection, so I can change your protected
application to be malware.
Malware is going to win 99.9% of the time; you may be able to defeat a
specific threat vector, but then all they need is to improve slightly to
bypass that.
Don Burn
Windows Filesystem and Driver Consulting
Website: http://www.windrvr.com
-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of
xxxxx@gmail.com
Sent: Saturday, October 18, 2014 9:19 AM
To: Windows System Software Devs Interest List
Subject: RE:[ntdev] Blocking particular process from getting terminated
First, I agree with you, the malware is going to win 99% of the time as
offense is way easier than defense. But for the sake of educational argument
(as I'm not very familiar with this), let's assume that the infection has
occurred after my driver is loaded. The driver protects against file
modification via a minifilter FltRegFilter(), and is also protecting against
process termination via ObRegisterCallbacks(). There's also another routine
blocking remote threads. The attacker cannot modify any binaries, nor use
Read/WriteProcMem(), no TermProc(), no CreateRemoteThread(), no SSDT hooks,
etc. Apart from offline attacks - how do you destroy my process?
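The handle-right stripping that an ObRegisterCallbacks() pre-operation callback performs, and the boundary Don points at, as an added illustration from neither poster: a portable C model of the callback's decision, compiled without the WDK. The struct and function names are hypothetical; the access-right values are the documented winnt.h constants.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Documented process access rights (values from winnt.h). */
#define PROCESS_TERMINATE         0x0001u
#define PROCESS_CREATE_THREAD     0x0002u
#define PROCESS_VM_OPERATION      0x0008u
#define PROCESS_VM_READ           0x0010u
#define PROCESS_VM_WRITE          0x0020u
#define PROCESS_DUP_HANDLE        0x0040u
#define PROCESS_QUERY_INFORMATION 0x0400u
#define PROCESS_ALL_ACCESS        0x1FFFFFu   /* Vista and later */

/* Rights the driver refuses to grant any other process on the protected one. */
#define STRIPPED_RIGHTS (PROCESS_TERMINATE | PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | \
                         PROCESS_VM_READ | PROCESS_VM_WRITE | PROCESS_DUP_HANDLE)

/* Hypothetical flattened view of what the OB pre-operation callback receives. */
typedef struct {
    uint32_t requester_pid;  /* PsGetCurrentProcessId() inside the callback */
    uint32_t target_pid;     /* PsGetProcessId(Object) of the process being opened */
    uint32_t desired_access; /* CreateHandleInformation.DesiredAccess (or the Duplicate variant) */
} handle_request;

/* Decide the access mask the handle will actually carry. The callback must be
 * registered for both OB_OPERATION_HANDLE_CREATE and OB_OPERATION_HANDLE_DUPLICATE,
 * otherwise a duplicated handle slips past the filter. */
uint32_t filter_process_access(const handle_request *req, uint32_t protected_pid)
{
    if (req->target_pid != protected_pid)     /* not the process we guard */
        return req->desired_access;
    if (req->requester_pid == protected_pid)  /* the process opening itself */
        return req->desired_access;
    /* Only handle-based access is governed here: kernel-mode code that attaches to
     * the process address space never asks for a handle, which is the gap Don describes. */
    return req->desired_access & ~STRIPPED_RIGHTS;
}

/* True when the rights actually granted cover what a given API needs. */
bool can_perform(uint32_t granted, uint32_t needed)
{
    return (granted & needed) == needed;
}

int main(void)
{
    handle_request r = { 4242, 1000, PROCESS_ALL_ACCESS };   /* constructed sample request */
    uint32_t granted = filter_process_access(&r, 1000);
    printf("granted 0x%06x: TerminateProcess %s, WriteProcessMemory %s\n", (unsigned)granted,
           can_perform(granted, PROCESS_TERMINATE) ? "allowed" : "blocked",
           can_perform(granted, PROCESS_VM_WRITE | PROCESS_VM_OPERATION) ? "allowed" : "blocked");
    return 0;
}
```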
NTDEV is sponsored by OSR
Visit the list at: http://www.osronline.com/showlists.cfm?list=ntdev