
minifilter: prevent file execution while it is sent to a webserver and a response is awaited

honghong Member Posts: 1

I am making a program which detects new files from external sources such as web downloads and USB.

After detecting a file, I send it to a webserver that has an anti-virus program and get the result of whether the file is malicious or not.

If it is malicious, I move that file to another folder.

I implemented file detection using IRP_MJ_SET_INFORMATION (FileEndOfFileInformation), but I have not managed to prevent file execution perfectly.

The program I made can prevent file execution, but some files are not prevented from executing.

Also, some install files don't work well.

I just implemented preventing file execution by watching FileInformationClass, but it is not perfect.

Is there a way to distinguish a copy from an execution in IRP_MJ_CREATE?

Or how should I make that program?

Comments

  • rstruempf Member Posts: 103

    To my knowledge, you cannot determine that a file is going to be executed from IRP_MJ_CREATE.

    The method we are using is to hook IRP_MJ_ACQUIRE_SECTION_FOR_SYNCHRONIZATION, and check Data->Iopb->Parameters.AcquireSectionForSynchronization.PageProtection for PAGE_EXECUTE.

  • rod_widdowson Member - All Emails Posts: 1,152

    Execute AccessMode can save you some time as well

  • rstruempf Member Posts: 103

    Thanks, Rod! I was not using that method, and I see from my logs that I could prevent most (all?) of these from even opening by checking Data->Iopb->Parameters.Create.SecurityContext->DesiredAccess for FILE_EXECUTE

  • rod_widdowson Member - All Emails Posts: 1,152

    In case it's not obvious - EXECUTE access is a necessary, but not sufficient condition. Some applications can (and do) ask for all sorts of things that they don't need. On the other hand, this might not matter for you, but pre-create is a lot nicer place to be when you want to do something.

  • rstruempf Member Posts: 103

    I quickly found that to be the case, Rod. I already knew that many apps request write access when they don't need it. Seems they also request execute access when they don't intend to execute.

    Thanks for the advice.

    @rod_widdowson said:
    EXECUTE access is a necessary, but not sufficient condition.
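The two checks discussed in the replies, written out as an added example that is not code from this thread or from OSR: the pre-create test for FILE_EXECUTE in the caller's DesiredAccess (necessary but not sufficient, as rod_widdowson points out) and the IRP_MJ_ACQUIRE_FOR_SECTION_SYNCHRONIZATION test for an execute PageProtection, combined with a per-file scan state so that a file whose anti-virus verdict is still pending can be mapped for a copy or a viewer but not for execution. It is plain user-mode C so it compiles without the WDK: the PAGE_*, FILE_* and MAXIMUM_ALLOWED constants are the real Windows values, the SyncType enumerators match FS_FILTER_SECTION_SYNC_TYPE, and ScanState is a constructed stand-in for whatever stream context the OP's filter keeps while waiting on the webserver.

```c
/* Added example (not from the thread): decision logic for the two minifilter
 * checks discussed above, modelled in plain C so it builds outside the WDK. */
#include <assert.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Memory-protection constants (real winnt.h values). */
#define PAGE_READONLY           0x02u
#define PAGE_READWRITE          0x04u
#define PAGE_EXECUTE            0x10u
#define PAGE_EXECUTE_READ       0x20u
#define PAGE_EXECUTE_READWRITE  0x40u
#define PAGE_EXECUTE_WRITECOPY  0x80u
#define PAGE_EXECUTE_ANY (PAGE_EXECUTE | PAGE_EXECUTE_READ | \
                          PAGE_EXECUTE_READWRITE | PAGE_EXECUTE_WRITECOPY)

/* File access rights (real winnt.h values). */
#define FILE_READ_DATA   0x0001u
#define FILE_EXECUTE     0x0020u
#define MAXIMUM_ALLOWED  0x02000000u

/* Mirrors FS_FILTER_SECTION_SYNC_TYPE, the SyncType seen in the
 * IRP_MJ_ACQUIRE_FOR_SECTION_SYNCHRONIZATION callback parameters. */
typedef enum { SyncTypeOther = 0, SyncTypeCreateSection = 1 } SectionSyncType;

/* Constructed per-file scan state; a real filter would keep this in a
 * stream context while the webserver verdict is outstanding. */
typedef enum { ScanPending, ScanClean, ScanMalicious } ScanState;

/* Pre-create check: FILE_EXECUTE in SecurityContext->DesiredAccess is a
 * necessary condition for execution, not a sufficient one (many apps ask for
 * it and never execute).  MAXIMUM_ALLOWED is treated conservatively here,
 * since it may resolve to execute rights later. */
bool PreCreateMayExecute(uint32_t desiredAccess) {
    return (desiredAccess & (FILE_EXECUTE | MAXIMUM_ALLOWED)) != 0;
}

/* True when the requested section protection includes any execute bit. */
bool IsExecuteProtection(uint32_t pageProtection) {
    return (pageProtection & PAGE_EXECUTE_ANY) != 0;
}

/* Section-sync check: a file is about to be executed only when a section is
 * being created (SyncTypeCreateSection) with an execute protection.  A data
 * mapping used by a copy or viewer (PAGE_READONLY/PAGE_READWRITE) passes.
 * Returns true when the filter should fail the operation (for example with
 * STATUS_ACCESS_DENIED) because no clean verdict exists yet. */
bool ShouldBlockSectionAcquire(ScanState state, SectionSyncType syncType,
                               uint32_t pageProtection) {
    if (syncType != SyncTypeCreateSection) return false;
    if (!IsExecuteProtection(pageProtection)) return false;
    return state != ScanClean;   /* pending and malicious are both blocked */
}

int main(void) {
    /* Constructed events: a copy-style data mapping and an image mapping of
     * the same not-yet-scanned file. */
    printf("copy mapping blocked:    %d\n",
           ShouldBlockSectionAcquire(ScanPending, SyncTypeCreateSection, PAGE_READWRITE));
    printf("image mapping blocked:   %d\n",
           ShouldBlockSectionAcquire(ScanPending, SyncTypeCreateSection, PAGE_EXECUTE));
    printf("pre-create may execute:  %d\n",
           PreCreateMayExecute(FILE_READ_DATA | FILE_EXECUTE));
    return 0;
}
```

The pre-create result is only a cheap early filter: a filter that denied every create carrying FILE_EXECUTE would break the installers the OP mentions, because they open files with execute rights they never use. The section-sync check is where the execute decision is reliable, so the pre-create bit is best used to decide whether the file even needs a scan verdict attached.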
