Windows System Software -- Consulting, Training, Development -- Unique Expertise, Guaranteed Results

Before Posting...
Please check out the Community Guidelines in the Announcements and Administration Category.

minifilter, prevent file execution while It is sended to webserver and get response

honghong Member Posts: 1

I am making program which detect new files from external source such as web download, usb.

after detecting file, I send it to webserver that has anti virus program and get the result whether the file is malicious or not.

and If it is malicious I move that file to other folder.

I made detecting file using IRP_MJ_SET endoffileinformation. but I don't make preventig file execution perfectly.

Program that I made can prevent file execution. but some files are not prevented from execution.

and some install file doesn't work well.

I just implemented preventing file execution by watching fileinfoclass. but It is not perfect.

Is there a way to distinguish copy from execution in IRP_MJ_CREATE?

or how to make that program?


  • rstruempfrstruempf Member Posts: 103

    To my knowledge, you cannot determine that a file is going to be executed from IRP_MJ_CREATE.

    The method we are using is to hook IRP_MJ_ACQUIRE_SECTION_FOR_SYNCHRONIZATION, and check Data->Iopb->Parameters.AcquireSectionForSynchronization.PageProtection for PAGE_EXECUTE.

  • rod_widdowsonrod_widdowson Member - All Emails Posts: 1,083

    Execute AccessMode can save you some time as well

  • rstruempfrstruempf Member Posts: 103

    Thanks, Rod! I was not using that method, and I see from my logs that I could prevent most (all?) of these from even opening by checking Data->Iopb->Parameters.Create.SecurityContext->DesiredAccess for FILE_EXECUTE

  • rod_widdowsonrod_widdowson Member - All Emails Posts: 1,083

    In case it's not obvious - EXECUTE access is a necessary, but not sufficient condition. Some applications can (and do) ask for all sorts of things that they don't need. On the other had, this might not matter for you, but pre-create is a lot nice place to be when you want to do something.

  • rstruempfrstruempf Member Posts: 103

    I quickly found that to be the case, Rod. I already knew that many apps request write access when they don't need it. Seems they also request execute access when they don't intend to execute.

    Thanks for the advice.

    @rod_widdowson said:
    EXECUTE access is a necessary, but not sufficient condition.

Sign In or Register to comment.

Howdy, Stranger!

It looks like you're new here. If you want to get involved, click one of these buttons!

Upcoming OSR Seminars
Writing WDF Drivers 21 Oct 2019 OSR Seminar Space & ONLINE
Internals & Software Drivers 18 Nov 2019 Dulles, VA
Kernel Debugging 30 Mar 2020 OSR Seminar Space
Developing Minifilters 27 Apr 2020 OSR Seminar Space & ONLINE