IRP validation from usermode

alex_vogt Member - All Emails Posts: 3

I was wondering if it's possible to do some sort of validation from usermode requests.
Let's say I have a DLL injected into explorer.exe; this DLL sends IOCTLs to the device.
Is there some kind of method to block requests that don't come from explorer.exe?

Thanks in advance

Comments

  • Tim_Roberts Member - All Emails Posts: 13,493

    No. You can make the driver "exclusive", which means only one application can open it at a time. Since Explorer starts early and usually stays loaded until the system goes down, that should be pretty secure.

    There is a cost/benefit analysis to be done, and I'm quite serious about this. You can spend a fortune adding extra padlocks and deadlocks in your scheme, but whatever "locks" you put in can be picked by a sufficiently motivated hacker. They are smarter than you are, and they have more time. It all comes down to knowing the value of what you're protecting, and it is extremely easy to overvalue your driver. If you're just protecting some IP, then I think it's ridiculous to do anything more than the exclusive mode. That will keep honest people honest.

    Tim Roberts, [email protected]
    Providenza & Boekelheide, Inc.
