I was wondering if its possible to do some sort of validation from usermode requests,
lets say i have a dll injected into explorer.exe, this dll sends ioctl’s to the device.
Is there some kind of method to block requests that doesnt come from explorer.exe ?
Thanks in advance
No. You can make the driver “exclusive”, which means only one application can open it at a time. Since Explorer starts early and usually stays loaded until the system goes down, that should be pretty secure.
There is a cost/benefit analysis to be done, and I’m quite serious about this. You can spend a fortune adding extra padlocks and deadlocks in your scheme, but whatever “locks” you put in can be picked by a sufficiently motivated hacker. They are smarter than you are, and they have more time. It all comes down to knowing the value of what you’re protecting, and it is extremely easy to overvalue your driver. If you’re just protecting some IP, then I think it’s ridiculous to do anything more than the exclusive mode. That will keep honest people honest.