Restricting CreateFile to our specific application

I need some suggestions around security: who will be allowed to open my driver using CreateFile. I know of a few solutions, listed below.

  1. Using the ACL SDDL_DEVOBJ_SYS_ALL, I can only restrict access to processes running in the SYSTEM account.

  2. If I want only my process to be able to open the driver handle, one way I see is writing an access-protection driver using a minifilter driver and feeding it rules based on path. Can I also verify, in the driver, that the process sending the CreateFile request is signed by some specific certificate?

  3. I know solution 2 requires effort. Other than the above two ways, are there any other ways to restrict which processes can open our driver handle?

You can just take a look at what process context you are in, in your driver, when the create request is handled.
Mark Roddy

This has been discussed here and elsewhere many times. And it always boils down to ‘that’s not how security works in Windows’ and ‘how are you going to be sure that your special application is really the one making the call’.

About the best method is to try to verify an Authenticode signature while processing the create request. But it is perilous, since the default ways to do this trust anything the machine trusts and not just your super special code-signing certificate. And what happens when that one expires and you have a new application version signed with a new certificate? This is a solvable problem, but detailed knowledge of PKI is necessary.

Other methods include incorporating a ‘secret handshake’ between the UM and KM components - this can easily be spoofed. Checking the file name / path of the calling exe - much easier to spoof. And trying to hide / obfuscate the device name - also very easy to spoof.

I’m sure that there are more, but the point is that security on Windows is based on security principals and access control lists, and anything you try to do around that can be circumvented. Assuming that you control the machine, the correct solution is a service account with an appropriate ACL. If you don’t control the machine, any admin will be able to circumvent any protection that you create. It’s just a matter of how hard it will be to do so.
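As an added illustration of the "service account with an appropriate ACL" advice above (example code, not part of any post in this thread): a small SDDL DACL parser that compares the SDDL_DEVOBJ_SYS_ALL string from wdmsec.h with a constructed world-accessible DACL and a constructed DACL that adds one virtual service account (the S-1-5-80-... SID is a placeholder), and reports which allow-ACEs grant access to broad groups rather than a single principal.

```python
import re

# SDDL_DEVOBJ_SYS_ALL as defined in wdmsec.h: protected DACL (P), SYSTEM (SY) gets GENERIC_ALL (GA).
SDDL_DEVOBJ_SYS_ALL = "D:P(A;;GA;;;SY)"

# Constructed sample: the same, but Administrators and Everyone (WD) also get read/write/execute.
SAMPLE_WORLD_RWX = "D:P(A;;GA;;;SY)(A;;GRGWGX;;;BA)(A;;GRGWGX;;;WD)"

# Constructed sample: SYSTEM plus one dedicated service account. S-1-5-80-* is the prefix of
# NT SERVICE virtual accounts; the remaining sub-authorities below are a placeholder, not a real SID.
PLACEHOLDER_SERVICE_SID = "S-1-5-80-0000000000-0000000000-0000000000-0000000000-0000000000"
SAMPLE_SERVICE_ONLY = "D:P(A;;GA;;;SY)(A;;GRGWGX;;;" + PLACEHOLDER_SERVICE_SID + ")"

# SDDL aliases that name a broad class of callers rather than one account.
BROAD_SIDS = {"WD": "Everyone", "AU": "Authenticated Users", "BU": "Users",
              "IU": "Interactive", "AN": "Anonymous", "RC": "Restricted code"}
NAMED_SIDS = {"SY": "SYSTEM", "BA": "Administrators", **BROAD_SIDS}

# One ACE: (type;flags;rights;object_guid;inherit_guid;sid)
ACE_RE = re.compile(r"\(([^;()]*);([^;()]*);([^;()]*);([^;()]*);([^;()]*);([^()]*)\)")


def parse_dacl(sddl):
    """Return (protected, [(ace_type, rights, sid), ...]) for a DACL-only SDDL string."""
    m = re.match(r"^D:([A-Z]*)((?:\([^)]*\))*)$", sddl)
    if not m:
        raise ValueError("expected an SDDL string consisting of a D: section only")
    dacl_flags, ace_text = m.group(1), m.group(2)
    aces = [(t, rights, sid) for t, _f, rights, _o, _i, sid in ACE_RE.findall(ace_text)]
    return "P" in dacl_flags, aces


def describe(sid):
    return NAMED_SIDS.get(sid, sid)


def allowed_principals(sddl):
    """Principals granted any access by allow (A) ACEs, in DACL order."""
    return [describe(sid) for t, _r, sid in parse_dacl(sddl)[1] if t == "A"]


def broad_grants(sddl):
    """Allow ACEs aimed at groups of callers: the entries a device DACL review should justify."""
    return [describe(sid) for t, _r, sid in parse_dacl(sddl)[1] if t == "A" and sid in BROAD_SIDS]


def is_protected(sddl):
    """True when the DACL is marked P, so a parent's ACEs cannot be inherited into it."""
    return parse_dacl(sddl)[0]
```

Run against a device object's actual SDDL, `broad_grants` returning a non-empty list is the signal that the open is not limited to named accounts.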