Hello,
A while back I asked how to implement software that allows/denies the loading of binaries into Windows processes. (http://www.osronline.com/showthread.cfm?link=259208).
The consensus was to use a mini filter and block the file create if the execute permission is requested. I implemented this and it works fine as long as the filter is in the control path.
However the following scenario frustrates me:
Native API allows me to split the process create into several steps:
1. Nt/ZwCreateFile()
2. Nt/ZwCreateSection()
3. Nt/ZwCreateProcess()
4. Nt/ZwCreateThread()
…
So I get a file handle and a section handle that can be duplicated to other processes.
Please consider this:
- evade1.exe is started for user A. It creates a file handle for a binary and opens its process for everybody full access.
- evade2.exe is started for user B. It has no access to the binary, as enforced by the mini filter or NTFS ACL. It duplicates the handle of the file out of the evade1 process and creates an executable section with it. In addition it opens its process to everybody full access.
- evade3.exe is started for user C. It has no access to the binary, enforced as above. It duplicates the handle of the section out of the evade2 process and successfully creates a process with it.
This works just fine with XP and out-of-the-box standard non-admin users.
The mini filter may catch step 2 with IRP_MJ_ACQUIRE_FOR_SECTION_SYNCHRONIZATION, but that is problematic. What security context should it use (the one from user A from the open? That seems wrong to me. But what other options does it have?)
The mini filter has no chance to catch step 3 as far as I can see.
On the other hand I have a LoadImageNotify() callback that catches this without any problem. It can kill the newly created process before it executes any code of the binary.
However it is unusable because it is also called when Explorer just looks at the file properties in Vista and Win7. Killing Explorer for looking at file properties is not really acceptable.
Is there a way to create a binary load control driver that covers such things?
Any and all hints would be truly appreciated.
Many thanks,
db