In the creation of a “Quarantine” feature that prevents execution from certain directories on the filesystem, I am considering using a filesystem feature to reset the FileObject->SectionObjectPointer->ImageSectionObject pointer to NULL on an IRP_MJ_CREATE that requests executable access (I may need to deallocate, clean up, etc. what is there too).
Can anyone comment on whether this is a mechanism worth exploring for this type of feature?
Previously I had played with hooking NtCreateSection; however, on 64-bit or Vista this is no longer allowed.
-Rich Riendeau
> I am considering using a filesystem feature to reset the
> FileObject->SectionObjectPointer->ImageSectionObject pointer to NULL
> on an IRP_MJ_CREATE that requests executable access
IRP_MJ_CREATE has nothing to do with section creation - it is received as a result of a call to ZwCreateFile(), rather than to NtCreateSection(). At the time you receive IRP_MJ_CREATE you have no idea about executable access. In order to control section creation in an FS filter you have to register FastIO callbacks. This is the MSFT side of the story. However, in my experience, these callbacks are of rather limited practical value when it comes to controlling section creation - they just don’t seem to get invoked upon NtCreateSection() calls…
> Previously I had played with hooking NtCreateSection - however in 64 bit or vista
> this is no longer allowed.
AFAIK, there is no problem with that under 32-bit Vista whatsoever - this “innovation” applies only to 64-bit Windows.
Anton Bassov