SectionObjectPointer is the closest thing to the process the section belongs to.
Memory manager sets this member whenever an executable image section is created for the stream.
How do I find out which process that section belongs to under the condition that SyncTypeCreateSection is set and ImageSectionObject is not NULL?
SECTION_OBJECT_POINTERS - This is the data structure that connects the specific FILE_OBJECT to the virtual memory control structures that keep track of the file contents when they are in memory - and allow Windows to fetch those contents when they are not.
So, there must be a way to get to the virtual memory the describes the section given by the file object
The link is currently dead but can be found on webarchive
7 Load image of executable code
…
In particular, a file system mini-filter can be utilized to block the loading of both modules in both user mode (e.g., DLLs) and kernel mode (e.g., device drivers). Intercepting IRP_MJ_ACQUIRE_FOR_SECTION_SYNCHRONIZATION and returning STATUS_ACCESS_DENIED when sections are loaded for PAGE_EXECUTE permission is an appropriate approach.
There is absolutely no information on the internet on how to not block all PAGE_EXECUTE load operations…