Linux Security Module (LSM) in Windows

Hello,

In Linux, I built a skeleton of an LSM. In this demo, each time an application is launched, its path is printed from the LSM, which is compiled into the kernel.

Can you please advise if there is a similar concept in the Windows kernel?

Thank you,
Zvika

Your question is too vague. A kernel driver can register for a callback every time a process is launched.

Hi Tim,

Thank you very much for your reply.
I found this sample code:

#include <ntddk.h>

// Handle returned by ObRegisterCallbacks; needed later for ObUnRegisterCallbacks.
PVOID callbackRegistrationHandle = NULL;

// ObRegisterCallbacks pre-operation callback. Note that this runs when a handle to
// a process is created or duplicated, not when a process is launched.
OB_PREOP_CALLBACK_STATUS CreateCallback(PVOID RegistrationContext, POB_PRE_OPERATION_INFORMATION OperationInformation) {
    UNREFERENCED_PARAMETER(RegistrationContext);

    // Object is a PEPROCESS only if the callback was registered for *PsProcessType.
    PEPROCESS Process = (PEPROCESS)OperationInformation->Object;

    HANDLE pid = PsGetProcessId(Process);

    DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL,
        "CreateCallback called with operation %lu on process at address %p with PID %lu\n",
        OperationInformation->Operation,   // OB_OPERATION_HANDLE_CREATE or OB_OPERATION_HANDLE_DUPLICATE (ULONG)
        Process,
        HandleToULong(pid)                 // HANDLE is pointer-sized; do not print it with %d
    );

    return OB_PREOP_SUCCESS;
}

Is it the right approach?
The goal is to prevent a process from running if it is contained in a predefined list.
Is it possible?

Best regards,
Zvika

As long as you assume that your blocked processes will always nicely have the right name, sure, it is possible. But that could be a very dubious assumption if, for example, you are trying to block malware etc.

I second Mark's comments. The malware guys are smarter than you or me. They're going to call their process "WINWORD.EXE", and then what will you do?

This is why the antivirus products use signatures instead of names.

1 Like

Note that if it is malware, they can use the actual winword.exe or calc.exe etc. and inject the 'bad' code after the process has started. The point is that if you want to make something that adds security, it is not a simple job, and you will need to know a lot more about the execution environment than simply choosing the right callback sample code.

Hi All,

My goal is to build a kernel module that will be "triggered" upon any application launch.

If the application path is approved by my kernel module, this application (e.g. c:\windows\calc.exe) can run. If not, it will not run.

Can you please tell if the sample code I uploaded here is relevant ?

Thank you,
Zvika

build a kernel module that will be "triggered" upon any application launch

This is easy, with a CreateProcess notify routine: google for PsSetCreateProcessNotifyRoutineEx. From there you can get the file name of the exe file.
As others hinted, blocking programs only by filename or path is naive, not serious, and so on, you name it.

Just consider that Windows comes with something called AppLocker. It will do this job for you :wink:

2 Likes
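To make Pavel's suggestion concrete, here is an added example of a process-creation notify routine that allow-lists images by their full NT path. This is my code, not from the thread or any OSR/Microsoft sample. The policy core (IsImageAllowed, EqualsNoCase, IsAsciiPathAllowed) is plain C that compiles and can be tested in user mode; the kernel glue (CreateProcessNotify, DriverEntry, DriverUnload) is compiled only when the assumed macro BUILD_AS_KERNEL_DRIVER is defined in the WDK project. The allow-list entries and their \Device\HarddiskVolume2 volume name are constructed for the example and depend on the machine.

```c
/* Added example: allow-list a process image by full NT path from a
 * PsSetCreateProcessNotifyRoutineEx callback. Policy core is portable C;
 * kernel parts are guarded by the assumed BUILD_AS_KERNEL_DRIVER macro. */
#include <stddef.h>

typedef unsigned short WCH16;   /* one UTF-16 code unit, same width as the kernel's WCHAR */

static WCH16 AsciiLower(WCH16 c)
{
    return (c >= 'A' && c <= 'Z') ? (WCH16)(c + ('a' - 'A')) : c;
}

/* Compare a counted UTF-16 buffer (UNICODE_STRING style: no terminator) with an
 * ASCII pattern, ignoring ASCII case, as NTFS does. Exact match only: a prefix
 * ("calc.ex"), a suffix ("calc.exe.exe") or another directory does not match. */
static int EqualsNoCase(const WCH16 *buf, size_t lenChars, const char *pattern)
{
    size_t i;
    for (i = 0; i < lenChars; i++) {
        if (pattern[i] == '\0')
            return 0;                        /* buffer longer than pattern */
        if (AsciiLower(buf[i]) != AsciiLower((WCH16)(unsigned char)pattern[i]))
            return 0;
    }
    return pattern[lenChars] == '\0';        /* reject a pattern longer than the buffer */
}

/* Constructed allow list. ImageFileName in the callback is an NT device path
 * (\Device\HarddiskVolumeN\...), never C:\..., so entries must use that form. */
static const char *const AllowedImages[] = {
    "\\Device\\HarddiskVolume2\\Windows\\System32\\calc.exe",
    "\\Device\\HarddiskVolume2\\Windows\\System32\\notepad.exe",
};

/* Returns 1 if the image may run. Fails closed: no name, no permission. */
int IsImageAllowed(const WCH16 *path, size_t lenChars)
{
    size_t i;
    if (path == NULL || lenChars == 0)
        return 0;
    for (i = 0; i < sizeof(AllowedImages) / sizeof(AllowedImages[0]); i++)
        if (EqualsNoCase(path, lenChars, AllowedImages[i]))
            return 1;
    return 0;
}

/* User-mode test helper: widen an ASCII path to UTF-16 and run the policy. */
int IsAsciiPathAllowed(const char *ntPath)
{
    WCH16 buf[260];
    size_t n = 0;
    while (ntPath[n] != '\0' && n < sizeof(buf) / sizeof(buf[0])) {
        buf[n] = (WCH16)(unsigned char)ntPath[n];
        n++;
    }
    return IsImageAllowed(buf, n);
}

#ifdef BUILD_AS_KERNEL_DRIVER            /* assumed: defined by the WDK project */
#include <ntddk.h>

static VOID CreateProcessNotify(_Inout_ PEPROCESS Process, _In_ HANDLE ProcessId,
                                _Inout_opt_ PPS_CREATE_NOTIFY_INFO CreateInfo)
{
    const WCH16 *buf = NULL;
    size_t len = 0;

    UNREFERENCED_PARAMETER(Process);
    if (CreateInfo == NULL)
        return;                              /* process exit: nothing to decide */

    if (CreateInfo->ImageFileName != NULL) {
        buf = (const WCH16 *)CreateInfo->ImageFileName->Buffer;
        len = CreateInfo->ImageFileName->Length / sizeof(WCHAR);   /* bytes -> code units */
    }
    if (!IsImageAllowed(buf, len)) {
        DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_INFO_LEVEL,
                   "Blocking PID %lu\n", (ULONG)(ULONG_PTR)ProcessId);
        CreateInfo->CreationStatus = STATUS_ACCESS_DENIED;   /* creator's CreateProcess fails */
    }
}

static VOID DriverUnload(_In_ PDRIVER_OBJECT DriverObject)
{
    UNREFERENCED_PARAMETER(DriverObject);
    PsSetCreateProcessNotifyRoutineEx(CreateProcessNotify, TRUE);   /* TRUE = remove */
}

NTSTATUS DriverEntry(_In_ PDRIVER_OBJECT DriverObject, _In_ PUNICODE_STRING RegistryPath)
{
    UNREFERENCED_PARAMETER(RegistryPath);
    DriverObject->DriverUnload = DriverUnload;
    /* Fails with STATUS_ACCESS_DENIED unless the driver is linked with
     * /INTEGRITYCHECK (IMAGE_DLLCHARACTERISTICS_FORCE_INTEGRITY). */
    return PsSetCreateProcessNotifyRoutineEx(CreateProcessNotify, FALSE);
}
#endif
```

Two things worth checking before trusting such a driver: the callback sees NT paths, so a DOS-style entry like C:\Windows\System32\calc.exe never matches and everything is blocked; and, as Mark, Tim and Pavel said above, an exact-path allow list only proves where the file sits, not what it contains, so a copy of a malicious binary written over an allowed path, or code injected into an allowed process after it starts, passes this check. AppLocker, which Pavel mentions, is the supported way to get this behaviour without writing a driver.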

Pavel - Thank you very much !
Best regards,
Zvika