> I do really mean Windows Messages. If I load up, for example,
> Notepad and I attempt to load a file which I have banned, Notepad
> displaying that it cannot open the file can be considered an OK
> error message. If for example I banned loadme.exe from running and I
> double-click it, that access denied is a Windows Message and the one I want to avoid seeing.
Notepad's message is application-specific. The fact that Notepad comes
with Windows is irrelevant. It is just something that Notepad displays
when it encounters ERROR_ACCESS_DENIED after CreateFile returns
INVALID_HANDLE_VALUE.
L.
No no no, Notepad error messages are fine. It is the Windows ones I want to block.
Thanks anyway.
I have an example.
http://www.beyondlogic.org/solutions/trust-no-exe/trust-no-exe.htm
I am reading into it now, but they use a specific error message when blocking an application.
This topic has been discussed many times on this forum. Two possible
options (there are many) which have been discussed are 1) terminating
the process within a filter or 2) redirecting the open of the executable
to one of known functionality which will display the error message you
want. The latter choice is what you are referring to above.
Pete
–
Kernel Drivers
Windows File System and Device Driver Consulting
www.KernelDrivers.com
866.263.9295
Thanks Pete.
The problem I have with the latter solution is that when I open a file, POBJECT_FILE, and set PFLT_FILTER->ObjectFile to the new POBJECT_FILE, after the subroutine ends the change is ignored.
p.s. I can use google to search the forum website but I don’t actually know what keywords I am looking for.
You are not replacing the file object but instead you are redirecting
the requests to a different file. Look at the simrep sample in the
latest WDK for a taste of this type of processing.
Pete
I found it, thank you.
The last thing I need to know is whether it is possible to make a minifilter memory resistant, because for all the security my program is offering me, if someone just wrote one command line the driver would be unloaded and my application useless.
There are methods which you can use to protect the driver binary and
registry information, but in the end if the user has administrator
rights, it is very difficult to prevent them from disabling your driver.
Again, there are ways to protect this but you cannot protect it 100%.
For instance, they can simply boot into the OS install CD and delete
your driver while your protection mechanism is not running.
Pete
If the user has to reboot, I don’t mind; what I am trying to achieve is just local admin access. Unless I am wrong, if a keyboard filter is loaded, to unload it you first have to edit the registry and reboot, even as an administrator.
Can you name some of the protection mechanisms so I can indulge in some reading?
Google offered me the answer. It is quite a simple solution but it will be fine.
Thank you for all your help.