Re: [ntdev] best method/approach to secure my driver?

On Jun 25, 2017, at 6:36 PM, Alex don wrote:
>
> Thanks for the replies. I think I did not clarify an important point about this topic: I don’t want to prevent anyone from sending IOCTLs to my driver, since I think that’s impossible; any process with enough privileges, or running as SYSTEM, can make modifications to the system or impersonate my service. The most important point is to prevent anyone from using my driver, for example if it does some “dangerous” function that can be abused by an attacker. Say I am writing a firewall solution: my service may send an IOCTL to block all outgoing connections, so if anyone takes my driver, they could abuse this functionality. How do I prevent this? All these methods can be easily bypassed:

I think all of the responders understood your situation quite well. It’s important for you to understand that anything you do in user mode can be hacked. What you need to do is realistically assess the danger of each breach, and balance that danger against the cost of your protection.

Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.