can i write a filter driver which can block certain .exe

  • Question

  • can a filter driver be written which gets invoked when any exe is started and block or allow it to execute in the system.

    sunil45

    Tuesday, December 17, 2013 1:34 PM

Answers

  • If you are targeting current versions of Windows (i.e. Vista or later) this is easy with PsSetCreateProcessNotifyEx which allows you to see all the creations, and fail them if you want.

    Be aware that determining what should be blocked is not an easy task.  Some folks think we will block x.exe, but that does not stop someone from copying the file to y.exe and running it.


    Don Burn Windows Filesystem and Driver Consulting Website: http://www.windrvr.com Blog: http://msmvps.com/blogs/WinDrvr

    Tuesday, December 17, 2013 1:50 PM

All replies

  • can i just implement this in the driver entry function and write a call back routine CreateProcessNotifyEx to terminate or allow.

    i would also like to use the ZwReadFile call back function to read a file and check if the exe is present in the file then block else allow it.

    how would i merge this with CreateProcessNotifyEx


    sunil45

    Wednesday, December 18, 2013 9:27 AM
  • i would also like to use the ZwReadFile call back function to read a file and check if the exe is present in the file then block else allow it.

    how would i merge this with CreateProcessNotifyEx


    sunil45

    Wednesday, December 18, 2013 12:56 PM
  • Basically read the file in as part of DriverEntry and store it in an appropriate data structure for searching.  I say appropriate structure since as I pointed out in the earlier response just checking the name is not safe.  If you look at the PE format http://msdn.microsoft.com/library/windows/hardware/gg463125 you will see there are fields for date/time and checksum that a minimum I would check to see that foo.exe really is the foo.exe you believe it is.


    Don Burn Windows Filesystem and Driver Consulting Website: http://www.windrvr.com Blog: http://msmvps.com/blogs/WinDrvr

    Wednesday, December 18, 2013 1:20 PM
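    The following is an added example (not code from this thread or from Don Burn) of the identity check suggested above: instead of matching the image name alone, it parses the PE header of the file's bytes, pulls the COFF TimeDateStamp and the optional-header CheckSum, and looks those up in a blocklist loaded at startup. Because a copy of x.exe renamed to y.exe keeps the same PE header, the renamed copy is still recognised. The code is plain user-mode C so it runs stand-alone; in a driver the same ParsePeIdentity/FindBlockedEntry logic would run inside the process-creation callback on bytes read from the image file. The blocklist entry, the TimeDateStamp/CheckSum values and the BuildSampleImage header are constructed for the example and do not describe any real binary.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* One blocklist entry: the name is kept only for reporting; the decision is
 * made on TimeDateStamp + CheckSum, which survive a rename of the file. */
typedef struct {
    const char *name;
    uint32_t    timeDateStamp;   /* IMAGE_FILE_HEADER.TimeDateStamp */
    uint32_t    checkSum;        /* IMAGE_OPTIONAL_HEADER.CheckSum  */
} BlockEntry;

/* Constructed blocklist for the example (would be read from a file in DriverEntry). */
static const BlockEntry g_blocklist[] = {
    { "foo.exe", 0x52B06B3CU, 0x0001A2B3U },
};

/* Little-endian field accessors; PE headers are always little-endian. */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void wr32(uint8_t *p, uint32_t v) { wr16(p, (uint16_t)v); wr16(p + 2, (uint16_t)(v >> 16)); }

/* Extract TimeDateStamp and CheckSum from a raw PE image buffer.
 * Returns 0 on success, a negative code if the buffer is not a usable PE header. */
int ParsePeIdentity(const uint8_t *buf, size_t len, uint32_t *timeDateStamp, uint32_t *checkSum)
{
    if (len < 0x40 || buf[0] != 'M' || buf[1] != 'Z') return -1;      /* IMAGE_DOS_HEADER */
    uint32_t e_lfanew = rd32(buf + 0x3C);
    /* Need "PE\0\0" (4) + IMAGE_FILE_HEADER (20) + optional header up to CheckSum (68). */
    if (e_lfanew > len || len - e_lfanew < 4 + 20 + 68) return -2;
    const uint8_t *nt = buf + e_lfanew;
    if (memcmp(nt, "PE\0\0", 4) != 0) return -3;
    const uint8_t *fileHdr = nt + 4;
    if (rd16(fileHdr + 16) < 68) return -4;                            /* SizeOfOptionalHeader */
    const uint8_t *opt = fileHdr + 20;
    uint16_t magic = rd16(opt);
    if (magic != 0x10B && magic != 0x20B) return -5;                   /* PE32 or PE32+ only */
    *timeDateStamp = rd32(fileHdr + 4);
    *checkSum      = rd32(opt + 64);   /* CheckSum sits at offset 64 in both PE32 and PE32+ */
    return 0;
}

/* Return the matching blocklist entry, or NULL if the image is not listed. */
const BlockEntry *FindBlockedEntry(const uint8_t *buf, size_t len)
{
    uint32_t ts, cs;
    if (ParsePeIdentity(buf, len, &ts, &cs) != 0) return NULL;  /* not identifiable: no match */
    for (size_t i = 0; i < sizeof g_blocklist / sizeof g_blocklist[0]; i++)
        if (g_blocklist[i].timeDateStamp == ts && g_blocklist[i].checkSum == cs)
            return &g_blocklist[i];
    return NULL;
}

int ShouldBlockImage(const uint8_t *buf, size_t len) { return FindBlockedEntry(buf, len) != NULL; }

/* Build a minimal constructed PE32 header (not a loadable executable) with the
 * given identity fields. Returns the number of bytes written, 0 if cap is too small. */
size_t BuildSampleImage(uint8_t *buf, size_t cap, uint32_t timeDateStamp, uint32_t checkSum)
{
    const uint32_t lfanew = 0x40;
    const size_t total = lfanew + 4 + 20 + 224;   /* 224 = PE32 optional header size */
    if (cap < total) return 0;
    memset(buf, 0, total);
    buf[0] = 'M'; buf[1] = 'Z';
    wr32(buf + 0x3C, lfanew);
    memcpy(buf + lfanew, "PE\0\0", 4);
    uint8_t *fh = buf + lfanew + 4;
    wr16(fh + 0, 0x014C);            /* IMAGE_FILE_MACHINE_I386 */
    wr32(fh + 4, timeDateStamp);
    wr16(fh + 16, 224);              /* SizeOfOptionalHeader */
    uint8_t *opt = fh + 20;
    wr16(opt, 0x10B);                /* PE32 magic */
    wr32(opt + 64, checkSum);
    return total;
}

/* Convenience: build an image with the given identity and return the block decision. */
int Scenario(uint32_t timeDateStamp, uint32_t checkSum)
{
    uint8_t img[512];
    size_t n = BuildSampleImage(img, sizeof img, timeDateStamp, checkSum);
    return ShouldBlockImage(img, n);
}

int main(void)
{
    /* Same header as the listed foo.exe but presented under another name: still blocked. */
    printf("y.exe (renamed copy of foo.exe): %s\n", Scenario(0x52B06B3CU, 0x0001A2B3U) ? "BLOCK" : "allow");
    /* Same name would not matter: a different build has a different identity. */
    printf("foo.exe (different build):       %s\n", Scenario(0x52B06B3CU, 0x0001A2B4U) ? "BLOCK" : "allow");
    return 0;
}
```

    Both fields are stored inside the file itself, so they identify a specific build but are not tamper-proof; if the goal is to resist a deliberate modification rather than a simple rename, a hash of the file contents is the stronger key for the same data structure.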
  • but how will i able to access the PE format of the file that invokes the call back routine.

    PS_CREATE_NOTIFY_INFO->_FILE_OBJECT i can get only the FileName


    sunil45

    Friday, December 20, 2013 5:57 AM
  • @ Pavel A how will a driver unload itself if i have registered the PsSetCreateProcessNotifyRoutineEx routine in driver entry and have its call back function.

    sunil45

    Friday, December 20, 2013 11:06 AM
  • ObOpenObjectByPointer will allow you to open the file.  If your driver defines an Unload routine then call PsSetCreateProcessNotifyEx with the Remove flag TRUE.


    Don Burn Windows Filesystem and Driver Consulting Website: http://www.windrvr.com Blog: http://msmvps.com/blogs/WinDrvr

    Friday, December 20, 2013 12:11 PM
  • so you telling me to create a EvtDriverDeviceAdd function and in that create a fake device object.

    sunil45

    Monday, December 23, 2013 8:57 AM
  • Take a look at http://www.osronline.com/article.cfm?article=390 for a sample of what to do.


    Don Burn Windows Filesystem and Driver Consulting Website: http://www.windrvr.com Blog: http://msmvps.com/blogs/WinDrvr

    Monday, December 23, 2013 11:21 AM