Syahmi Azhar

Reputation: 49

Minifilter: Block applications with notification

I'm writing a minifilter to block application execution. On IRP_MJ_CREATE, the minifilter will request a file scan from the user-mode application. The user-mode application will decide whether to allow execution of the PE file (.exe/.dll/etc.) or not.

Currently, when the user-mode app says no, the minifilter issues an access denied status and cancels the file open. (Yes, using FltCancelFileOpen.)

The problem with returning access denied is that, from the user's perspective, they will get a message box from the system like this: "Windows cannot access the specified path or file. You may not have the appropriate permissions to access the item."

Another example: when blocking a specific DLL from being loaded, another message box will appear:

The application was unable to start correctly (0xc00000022)

What I want to accomplish is to still deny the open but suppress the message box and show a notification of my own, which is a user-friendly error message indicating the app was blocked. An example is the Windows 8 SmartScreen feature, which notifies the user when running a blocked exe without any message box saying access denied or similar.

How can I do that?

Upvotes: 1

Views: 1242

Answers (1)

MSalters

Reputation: 179819

Let's take the DLL example. You get that error because there's code in Windows equivalent to

if (!LoadLibrary(szDllName))
{
    // Load failed: show the error dialog
    MessageBox("Application Error", ...);
}
else
{
    // Load succeeded: look up the entry point and call it
    DllMain = GetProcAddress("DllMain");
    DllMain(DLL_PROCESS_ATTACH);
}

So, if you don't want the first branch of the code to be taken, you should allow the DLL to load. There's no third option.

The Windows 8 example is misleading. If you're Microsoft, of course you can add that third option.

[edit] On second thought, did you cancel the operation using FltCancelFileOpen? If not, then how did you do it?

Upvotes: 1
