Reputation: 11
How to block an dll injection via Minifilter
Im trying to block .dll injection (or general injection) into a specific process via a Minifilter
This is my PreOperationCallback:
if (Data->Iopb->MajorFunction == IRP_MJ_ACQUIRE_FOR_SECTION_SYNCHRONIZATION) {
/* Open file for writing/appending? */
if ((Data->Iopb->Parameters.Create.SecurityContext->DesiredAccess & PAGE_EXECUTE) == PAGE_EXECUTE) {
if (security) {
DbgPrint("[ miniFilter ] [IRP_MJ_ACQUIRE_FOR_SECTION_SYNCHRONIZATION] [ Blocked ]\n");
Data->IoStatus.Status = STATUS_ACCESS_DENIED;
return FLT_PREOP_COMPLETE;
}
}
if ((Data->Iopb->Parameters.Create.SecurityContext->DesiredAccess & FILE_EXECUTE) == FILE_EXECUTE) {
if (security) {
DbgPrint("[ miniFilter ] [IRP_MJ_ACQUIRE_FOR_SECTION_SYNCHRONIZATION] [ Blocked ]\n");
Data->IoStatus.Status = STATUS_ACCESS_DENIED;
return FLT_PREOP_COMPLETE;
}
}
}
}
According to other Forums IRP_MJ_ACQUIRE_FOR_SECTION_SYNCHRONIZATION will be called on DLL Injection!
I have also tried "IRP_MJ_CREATE" but then I am also blocking any execution of .exe files. Filtering the file extension could be easily bypassed...
I hope somebody knows more about it ;)
Upvotes: 1
Views: 1188
Answers (1)
Reputation: 1271
Minifilter is not suitable for this.
AcquireForSectionSync is called when a process calls CreateFileMapping/ZwCreateSection.
Suppose ProcessA wants to inject a DLL into ProcessB. It can create a remote thread that will make ProcessB call LoadLibrary.
At that point your filter will see that ProcessB calls AcquireForSection sync which every process does when it starts up as the loader will load all the basic dlls like: ntdll, kernel32, etc...
What you want is Ob callbacks, e.g.:
The ObRegisterCallbacks routine registers a list of callback routines for thread, process, and desktop handle operations.
These callback will allow you to prevent a process from opening another process with various rights.
Imagine you have a scenario where ProcessA wants to inject something into ProcessB via some sort of CreateRemoteThread/ReadWriteProcessMemory manipulation.
ProcessA:
OpenProcess(ProcessB, PROCESS_VM_...);
YouDriverObCallbackRoutine() {
Check if ProcessA should have access it asks for ProcessB.
If not you can simply strip away the access and return.
}
This will result in ProcessA having a handle without those rights to ProcessB.
Now when ProcessA tries to call
- CreateRemoteThread
- ReadProcessMemory
- WriteProcessMemory
on ProcessB, the system will deny the access as the handle does not have those rights anymore (you stripped them in your Ob callback).
Upvotes: 1
Related Questions
- Detect & Block Read/WriteProcessMemory calls from a Driver
- How do I prevent DLL injection
- Intercept Process Access using a Windows MiniFilter Driver
- Prevent McAfee Dlls injection
- Prevent Dll injection from an Dll C++
- Preventing a DLL file from loading into my process via MS Detours
- how to block dll injection using a Blackllist/by identifying a dll uniquely?
- How to protect against DLL Hijacking?
- Minifilter: Block applications with notification
- Block file creation