1

Im trying to block .dll injection (or general injection) into a specific process via a Minifilter

This is my PreOperationCallback:

    if (Data->Iopb->MajorFunction == IRP_MJ_ACQUIRE_FOR_SECTION_SYNCHRONIZATION) {
        /* Open file for writing/appending? */
        if ((Data->Iopb->Parameters.Create.SecurityContext->DesiredAccess & PAGE_EXECUTE) == PAGE_EXECUTE) {
            if (security) {
                DbgPrint("[ miniFilter ] [IRP_MJ_ACQUIRE_FOR_SECTION_SYNCHRONIZATION] [ Blocked ]\n");
                Data->IoStatus.Status = STATUS_ACCESS_DENIED;
                return FLT_PREOP_COMPLETE;
            }
        }
        if ((Data->Iopb->Parameters.Create.SecurityContext->DesiredAccess & FILE_EXECUTE) == FILE_EXECUTE) {
            if (security) {
                DbgPrint("[ miniFilter ] [IRP_MJ_ACQUIRE_FOR_SECTION_SYNCHRONIZATION] [ Blocked ]\n");
                Data->IoStatus.Status = STATUS_ACCESS_DENIED;
                return FLT_PREOP_COMPLETE;
            }
        }
    }
}

According to other Forums IRP_MJ_ACQUIRE_FOR_SECTION_SYNCHRONIZATION will be called on DLL Injection! I have also tried "IRP_MJ_CREATE" but then I am also blocking any execution of .exe files. Filtering the file extension could be easily bypassed...

I hope somebody knows more about it ;)

ventrixstack
  • 11
  • 3

1 Answers1

1

Minifilter is not suitable for this.

AcquireForSectionSync is called when a process calls CreateFileMapping/ZwCreateSection.

Suppose ProcessA wants to inject a DLL into ProcessB. It can create a remote thread that will make ProcessB call LoadLibrary.

At that point your filter will see that ProcessB calls AcquireForSection sync which every process does when it starts up as the loader will load all the basic dlls like: ntdll, kernel32, etc...

What you want is Ob callbacks, e.g.:

ObRegisterCallbacks function

The ObRegisterCallbacks routine registers a list of callback routines for thread, process, and desktop handle operations.

These callback will allow you to prevent a process from opening another process with various rights.

Imagine you have a scenario where ProcessA wants to inject something into ProcessB via some sort of CreateRemoteThread/ReadWriteProcessMemory manipulation.

ProcessA:

OpenProcess(ProcessB, PROCESS_VM_...);

YouDriverObCallbackRoutine() {
   Check if ProcessA should have access it asks for ProcessB.
   If not you can simply strip away the access and return.
}

This will result in ProcessA having a handle without those rights to ProcessB.

Now when ProcessA tries to call

  • CreateRemoteThread
  • ReadProcessMemory
  • WriteProcessMemory

on ProcessB, the system will deny the access as the handle does not have those rights anymore (you stripped them in your Ob callback).

Ian Boyd
  • 246,734
  • 253
  • 869
  • 1,219
Gabriel Bercea
  • 1,191
  • 1
  • 10
  • 21
  • ObCallBacks are not enough. For example, SetWindowsHookEx() will completely ignore the callbacks. – Mecanik Jun 12 '21 at 09:36