
What Windows kernel API calls are available from a Windows File System Filter Driver (minifilter driver) that allow the driver to change the privilege level to/from SYSTEM/Administrator for a process that was intercepted by the File System Filter Driver when loading the EXE?

Zig Shanklin
  • Why would a file system thing change a user/token thing? – Anders Jun 22 '22 at 17:12
  • @Anders cybersecurity vendors assigned altitudes in the FSFilter Anti-Virus range use the minifilter driver to intercept the launching of executable files by Windows to determine whether the executable should be allowed or blocked based on a policy. [Minifilter Assigned Altitudes](https://learn.microsoft.com/en-us/windows-hardware/drivers/ifs/allocated-altitudes), see 320000 - 329998: FSFilter Anti-Virus Altitude range. If there is an API available to the minifilter driver to change the privilege level, then the executable could be launched at either a higher or lower privilege level. – Zig Shanklin Oct 14 '22 at 21:09
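The comment above points at the altitude ranges that tell you which loaded minifilters sit in the FSFilter Anti-Virus band (320000 - 329998). The following PowerShell is an added example, not code from the question or from either commenter: it parses the output of `fltmc filters` and tags each loaded filter with its altitude group. The `fltmc` output lines embedded in the block are constructed sample data; the function calls the real tool (which needs an elevated prompt) only when no lines are supplied. The Anti-Virus boundaries are the ones quoted in the comment; the Activity Monitor boundaries (360000 - 389999) are taken from Microsoft's allocated-altitudes table and are not stated on this page.

```powershell
# Added example: classify loaded minifilters by altitude group from `fltmc filters` output.
# Only the Anti-Virus range comes from this page; the Activity Monitor range is from
# Microsoft's allocated-altitudes table. Everything else is reported as 'Other'.
$AltitudeGroups = @(
    [pscustomobject]@{ Name = 'FSFilter Anti-Virus';       Min = 320000; Max = 329998 }
    [pscustomobject]@{ Name = 'FSFilter Activity Monitor'; Min = 360000; Max = 389999 }
)

function Get-MinifilterAltitudes {
    param(
        # Lines of `fltmc filters` output. When omitted, run the tool (requires elevation).
        [string[]]$FltmcOutput
    )
    if (-not $FltmcOutput) { $FltmcOutput = & fltmc.exe filters 2>&1 }

    foreach ($line in $FltmcOutput) {
        # Data rows look like: "WdFilter    3    328010    0". Header and dash rows do not match.
        if ($line -match '^(?<name>\S+)\s+(?<inst>\d+)\s+(?<alt>\d+(?:\.\d+)?)\s+(?<frame>\d+)\s*$') {
            $alt   = [double]$Matches.alt
            $group = ($AltitudeGroups | Where-Object { $alt -ge $_.Min -and $alt -le $_.Max } |
                      Select-Object -First 1).Name
            [pscustomobject]@{
                Filter    = $Matches.name
                Altitude  = $alt
                Group     = $(if ($group) { $group } else { 'Other' })
                Instances = [int]$Matches.inst
                Frame     = [int]$Matches.frame
            }
        }
    }
}

# Constructed sample output (not captured from a real machine) so the block runs offline.
$sample = @'
Filter Name                     Num Instances    Altitude    Frame
------------------------------  -------------  ------------  -----
WdFilter                                3       328010         0
SysmonDrv                               3       385201         0
FileInfo                                3        40500         0
'@ -split "`r?`n"

Get-MinifilterAltitudes -FltmcOutput $sample | Format-Table -AutoSize

# On a live system, list only filters registered in the Anti-Virus altitude band:
# Get-MinifilterAltitudes | Where-Object Group -eq 'FSFilter Anti-Virus'
```

With the sample input, WdFilter is reported as FSFilter Anti-Virus, SysmonDrv as FSFilter Activity Monitor, and FileInfo as Other. A filter in the Anti-Virus band is the one whose pre-create callback sees executable opens first among the AV-class filters, which is the interception the comment describes; the altitude alone says nothing about whether the driver touches process tokens.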

0 Answers