Add driver load interception #19
Comments
How would we determine that the certificate is leaked? We would need to maintain our own list of untrusted certificates. Also, msft does that already if you enable the driver blacklist under Security > Device security, "The vulnerable driver blocklist". I think this should be good enough; also you can add additional restrictions using a CI policy at boot time. I may add a mechanism to make using this OS feature simpler with a GUI.
I mean filter the service setup requests. When any executable tries to install a new driver service, we prompt the users.
There is no callback for that AFAIK, so we would need to inject our DLL into all Windows processes, which IMHO should not be the default.
Or just use PsSetLoadImageNotifyRoutine
That brings us back to how to determine if a driver can be trusted, but I guess we could use a whitelist approach, and then when a driver that was set as a filter fails to load, the system won't boot the next time LOL
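One way to check the two OS-level controls the comments above lean on (whether the Microsoft vulnerable driver blocklist is switched on, and an allowlist of driver signers rather than a list of leaked certificates), written here as an added PowerShell example; it is not code from this project or from any of the commenters. It assumes the blocklist switch is the `VulnerableDriverBlocklistEnable` value under `HKLM\SYSTEM\CurrentControlSet\Control\CI\Config` (the location Microsoft documents for that setting), and the allowlist thumbprint and the function names are placeholders of mine.

```powershell
# Added example, not project code. Inventories kernel driver services, reports the
# signer of each driver binary, and flags running drivers whose signer thumbprint
# is not on a locally maintained allowlist. Also reports the blocklist switch.

# Assumption: this is the registry location Microsoft documents for the
# "vulnerable driver blocklist" toggle shown under Security > Device security.
$ciConfig       = 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config'
$blocklistValue = 'VulnerableDriverBlocklistEnable'

# Constructed placeholder: replace with thumbprints of signers you actually trust.
$AllowedThumbprints = @(
    '0000000000000000000000000000000000000000'
)

function Get-VulnerableDriverBlocklistState {
    $prop = Get-ItemProperty -Path $ciConfig -Name $blocklistValue -ErrorAction SilentlyContinue
    if ($null -eq $prop) { return 'not configured (OS default applies)' }
    if ($prop.$blocklistValue -eq 1) { return 'enabled' }
    return 'disabled'
}

function Resolve-DriverPath([string] $rawPath) {
    # Win32_SystemDriver.PathName may be quoted, prefixed with \??\ or \SystemRoot,
    # or given relative to the Windows directory; normalise to an absolute path.
    $p = $rawPath -replace '"', ''
    $p = $p -replace '^\\\?\?\\', ''
    $p = $p -replace '^\\SystemRoot', $env:SystemRoot
    if ($p -notmatch '^[A-Za-z]:\\') { $p = Join-Path $env:SystemRoot $p }
    return $p
}

function Get-DriverSignerReport {
    Get-CimInstance -ClassName Win32_SystemDriver |
      Where-Object { $_.PathName } |
      ForEach-Object {
        $path = Resolve-DriverPath $_.PathName
        $sig  = Get-AuthenticodeSignature -FilePath $path -ErrorAction SilentlyContinue
        $status = 'Unknown'
        $signer = $null
        $thumb  = $null
        if ($sig) {
            $status = $sig.Status
            if ($sig.SignerCertificate) {
                $signer = $sig.SignerCertificate.Subject
                $thumb  = $sig.SignerCertificate.Thumbprint
            }
        }
        [pscustomobject]@{
            Name        = $_.Name
            State       = $_.State
            StartMode   = $_.StartMode
            Path        = $path
            SigStatus   = $status
            Signer      = $signer
            Thumbprint  = $thumb
            OnAllowlist = ($null -ne $thumb -and $AllowedThumbprints -contains $thumb)
        }
      }
}

"Vulnerable driver blocklist: $(Get-VulnerableDriverBlocklistState)"

# Running drivers whose signer is not on the allowlist are the ones to review first:
# a Valid signature from an unexpected signer is the "leaked but not yet revoked
# certificate" case this issue is about, and NotSigned/unknown status needs a look too.
Get-DriverSignerReport |
    Where-Object { $_.State -eq 'Running' -and -not $_.OnAllowlist } |
    Sort-Object Name |
    Format-Table Name, SigStatus, Signer, Path -AutoSize
```

Run it from an elevated PowerShell session so every driver binary is readable. Because the comparison is against signer thumbprints you chose rather than against a list of known-bad certificates, a driver signed with a certificate that is valid but simply not yours shows up without anyone having to know in advance that the certificate leaked; revocation, when the CA gets to it, then also changes the `SigStatus` column.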
Sometimes, malicious programs will sign a driver with a leaked but not yet revoked certificate and load it, bypassing MP protection at the kernel level. Even if the CA reacts instantly, the data theft becomes a fait accompli. To prevent this, I'd suggest MP add a module load callback to mitigate this possibility.