I'm trying to block .dll injection (or general injection) into a specific process via a minifilter. This is my PreOperationCallback:
    if (Data->Iopb->MajorFunction == IRP_MJ_ACQUIRE_FOR_SECTION_SYNCHRONIZATION) {
        /* Parameters.Create is only valid for IRP_MJ_CREATE. For this request the
         * union member is AcquireForSectionSynchronization; its PageProtection field
         * carries PAGE_* flags (FILE_EXECUTE is a file access right and never appears here). */
        PFLT_PARAMETERS p = &Data->Iopb->Parameters;
        ULONG exec = PAGE_EXECUTE | PAGE_EXECUTE_READ | PAGE_EXECUTE_READWRITE | PAGE_EXECUTE_WRITECOPY;

        /* Is a section with executable protection being created (e.g. an image mapping)? */
        if (p->AcquireForSectionSynchronization.SyncType == SyncTypeCreateSection &&
            (p->AcquireForSectionSynchronization.PageProtection & exec) != 0) {
            if (security) {   /* global enable flag, defined elsewhere in the driver */
                DbgPrint("[ miniFilter ] [IRP_MJ_ACQUIRE_FOR_SECTION_SYNCHRONIZATION] [ Blocked ]\n");
                Data->IoStatus.Status = STATUS_ACCESS_DENIED;
                Data->IoStatus.Information = 0;
                return FLT_PREOP_COMPLETE;
            }
        }
    }
    /* Every other path lets the request through. */
    return FLT_PREOP_SUCCESS_NO_CALLBACK;
According to other forums, IRP_MJ_ACQUIRE_FOR_SECTION_SYNCHRONIZATION will be called on DLL injection! I have also tried IRP_MJ_CREATE, but then I am also blocking any execution of .exe files. Filtering the file extension could be easily bypassed...
I hope somebody knows more about it ;)
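As an added example (not the poster's code), here is how the decision the question is after can be written so that it is scoped to one guarded process rather than to every process on the machine: the callback inspects the AcquireForSectionSynchronization parameters of the request, compares the requestor PID from FltGetRequestorProcessId with the PID being guarded, and denies only executable section creation. The names ShouldDenySectionMapping, PreAcquireForSectionSync and g_ProtectedPid are assumptions, as is that the WDK build defines _KERNEL_MODE; the host-side stand-ins for the Windows types and PAGE_* constants exist only so the policy function can be compiled and checked outside the WDK. Two caveats that matter in practice: a DLL loaded into the guarded process is mapped by a thread running in that process, so this rule also denies the process's own legitimate DLL loads unless an allowlist (for example by image path) is layered on top, and this callback only observes image mappings that go through the file system, so it is one control, not a complete anti-injection solution.

```c
/*
 * Added example: policy for a minifilter that denies executable section
 * mappings requested in the context of one guarded process. The decision is a
 * plain C function so it can be compiled and checked on a host without the
 * WDK; the kernel callback wrapping it is only built in a kernel-mode build.
 */
#ifdef _KERNEL_MODE
#include <fltKernel.h>
#else
/* Host-side stand-ins for the Windows types and constants used below.
 * The numeric values are the documented NT ABI values. */
#include <stdint.h>
typedef uint32_t ULONG;
typedef unsigned char BOOLEAN;
#define TRUE  1
#define FALSE 0
#define PAGE_READONLY          0x02
#define PAGE_EXECUTE           0x10
#define PAGE_EXECUTE_READ      0x20
#define PAGE_EXECUTE_READWRITE 0x40
#define PAGE_EXECUTE_WRITECOPY 0x80
typedef enum _FS_FILTER_SECTION_SYNC_TYPE {
    SyncTypeOther = 0,
    SyncTypeCreateSection = 1
} FS_FILTER_SECTION_SYNC_TYPE;
#endif

/* Any PAGE_* value that permits execution. */
#define EXECUTE_PROTECTION_MASK \
    (PAGE_EXECUTE | PAGE_EXECUTE_READ | PAGE_EXECUTE_READWRITE | PAGE_EXECUTE_WRITECOPY)

/*
 * Deny when all of the following hold:
 *   - a section is being created (SyncTypeCreateSection), not some other
 *     synchronization request,
 *   - the requested protection allows execution, and
 *   - the request is made in the context of the guarded process.
 * This also denies the guarded process's own legitimate DLL loads; a real
 * deployment adds an allowlist (for example by image path) on top.
 */
BOOLEAN
ShouldDenySectionMapping(FS_FILTER_SECTION_SYNC_TYPE SyncType,
                         ULONG PageProtection,
                         ULONG RequestorPid,
                         ULONG ProtectedPid)
{
    if (ProtectedPid == 0 || RequestorPid != ProtectedPid) {
        return FALSE;               /* not the process we guard */
    }
    if (SyncType != SyncTypeCreateSection) {
        return FALSE;               /* not a section creation */
    }
    if ((PageProtection & EXECUTE_PROTECTION_MASK) == 0) {
        return FALSE;               /* data mapping, not code */
    }
    return TRUE;
}

#ifdef _KERNEL_MODE
/* PID of the guarded process; assumed to be set elsewhere in the driver
 * (for example from a control device or a registry value). */
extern ULONG g_ProtectedPid;

/* Pre-operation callback to register for
 * IRP_MJ_ACQUIRE_FOR_SECTION_SYNCHRONIZATION in the FLT_OPERATION_REGISTRATION
 * table. Because it is registered for that one major function only, the
 * AcquireForSectionSynchronization member of the parameter union is valid. */
FLT_PREOP_CALLBACK_STATUS
PreAcquireForSectionSync(_Inout_ PFLT_CALLBACK_DATA Data,
                         _In_ PCFLT_RELATED_OBJECTS FltObjects,
                         _Flt_CompletionContext_Outptr_ PVOID *CompletionContext)
{
    PFLT_PARAMETERS p = &Data->Iopb->Parameters;

    UNREFERENCED_PARAMETER(FltObjects);
    UNREFERENCED_PARAMETER(CompletionContext);

    if (ShouldDenySectionMapping(p->AcquireForSectionSynchronization.SyncType,
                                 p->AcquireForSectionSynchronization.PageProtection,
                                 FltGetRequestorProcessId(Data),
                                 g_ProtectedPid)) {
        DbgPrint("[ miniFilter ] executable mapping denied for pid %lu\n",
                 g_ProtectedPid);
        Data->IoStatus.Status = STATUS_ACCESS_DENIED;
        Data->IoStatus.Information = 0;
        return FLT_PREOP_COMPLETE;
    }
    return FLT_PREOP_SUCCESS_NO_CALLBACK;
}
#endif
```

Keeping the policy in a function with plain arguments means the three conditions (which process, which sync type, which protection) can be checked on a workstation before the driver is ever loaded, and the kernel callback stays a thin adapter around FltGetRequestorProcessId and the parameter union.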