Re[4]: How do I create a Windows Filesystem Filter Driver?

In terms of isolation, there are a lot of issues trying to hook into the
user level API. One that is very obvious is memory-mapped files: it’s
hard to control this access unless you make copies when a file is opened
and redirect at that point, but this can cause a serious amount of extra
overhead. Kernel-mode isolation is the way to go; I wrote a series of
blog posts on this very thing, but it takes a long time to get right. As
well, OSR has a development kit that implements an isolation framework,
and it’s kernel mode.

Pete


Kernel Drivers
Windows File System and Device Driver Consulting
www.KernelDrivers.com
866.263.9295

------ Original Message ------
From: “Karrson Heumann”
To: “Windows File Systems Devs Interest List”
Sent: 8/26/2016 10:45:22 AM
Subject: Re: Re[2]: [ntfsd] How do I create a Windows Filesystem Filter Driver?

>Thanks for the info! Maybe I’ll just hook into Win32 API calls instead.
>I think that would be much easier.
>
>On Fri, Aug 26, 2016 at 9:37 AM, PScott wrote:
>>
>>If you are starting from scratch, plan on a long development effort
>>(1+ years at a minimum, probably much longer) to reach your goals!
>>There are many hurdles to overcome in the virtualization effort you
>>are going after. Several members of this forum, myself included, have
>>or are on this path.
>>
>>Pete
>>
>>–
>>Kernel Drivers
>>Windows File System and Device Driver Consulting
>>www.KernelDrivers.com
>>866.263.9295
>>
>>
>>
>>------ Original Message ------
>>From: “Karrson Heumann”
>>To: “Windows File Systems Devs Interest List”
>>Sent: 8/26/2016 9:37:56 AM
>>Subject: Re: [ntfsd] How do I create a Windows Filesystem Filter Driver?
>>
>>>Thanks! The reason I want to create a file system filter driver is so
>>>that later on I can use a library that I’ll make as well that will
>>>allow the developer to interact with the file system with even more
>>>options than what’s given to them by default. This means the
>>>developer could do more without creating a driver. Of course, in
>>>order for the library to do its job, it will interact with the
>>>filesystem filter driver. The big feature I want to add to this
>>>library is the ability to create rules for programs that will allow
>>>or deny their read or write access to certain parts of the computer.
>>>I will then use this library for a virtualization program that will
>>>allow you to run potentially malicious programs on a web server or on
>>>your own computer without having to create a new VM and then install
>>>an OS. Instead, you could use a very powerful container which
>>>ensures that the program won’t harm your computer. Plus, the
>>>container would be very lightweight.
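
Added example, not part of the thread and not code from Pete's blog or from OSR's isolation kit: a small Python check that makes the memory-mapped-file gap Pete describes concrete. The WriteHook class is a stand-in for a user-mode detour on WriteFile, and the file name and contents are constructed for the demonstration. A write routed through the hook is counted; a write made through an mmap view never calls the hook at all, yet the bytes still reach the file. A kernel-mode minifilter does not share this blind spot: it gets the IRP_MJ_ACQUIRE_FOR_SECTION_SYNCHRONIZATION callback when the section is created, and the dirty pages later come back through it as paging-I/O IRP_MJ_WRITE requests, so both paths are visible to the enforcement point.

```python
"""Why a user-mode write hook cannot see memory-mapped file writes.

Added example, not code from the thread.  WriteHook stands in for a
user-mode API hook; the temp file and its contents are constructed here.
"""
import mmap
import os
import tempfile


class WriteHook:
    """Stand-in for a user-mode API hook: counts every write it mediates."""

    def __init__(self):
        self.mediated_writes = 0

    def write(self, fd, data):
        # A real hook would evaluate its allow/deny rules here.
        self.mediated_writes += 1
        return os.write(fd, data)


def hooked_write_then_mapped_write(hook):
    """Write once through the hook, then once through a memory mapping.

    Returns (writes the hook saw, final file contents) so the caller can
    compare what was mediated with what actually changed on disk.
    """
    fd, path = tempfile.mkstemp()  # constructed scratch file
    try:
        # 1. A write routed through the "hooked" API: the hook counts it.
        hook.write(fd, b"ORIGINAL")
        os.close(fd)

        # 2. A write through a memory mapping: the program never issues a
        #    write() call, so the hook is never invoked.  The kernel still
        #    pages the dirty bytes back to the file when the view is flushed.
        with open(path, "r+b") as f:
            with mmap.mmap(f.fileno(), 0) as view:
                view[:4] = b"XXXX"
                view.flush()

        with open(path, "rb") as f:
            final = f.read()
    finally:
        os.unlink(path)
    return hook.mediated_writes, final


def hook_covers_mapped_writes():
    """The check a sandbox author wants: does the enforcement point see
    every modification that reaches the file?  True only if the number of
    mediated writes matches the number of modifications found on disk."""
    hook = WriteHook()
    mediated, final = hooked_write_then_mapped_write(hook)
    # Two modifications reached the file: "ORIGINAL", then the mapped "XXXX".
    modifications_on_disk = 2 if final != b"ORIGINAL" else 1
    return mediated == modifications_on_disk


if __name__ == "__main__":
    print("user-mode hook covers mapped writes:", hook_covers_mapped_writes())
```

hook_covers_mapped_writes() returns False on any platform with mmap support, which is the whole argument for moving enforcement below the API surface. The same test, re-pointed at a kernel-level enforcement point that counts both the mediated write and the paging write, is the regression check worth keeping in a sandbox project's test suite.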

Thanks for letting me know! Can you please give me a link to those blog
posts? That would be awesome!

On Fri, Aug 26, 2016 at 9:54 AM, PScott wrote:

>
> In terms of isolation, there are a lot of issues trying to hook into the
> user level API. One that is very obvious is memory-mapped files: it’s hard
> to control this access unless you make copies when a file is opened and
> redirect at that point, but this can cause a serious amount of extra
> overhead. Kernel-mode isolation is the way to go; I wrote a series of blog
> posts on this very thing, but it takes a long time to get right. As well,
> OSR has a development kit that implements an isolation framework, and it’s
> kernel mode.
>
> Pete
>
> –
> Kernel Drivers
> Windows File System and Device Driver Consulting
> www.KernelDrivers.com
> 866.263.9295

It’s here on his blog:
http://www.kerneldrivers.com/security-process-isolation/
Good luck!

Gabriel
www.kasardia.com
Windows Kernel Driver Consulting

On Fri, Aug 26, 2016 at 8:14 PM, Karrson Heumann wrote:

> Thanks for letting me know! Can you please give me a link to those blog
> posts? That would be awesome!
Bercea. G.

Thanks!

On Fri, Aug 26, 2016 at 11:42 AM, Gabriel Bercea wrote:

> It’s here on his blog: http://www.kerneldrivers.com/security-process-isolation/
> Good luck!
>
> Gabriel
> www.kasardia.com
> Windows Kernel Driver Consulting