Re: [ntdev] best method/approach to secure my driver?

Thanks for the replies. I think I did not clarify an important point about this topic. I don’t want to prevent anyone from sending IOCTLs to my driver, since I think that’s impossible: any process with enough privileges or running as SYSTEM can make modifications to the system or impersonate my service. The most important point is to prevent anyone from using my driver if it does some “dangerous” function that can be abused by an attacker. For example, if I am writing a firewall solution, my service may send an IOCTL to block all outgoing connections, so if anyone takes my driver, they could abuse this functionality. How do I prevent this? All these methods can be easily bypassed:

  1. Preventing multiple instances or any kind of prevention of opening a handle to the device / object.
  2. Checking PID
  3. Checking process / file integrity
  4. Creating dedicated user account