Description
Disclaimer: Obviously, there is no point in trying to confront the drivers of malicious programs. However, there is some "legitimate" software that loads drivers to perform certain functions under the guise of a legitimate name. Software such as game anti-cheat will use drivers to access user files. Naturally, Microsoft doesn't issue signatures for drivers that are preoccupied with kernel-layer battles, but we also need to guard against these so-called legitimate programs accessing our files in the usual way.
If the secure disk allows all IRPs directly from the driver layer, then we need this mechanism; otherwise, we do not need it.
An enhanced mechanism can be provided to improve the security of the secure disk. A DLL is injected at the user level into the process authorized to access the disk located in the Secure Enclave. The system-call-level function ZwCreateFile is hooked, and a channel is established between the driver and the user layer.
The driver maintains a variable representing 'accessibility' for each secure volume. When a program plans to access data on the secure disk, the user layer notifies the driver to set the variable value to 'true', and after the access is complete, it sets it to 'false'. The driver then denies all MJ_CREATE IRP requests when the variable value is false.
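The gate described above, as an added example that is not part of this issue or of the project's code: a user-mode C model of the driver-side decision, so the logic can be exercised without a kernel build. The volume ids, message names and function names are assumptions made for the example. It also goes one step beyond the issue text: the issue describes a single boolean per volume, but this model keeps a count of in-progress authorized accesses, because with a plain boolean the first of two overlapping accesses to finish would close the gate underneath the second one.

```c
/* Added example (not project code): model of the per-volume "accessibility"
 * gate. The driver denies IRP_MJ_CREATE while no authorized access is in
 * progress. Volume ids, message names and the counting refinement are
 * assumptions for this example. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_VOLUMES 4

/* Per-volume gate state kept by the (modelled) driver. A count rather than a
 * boolean, so overlapping authorized accesses do not close the gate early. */
typedef struct {
    uint32_t open_count;
} volume_gate_t;

typedef struct {
    volume_gate_t gates[MAX_VOLUMES];
} secure_disk_driver_t;

void driver_init(secure_disk_driver_t *d) { memset(d, 0, sizeof *d); }

/* Messages sent over the user<->driver channel by the injected DLL's
 * ZwCreateFile hook: "about to access volume V" / "done with volume V". */
typedef enum { GATE_MSG_ENTER, GATE_MSG_LEAVE } gate_msg_t;

/* Returns false on a malformed message (unknown volume, LEAVE without ENTER),
 * so a confused or hostile user-mode sender cannot drive the count negative. */
bool driver_handle_user_msg(secure_disk_driver_t *d, unsigned volume, gate_msg_t m)
{
    if (volume >= MAX_VOLUMES) return false;
    volume_gate_t *g = &d->gates[volume];
    switch (m) {
    case GATE_MSG_ENTER:
        g->open_count++;
        return true;
    case GATE_MSG_LEAVE:
        if (g->open_count == 0) return false;
        g->open_count--;
        return true;
    }
    return false;
}

/* The verdict the driver's create dispatch (IRP_MJ_CREATE) would return. */
typedef enum { CREATE_ALLOW, CREATE_DENY } create_verdict_t;

create_verdict_t driver_on_create(const secure_disk_driver_t *d, unsigned volume)
{
    if (volume >= MAX_VOLUMES) return CREATE_DENY;
    return d->gates[volume].open_count > 0 ? CREATE_ALLOW : CREATE_DENY;
}

/* A fresh driver must reject a LEAVE that was never preceded by an ENTER. */
bool leave_without_enter_is_rejected(void)
{
    secure_disk_driver_t drv;
    driver_init(&drv);
    return !driver_handle_user_msg(&drv, 0, GATE_MSG_LEAVE)
        && driver_on_create(&drv, 0) == CREATE_DENY;
}

/* Scenario: a create arrives while the gate is closed, then two authorized
 * accesses to volume 0 overlap, while volume 1 is never opened.
 * Returns the number of denied creates (expected: 3). */
int run_scenario(void)
{
    secure_disk_driver_t drv;
    driver_init(&drv);
    int denied = 0;

    /* Nobody has announced access: any create, including one issued by a
     * third-party driver reading the volume directly, is denied. */
    if (driver_on_create(&drv, 0) == CREATE_DENY) denied++;

    driver_handle_user_msg(&drv, 0, GATE_MSG_ENTER);   /* access A begins */
    driver_handle_user_msg(&drv, 0, GATE_MSG_ENTER);   /* access B begins */
    driver_handle_user_msg(&drv, 0, GATE_MSG_LEAVE);   /* access A ends   */
    /* A boolean would already read "false" here; the count keeps B alive. */
    if (driver_on_create(&drv, 0) == CREATE_DENY) denied++;
    driver_handle_user_msg(&drv, 0, GATE_MSG_LEAVE);   /* access B ends   */
    if (driver_on_create(&drv, 0) == CREATE_DENY) denied++;

    /* Volumes are independent: volume 1 stayed closed throughout. */
    if (driver_on_create(&drv, 1) == CREATE_DENY) denied++;
    return denied;
}

int main(void)
{
    printf("denied creates in scenario: %d\n", run_scenario()); /* 3 */
    printf("unbalanced LEAVE rejected: %s\n",
           leave_without_enter_is_rejected() ? "yes" : "no");
    return 0;
}
```

In a real driver this verdict would be taken in the create dispatch or a minifilter pre-create callback, which can run concurrently, so the per-volume count needs a lock or interlocked operations; the model above is single-threaded on purpose so the gate semantics are easy to read.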