[Sagaantheepic]

well, i am basically developing a driver of sort, which acts like my personal anti virus and such. Was wanting to move onto process protecting, where i can use my anti virus to protect a program. So far i am using ObRegisterCallback for both threads and process handles. Stripping their permissions. I also have setup a signature scan in my usermode program so i can scan for any potential viruses or programs with ill intent. I am also using other callbacks to monitor process creation and threads creation together with modules loaded. So the last step would be test mode. I really have nothing against drivers from just screwing up my programs.

Well, searched abit, couldnt really find a way. Remember that i do have a signed driver ( not a mini filter ) so i can load it normally. would love it if it works for both 64 bit and 32 bit even though 32 bit doesnt have DSE so it would be alright if it doesnt really work for 32 bit. Other then that, if there are ways of maybe checking for loaded driver's digital signatures properly, that would be lovely as well. Other things such as anti read / write would be great as well, remember that i am stripping read and write permissions from programs but i am just worried about people abusing lsass or csrss to gain a handle with full permissions.

Thank you for any help!

[tangptr]

The most "quick-and-dirty" way is to load a test-signed-only driver for detection.
In addition, 32-bit NT6 system do have DSE. It is disabled on default, but you may dynamically enable it by patching "Code-Integrity Driver".

[Sagaantheepic]

ahhhh. is there any other way to do it via kernel? there has to be something.

[Vrtule]

even though 32 bit doesnt have DSE

It is still good to have your 32-bit driver binary signed in order to avoid troubles witch routines such as ObRegisterCallbacks or PsSetCreateProcessNotifyRoutineEx. They can be called even from an unsigned driver but it is quite a dirty hack.

if there are ways of maybe checking for loaded driver's digital signatures

Well, you need to find driver's file and check its signature (WinVerifyTrust may be helpful). As far as I know, this cannot be simply done from kernelmode, so you would need a service collaborating closely with your driver. You probably should be able to launch it as a protected process if you sign it by your certificate.

[tangptr]

I shall emphasize that THERE IS DSE component on 32-bit Windows, albeit it is disabled at kernel initialization.
Therefore, you may enable DSE in 32-bit Windows by hacking "Code-Integrity driver". It can be done by ways in opposite of disabling DSE on Win64.

[EP_X0FF]

well, i am basically developing a driver of sort, which acts like my personal anti virus and such. Was wanting to move onto process protecting, where i can use my anti virus to protect a program. So far i am using ObRegisterCallback for both threads and process handles. Stripping their permissions. I also have setup a signature scan in my usermode program so i can scan for any potential viruses or programs with ill intent. I am also using other callbacks to monitor process creation and threads creation together with modules loaded. So the last step would be test mode. I really have nothing against drivers from just screwing up my programs.

Well, searched abit, couldnt really find a way. Remember that i do have a signed driver ( not a mini filter ) so i can load it normally. would love it if it works for both 64 bit and 32 bit even though 32 bit doesnt have DSE so it would be alright if it doesnt really work for 32 bit. Other then that, if there are ways of maybe checking for loaded driver's digital signatures properly, that would be lovely as well. Other things such as anti read / write would be great as well, remember that i am stripping read and write permissions from programs but i am just worried about people abusing lsass or csrss to gain a handle with full permissions.

Thank you for any help!

You can detect Test Mode by calling ZwQuerySystemInformation with SystemCodeIntegrityInformation flag and check returned flags in SYSTEM_CODEINTEGRITY_INFORMATION.state to have CODEINTEGRITY_OPTION_ENABLED and CODEINTEGRITY_OPTION_TESTSIGN. However this maybe unavailable on old Windows versions.

[Sagaantheepic]

Any other ways?

[EP_X0FF]

All other ways are stupid.