Securing Application Execution with a Custom Minifilter Driver

A VoidStarIndia Case Study

Client Overview

Our client, a Germany-based cybersecurity solutions provider, focuses on delivering advanced technologies to protect intellectual property and prevent unauthorized software execution. Their target customers are enterprises requiring strict control over how sensitive applications and executables are distributed, installed, and executed within corporate environments.

Business Challenge

The client wanted to enforce strict execution control for Windows applications. Standard approaches could not meet the required level of security, which called for:

  • Allowing only authorized processes to run decrypted application executables.
  • Ensuring any unauthorized attempt (e.g., via Explorer or command line) would only access the encrypted version.
  • Automatically encrypting all executables written by an installer to prevent tampering or unauthorized usage.
  • Decrypting files only when executed by a specific trusted launcher process.

The challenge was that Windows did not provide native mechanisms to filter and transparently control file access based on process ID and file path context, requiring a low-level custom solution.

VoidStarIndia’s Expertise

  • Deep expertise in Windows internals and kernel-mode development.
  • Proven track record of delivering file system minifilter drivers.
  • Experience integrating kernel drivers with user-mode applications in C# for flexible policy enforcement.

Our Solution

VoidStarIndia designed and implemented a custom minifilter driver combined with a C# user-mode management application. Key aspects included:

1. Process-Aware File Decryption

  • The driver provided a filtered view of the file system based on process ID and file/folder paths.
  • Legitimate processes launching encrypted applications were shown the decrypted version for execution.
  • Unauthorized processes only saw the encrypted form of the executable.

2. On-the-Fly Encryption of Installers

  • During software installation, all .exe files written by installers were encrypted in real time.
  • These files could only be decrypted and executed later when launched by the approved application.

3. Secure Execution Workflow

  • Downloaded installers (e.g., setup.exe) were decrypted only when executed by the designated launcher process.
  • All resulting executables from the installation process were encrypted, preserving a locked-down environment.

4. C# User-Mode Integration

  • All driver decisions and events were forwarded to a C# client application via the minifilter communication port.
  • This enabled the client to manage policies, monitor execution, and control encryption/decryption behavior in real time.
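The decision the driver makes on every create, read and write, as described in points 1 to 4 above, condensed into a stand-alone policy core. This is an added illustration, not VoidStarIndia's driver code: the launcher PID, the protected folder and the verdict names are constructed assumptions, and the real driver evaluates this inside its minifilter pre-operation callbacks rather than in user mode.

```c
/* Decision core of a process-aware minifilter. Added illustration, not the
 * VoidStarIndia driver: launcher PID, protected folder and verdict names are
 * constructed assumptions. In the driver this runs in the pre-operation
 * callbacks, and each verdict is also sent to the C# client over the port. */
#include <stdbool.h>
#include <string.h>
typedef enum { OP_EXECUTE, OP_READ, OP_WRITE } FileOp;
typedef enum {
    VIEW_PASSTHROUGH,       /* not a managed file: pass I/O through untouched */
    VIEW_DECRYPTED,         /* trusted launcher: present the plaintext image */
    VIEW_ENCRYPTED,         /* any other process: present on-disk ciphertext */
    ACTION_ENCRYPT_ON_WRITE /* installer output: encrypt before it hits disk */
} Verdict;

typedef struct {
    unsigned long launcher_pid;     /* the one process allowed to see plaintext */
    const char   *protected_prefix; /* only executables under this tree are managed */
} Policy;

static int lower(int c) { return (c >= 'A' && c <= 'Z') ? c + 32 : c; }

/* Case-insensitive prefix test, since Windows paths are not case-sensitive;
 * a shorter s fails on its terminating NUL. */
static bool starts_with_ci(const char *s, const char *prefix) {
    for (; *prefix; s++, prefix++)
        if (lower((unsigned char)*s) != lower((unsigned char)*prefix)) return false;
    return true;
}

static bool has_exe_suffix(const char *path) {
    size_t n = strlen(path);
    return n >= 4 && starts_with_ci(path + n - 4, ".exe");
}

Verdict decide(const Policy *p, unsigned long pid, const char *path, FileOp op) {
    if (!starts_with_ci(path, p->protected_prefix) || !has_exe_suffix(path))
        return VIEW_PASSTHROUGH;        /* outside the protected tree or not an .exe */
    if (op == OP_WRITE)
        return ACTION_ENCRYPT_ON_WRITE; /* every .exe written into the tree is stored encrypted */
    if (pid == p->launcher_pid)
        return VIEW_DECRYPTED;          /* read or execute by the trusted launcher */
    return VIEW_ENCRYPTED;              /* Explorer, cmd.exe, copy tools see ciphertext only */
}

/* Constructed demo policy so the decision can be exercised stand-alone. */
Verdict decide_demo(unsigned long pid, const char *path, FileOp op) {
    static const Policy demo = { 4242UL, "C:\\Program Files\\Protected\\" };
    return decide(&demo, pid, path, op);
}
```

In the driver the same three inputs come from the caller's process ID, the normalized file name and the IRP major function of the intercepted operation.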

Outcome

  • Delivered a robust execution control mechanism that enforced strict security policies without disrupting end-user workflows.
  • Protected sensitive executables from unauthorized copying, tampering, or execution.
  • Helped the client strengthen their intellectual property protection strategy and offer a differentiated cybersecurity product to their customers.