1. Field of the Invention
The present invention relates to the protection of computer systems. More particularly, the present invention relates to a system and method of monitoring and controlling access to objects.
2. Description of the Related Art
In the Windows® operating system, virtually everything is represented as an object in kernel mode. For example, files, devices, synchronization mechanisms, registry keys, threads, drivers, processes, modules, sections of memory, named pipes, mailslots, access tokens, and LPC ports are all represented as objects in kernel mode.
Whether a particular user mode process may access a particular object is determined using a Windows® access control list (ACL). Specifically, when a user mode process opens or creates a resource, the object manager uses the Windows® access control list to determine if the user mode process has permission to get a handle.
If the user mode process has permission, the user mode process receives a handle. Conversely, if the user mode process does not have permission, the user mode process is denied a handle. Without a handle, the user mode process is denied access to the object.
The user mode process is either granted complete access to the object or completely denied access. Accordingly, once granted access, the user mode process, which may for example be malicious code, is unrestricted in the modifications or manipulations it may make to the object.
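The handle check described above can be observed directly. The following PowerShell session is an added illustration, not part of the patent: it inspects the discretionary ACL of a file object, adds a Deny entry for the current user, and shows that the object manager refuses or grants the handle at open time, before any I/O occurs. It assumes a Windows host and uses a constructed file name under $env:TEMP.

```powershell
# Constructed demo file; not referenced anywhere in the patent text.
$path = Join-Path $env:TEMP 'acl-demo.txt'
Set-Content -Path $path -Value 'demo'

# The access control entries the object manager consults when a handle is requested.
(Get-Acl -Path $path).Access |
    Select-Object IdentityReference, FileSystemRights, AccessControlType |
    Format-Table -AutoSize

# Add an explicit Deny ACE for the current user; Deny entries take precedence over Allow.
$me   = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
$acl  = Get-Acl -Path $path
$deny = New-Object System.Security.AccessControl.FileSystemAccessRule($me, 'Write', 'Deny')
$acl.AddAccessRule($deny)
Set-Acl -Path $path -AclObject $acl

# The ACL decision is made when the handle is requested: a read handle is still
# granted, while a write handle is refused with UnauthorizedAccessException.
try {
    $h = [System.IO.File]::Open($path, 'Open', 'Read')
    'read handle granted'
    $h.Dispose()
} catch { "read handle denied: $($_.Exception.Message)" }

try {
    $h = [System.IO.File]::Open($path, 'Open', 'Write')
    'write handle granted'
    $h.Dispose()
} catch [System.UnauthorizedAccessException] { 'write handle denied' }

# Remove the Deny ACE again and delete the demo file.
$acl.RemoveAccessRule($deny) | Out-Null
Set-Acl -Path $path -AclObject $acl
Remove-Item -Path $path
```

Once the read handle has been granted, subsequent reads through that handle are not re-checked against the ACL; the decision is made at handle acquisition, which is the behaviour the passage relies on.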