Validating a client from kernel in Windows


I made a desktop application in C# and a kernel driver for Windows (mostly targeted at Windows 10 and 11). Now my goal is to sell these two, but I am wondering about ways to harden against piracy. I understand and have done many things to harden my desktop application, from encryption to server checks, to making it very challenging to reverse engineer, etc. Really, it all seems extremely hard to bypass, but it's not impossible, since users with enough time and expertise could potentially recreate the process after removing my validation checks. This is why I want to leverage my kernel driver to play a role in mitigating piracy, sort of like how video game anti-cheats try to prevent modifying the client. This is because my driver is a key component of why people would buy my software, and trying to hack a kernel driver is way more challenging than hacking a simple desktop application.

One key note here is that I am fairly sure kernel drivers should not try to connect to anything over the web, which I don't do. Anyway, the point of this question is to seek a solution for verifying, from my kernel driver, that my desktop application has not been modified. Also, the way my application and driver communicate with each other is through IOCTL. Of course, I could do things like trying to strip permissions like READ and WRITE as anti-cheats do, but I assume the most generic style of attack would be to just throw the exe into dnSpy and slowly try to reverse it and remove my protections before creating a new exe.

Of course, my driver and my application will be signed, so one type of check would be to verify that the signature is valid. I could also try to take a hash of the file and verify that it's valid, sort of like a checksum, but I have no idea if this is even possible in the kernel. I am also not sure if it's even possible to view which process you are communicating with over IOCTL, since I was told running the following inside an IOCTL queue will not always yield the client application.

    PEPROCESS Process = NULL;
    HANDLE ProcessId = PsGetCurrentProcessId(); // Gets the current process ID
    if (NT_SUCCESS(PsLookupProcessByProcessId(ProcessId, &Process))) {
        // ... inspect Process here ...
        ObDereferenceObject(Process); // PsLookupProcessByProcessId takes a reference that must be released
    }

Really, I have no idea how one would verify any information about a client, since getting the EPROCESS does nothing, as Microsoft decided not to make any of its contents available through functions or even by documenting the structure. I also bet manually documenting it for each version inside my kernel driver would not be advisable, even though that would technically fix my problem. So, does anyone know how I could validate my client's authenticity from inside a kernel driver?


There are 0 answers
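The question's two concerns, hashing the client image and knowing which process is on the other end of the IOCTL, come together in one design rule: verify the image once when the device is opened, bind that verdict to the opening process, and on every IOCTL check that the requestor is still that process (a handle can be duplicated or inherited into another process, so "whoever holds the handle" is not the same as "whoever was verified"). The following is an added example, not code from the question or from any real driver: it is a host-compilable model of that binding logic written in plain C. The kernel counterparts named in the comments (doing the bind in IRP_MJ_CREATE and storing it on the FILE_OBJECT, reading the requestor with IoGetRequestorProcess in IRP_MJ_DEVICE_CONTROL, hashing with the kernel-mode BCrypt API) are where this logic would live in a WDM driver but are not exercised here; the digests and process IDs are constructed sample values.

```c
/* Host-side model of the trust binding a kernel driver would apply to its
 * IOCTL client. Added example; not from the question or any real driver.
 * In a WDM driver the equivalent points are:
 *   - IRP_MJ_CREATE: verify the image, store the verdict and the opening
 *     process (e.g. in FileObject->FsContext2);
 *   - IRP_MJ_DEVICE_CONTROL: compare IoGetRequestorProcess(Irp) with the
 *     stored process before honouring the request.
 * The digest itself is assumed to be produced elsewhere (kernel-mode CNG
 * BCrypt* calls over the image file); here it is just a byte array. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define DIGEST_LEN 32  /* SHA-256 size; any fixed-length digest fits the model */

/* State the driver would keep per open handle (per FILE_OBJECT). */
typedef struct {
    uint64_t bound_pid;  /* process that opened the device */
    int      verified;   /* image digest matched at open time */
} client_session;

/* Constant-time comparison: memcmp returns at the first differing byte and
 * so leaks how much of the expected digest matched. */
static int digest_equal(const uint8_t *a, const uint8_t *b) {
    uint8_t diff = 0;
    for (size_t i = 0; i < DIGEST_LEN; i++) diff |= (uint8_t)(a[i] ^ b[i]);
    return diff == 0;
}

/* IRP_MJ_CREATE equivalent: bind the session to the opening process and to
 * the outcome of verifying its image. Returns 1 if the open is allowed. */
int session_open(client_session *s, uint64_t opener_pid,
                 const uint8_t *observed_digest, const uint8_t *expected_digest) {
    memset(s, 0, sizeof *s);
    if (!digest_equal(observed_digest, expected_digest)) {
        return 0;  /* fail closed: an unverified image never gets a session */
    }
    s->bound_pid = opener_pid;
    s->verified = 1;
    return 1;
}

/* IRP_MJ_DEVICE_CONTROL equivalent: the requestor must be the process that
 * opened the handle. A handle duplicated or inherited into another process
 * fails this check even though the handle itself is valid. */
int session_allows_ioctl(const client_session *s, uint64_t requestor_pid) {
    return s->verified && s->bound_pid == requestor_pid;
}

/* Constructed sample digests (not real hashes of any binary). */
static const uint8_t SAMPLE_EXPECTED[DIGEST_LEN] = { 0x11, 0x22, 0x33, 0x44 };
static const uint8_t SAMPLE_TAMPERED[DIGEST_LEN] = { 0x11, 0x22, 0x33, 0x45 };

/* Scenario 1: the verified opener issues the IOCTL itself -> allowed. */
int scenario_same_process(void) {
    client_session s;
    if (!session_open(&s, 4242, SAMPLE_EXPECTED, SAMPLE_EXPECTED)) return -1;
    return session_allows_ioctl(&s, 4242);
}

/* Scenario 2: the handle ended up in another process (hypothetical pid 1337)
 * and that process issues the IOCTL -> rejected. */
int scenario_duplicated_handle(void) {
    client_session s;
    if (!session_open(&s, 4242, SAMPLE_EXPECTED, SAMPLE_EXPECTED)) return -1;
    return session_allows_ioctl(&s, 1337);
}

/* Scenario 3: the image digest does not match -> the open itself fails and
 * no later IOCTL can succeed on that session. */
int scenario_tampered_image(void) {
    client_session s;
    int opened = session_open(&s, 4242, SAMPLE_TAMPERED, SAMPLE_EXPECTED);
    return opened ? -1 : session_allows_ioctl(&s, 4242);
}
```

The model deliberately has no "re-derive the caller from the current thread" path: once the opener is pinned at create time, later requests are judged against that record rather than against whatever context the request happens to be processed in, which is the gap the quoted PsGetCurrentProcessId snippet runs into.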