Hello FSD Forum,
Would anyone be able to perhaps shed some insight on this [hopefully] interesting question, please:
I am writing an FSD filter driver, and all is working fine.
I can detect remote access IRPs through a combination of techniques described elsewhere on this site (e.g. detecting the system process, token impersonation, etc.).
What I'm trying to find out is whether the machine name/IP address/NetBIOS name of the machine that initiated the request is stored anywhere (if it's a local access, it's a moot point really; this is only useful for remote accesses).
I have retrieved the (Client) Access Token from the IRP_MJ_CREATE message, but I can't see if/where the remote machine name/address details are stored.
I could enumerate LSA logon sessions up in user mode for the given LUID, but this is inefficient at best, and can potentially give incorrect results if the same user is logged on from multiple remote points.
Another somewhat 'heavyweight' technique would be to maintain my own logon session table using an SSPI or similar DLL.
Has anyone come across this issue and been able to find remote machine name/address details for IRP_MJ_CREATE requests initiated from a remote machine?