How to detect user sid from WFP sampler code while blocking traffic on system.

Hello,

I have a filter driver based on the Windows Filtering Platform (WFPSampler) which blocks the network traffic for all the processes on the system. But I want to block traffic only for those processes which belong to some local users. For this I want to get the SID of every process passing through my filter driver. So I want to ask how to get the user SID in the callout function in the driver. Can I get this SID through the FWPS_INCOMING_METADATA_VALUES structure, or is there some other way to get it? I also used ZwQueryInformationToken() to get the SID, but it fails every time.

Reply as soon as possible.

Thank you.

I believe it depends on what layer you are on at the moment. If you are in a flow established layer or similar then you could use FWPS_FIELD_ALE_FLOW_ESTABLISHED_V4_ALE_USER_ID to check if there is any data in the FWPS_INCOMING_VALUES pointer, something like this:
PTOKEN_ACCESS_INFORMATION tokenAccessInformation = NULL;
/* ALE_USER_ID arrives as an FWP_BYTE_BLOB whose data is a TOKEN_ACCESS_INFORMATION; check the type before trusting the union member */
if (inFixedValues->incomingValue[FWPS_FIELD_ALE_FLOW_ESTABLISHED_V4_ALE_USER_ID].value.type == FWP_TOKEN_ACCESS_INFORMATION_TYPE &&
    inFixedValues->incomingValue[FWPS_FIELD_ALE_FLOW_ESTABLISHED_V4_ALE_USER_ID].value.tokenAccessInformation)
{
    tokenAccessInformation = (PTOKEN_ACCESS_INFORMATION)
        inFixedValues->incomingValue[FWPS_FIELD_ALE_FLOW_ESTABLISHED_V4_ALE_USER_ID].value.tokenAccessInformation->data;
}

Then you have a pointer to a TOKEN_ACCESS_INFORMATION structure from which you can extract the SID, something like:
PSID LocalUserId = NULL;
/* SidAttr[0] is the first SID of the token (the user); the remaining SidCount-1 entries are its groups */
if (tokenAccessInformation && tokenAccessInformation->SidHash)
{
    if (tokenAccessInformation->SidHash->SidCount > 0 && tokenAccessInformation->SidHash->SidAttr)
    {
        LocalUserId = tokenAccessInformation->SidHash->SidAttr[0].Sid;
    }
}
There is also a field in the metadata pointer:
token: A handle for the token used to validate the permissions for the user. This member contains valid data only if the FWPS_METADATA_FIELD_TOKEN flag is set in the currentMetadataValues member.
You could, I guess, extract it from there as well.
Again, it all depends on when this happens, so you have to read more documentation on where you are in the connection lifetime when you want to extract this information, because it is not available all the time.

Regards,
Gabriel Bercea
Windows Driver Consulting Services
www.kasardia.com
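To show what a callout does with the user SID once it has the TOKEN_ACCESS_INFORMATION pointer described above, here is an added example that is not from the thread or from WFPSampler: it takes the first SidHash entry as the user SID, compares it against a block list with the same rule RtlEqualSid applies, and returns the block/permit decision. The Windows structures are constructed minimal stand-ins with the same layout as the SDK definitions so the logic compiles in user mode; the two account SIDs are constructed sample values.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* Constructed stand-ins laid out like the winnt.h/ntifs.h types so this compiles outside the
 * WDK; a real callout includes <fwpsk.h> and uses the SDK definitions and RtlEqualSid. */
typedef struct { uint8_t Value[6]; } SID_IDENTIFIER_AUTHORITY;
typedef struct {
    uint8_t Revision, SubAuthorityCount; SID_IDENTIFIER_AUTHORITY IdentifierAuthority;
    uint32_t SubAuthority[];            /* SubAuthorityCount entries; ANYSIZE_ARRAY in winnt.h */
} SID, *PSID;
typedef struct { PSID Sid; uint32_t Attributes; } SID_AND_ATTRIBUTES, *PSID_AND_ATTRIBUTES;
typedef struct { uint32_t SidCount; PSID_AND_ATTRIBUTES SidAttr; } SID_AND_ATTRIBUTES_HASH;
typedef struct { SID_AND_ATTRIBUTES_HASH *SidHash; } TOKEN_ACCESS_INFORMATION; /* first member */
/* Same rule as RtlEqualSid: revision, authority and every sub-authority must match. */
int SidEqual(const SID *a, const SID *b)
{
    if (!a || !b || a->Revision != b->Revision || a->SubAuthorityCount != b->SubAuthorityCount)
        return 0;
    return memcmp(a->IdentifierAuthority.Value, b->IdentifierAuthority.Value, 6) == 0 &&
           memcmp(a->SubAuthority, b->SubAuthority, a->SubAuthorityCount * sizeof(uint32_t)) == 0;
}
/* The token's user SID is entry 0 of SidHash; NULL when the blob carries no SIDs at all. */
PSID UserSidFromTokenAccessInfo(const TOKEN_ACCESS_INFORMATION *tai)
{
    if (!tai || !tai->SidHash || tai->SidHash->SidCount == 0 || !tai->SidHash->SidAttr)
        return NULL;
    return tai->SidHash->SidAttr[0].Sid;
}
/* 1 if the flow's user is on the block list, else 0. A missing SID also yields 0, so the
 * callout must decide separately what to do when the layer gave it no user identity. */
int ShouldBlockForUser(const TOKEN_ACCESS_INFORMATION *tai, PSID *blockList, size_t count)
{
    PSID user = UserSidFromTokenAccessInfo(tai);
    for (size_t i = 0; user && i < count; i++)
        if (SidEqual(user, blockList[i])) return 1;
    return 0;
}
/* Constructed local accounts S-1-5-21-1000-2000-3000-1001 (userA) and ...-1002 (userB). */
typedef struct { uint8_t Rev, Cnt; SID_IDENTIFIER_AUTHORITY Auth; uint32_t Sub[5]; } SID5;
static SID5 userA = { 1, 5, {{0, 0, 0, 0, 0, 5}}, {21, 1000, 2000, 3000, 1001} };
static SID5 userB = { 1, 5, {{0, 0, 0, 0, 0, 5}}, {21, 1000, 2000, 3000, 1002} };
/* Demo: a token whose user SID is tokenUser, checked against a block list holding only userB. */
int DemoBlockDecision(PSID tokenUser)
{
    SID_AND_ATTRIBUTES sids[1] = { { tokenUser, 0 } };
    SID_AND_ATTRIBUTES_HASH hash = { 1, sids };
    TOKEN_ACCESS_INFORMATION tai = { &hash };
    PSID blockList[1] = { (PSID)&userB };
    return ShouldBlockForUser(&tai, blockList, 1);
}
```

In the real classifyFn the result maps to FWP_ACTION_BLOCK or FWP_ACTION_PERMIT in classifyOut->actionType, and the user SID is only present at the ALE layers where the field is defined.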

This type of information is only available at the stream layer; below this layer, the information is lost. At this layer you can retrieve what you need from the FWPS_INCOMING_METADATA_VALUES of your data indication callback.

Pete


Kernel Drivers
Windows File System and Device Driver Consulting
www.KernelDrivers.com
866.263.9295

------ Original Message ------
From: xxxxx@dataresolve.com
To: “Windows File Systems Devs Interest List”
Sent: 4/13/2016 11:19:17 PM
Subject: [ntfsd] How to detect user sid from WFP sampler code while blocking traffic on system.
