
check authenticity of the process from file system mini filter driver

vidhya Member - All Emails Posts: 102
I am using the IoThreadToProcess call along with other calls like
typedef PCHAR (*GET_PROCESS_IMAGE_NAME) (PEPROCESS Process);
GET_PROCESS_IMAGE_NAME gGetProcessImageFileName;

to get the process name from my file system minifilter driver.
I do this to allow access only to my process and to block other unknown processes. I am checking the process name for that.
If somebody changes the name of their process to my product's service name, then they will be able to access my files. So now I want to check the authenticity of the process from my minifilter driver. Is there a way I can know the authenticity of the process from my file system minifilter driver,
like checking its properties, or how should I go about this?
Any help would be very useful.

vidhya

Comments

  • Shaarang_Tyagi Member - All Emails Posts: 13
    You can read the legitimate process image (e.g. the contents of the .exe file)
    from the disk, calculate a SHA-256 hash and store it somewhere.
    And then every time you want to allow/disallow a process, do the same and
    match the hash with the stored one; if it matches then it should be
    allowed, otherwise disallowed.

    On Mon, Mar 5, 2018 at 11:13 AM, xxxxx@yahoo.co.in <
    xxxxx@lists.osr.com> wrote:

    > I am using the IoThreadToProcess call along with other calls like
    > typedef PCHAR (*GET_PROCESS_IMAGE_NAME) (PEPROCESS Process);
    > GET_PROCESS_IMAGE_NAME gGetProcessImageFileName;
    >
    > to get the process name from my file system minifilter driver.
    > I do this to allow access only to my process and to block other unknown
    > processes. I am checking the process name for that.
    > If somebody changes the name of their process to my product's service
    > name, then they will be able to access my files. So now I want to check the
    > authenticity of the process from my minifilter driver. Is there a way I
    > can know the authenticity of the process from my file system minifilter
    > driver,
    > like checking its properties, or how should I go about this?
    > Any help would be very useful.
    >
    > vidhya
    >
  • Juan_Antonio_Barrigas Member - All Emails Posts: 18
    Calculating the SHA-256 for every operation to check who is performing it is not an option. Anyway, process hollowing techniques could be used to fool your driver.

    I think a better option is to use FltCreateCommunicationPort in the driver and then connect to that port from your user-mode service. You would force just one connection at a time. When your user-mode service connects, the driver saves the connected process's pid and then you can check that value in any minifilter callback without performance loss.
  • vidhya Member - All Emails Posts: 102
    Thanks Shaarang and Antonio for the inputs.

    Hi Antonio,

    Regarding FltCreateCommunicationPort, I currently have a port opened in my driver and it is connected to one user-mode service. I have forced the maximum number of connections to 1 at a time. But I have to allow access to my files from a few of my product's services, not a single service.
    At least 4 to 5 processes have to access my files. All the rest I should block.

    If my understanding is correct, once I connect to the driver from the user-mode service using FilterConnectCommunicationPort, I can pass all my product's process IDs through the port. So the driver will understand that it has got these process IDs from a legitimate process.
    Once I receive all the process IDs, I can check the value in all my minifilter callbacks.

    Is my understanding correct?
  • Juan_Antonio_Barrigas Member - All Emails Posts: 18
    Yes, I think this is a way to go. Still, some illegitimate process could try to inject code into your services, but this is a larger topic, something you might want to worry about progressively. Having your services run as protected processes is probably the best option, but it is something I haven't tried myself and I think you need to have an ELAM driver, have all your binaries properly signed, etc...
  • vidhya Member - All Emails Posts: 102
    > I think this is a way to go. Still, some illegitimate process could try to
    > inject code into your services, but this is a larger topic, something you might
    > want to worry about progressively.

    Is this what you were talking about when you mentioned process hollowing? Even if I go with the FltCreateCommunicationPort approach, I guess hackers can fool my driver with the process hollowing technique. Am I right in my understanding?

    Why should I have an ELAM driver? Could you please elaborate on that?

    My guess is that first I can target having the services which access the files protected by checking the process ID, and then I can build on it progressively as suggested.
  • vidhya Member - All Emails Posts: 102
    Thanks for the link... I am going through it.

    Vidhya
  • vidhya Member - All Emails Posts: 102
    Just a doubt.
    Address space layout randomization... I have enabled this in all my projects.
    Won't this help against process hollowing?
  • Alex_Crane Member Posts: 8
    Similar to message #3, I would suggest the user-mode service pass a list of accepted PIDs down to your minifilter (FilterSendMessage) and you compare the PIDs - anything else is far too slow. The user-mode service can conduct process authenticity checks in userland, which should be much easier - you can do something involving SHA hashes, or perhaps binary signing.

    If you really must do it driver only, look into https://docs.microsoft.com/en-us/windows-hardware/drivers/ddi/content/ntddk/nf-ntddk-pssetcreateprocessnotifyroutineex though be careful as PCREATE_PROCESS_NOTIFY_ROUTINE_EX is limited to safe calls. On process start determine if it's one of your processes, and then whitelist the PID.
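An added example, not code from the thread or from any of the posters, of the PID allow-list that the FltCreateCommunicationPort and FilterSendMessage suggestions above describe: the driver records the connected service, accepts a PID list only from that service after validating the user-mode buffer, answers the per-operation check with a cheap lookup, and drops a PID when its process exits so a recycled PID does not inherit the access. It is written as portable C that compiles in user mode; the comments say which minifilter callback each function belongs in. Assumed: the message body is a uint32_t count followed by that many uint32_t PIDs, PIDs are modelled as uint32_t rather than HANDLE, and the lock a real driver would need around the table is omitted.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define MAX_TRUSTED_PIDS 8            /* "4 to 5 processes", with headroom */

typedef struct {
    uint32_t servicePid;              /* saved in the port's ConnectNotify */
    uint32_t count;
    uint32_t pids[MAX_TRUSTED_PIDS];
} TRUSTED_PIDS;

/* ConnectNotify: remember who connected; a fresh connection starts empty. */
void TrustedPidsOnConnect(TRUSTED_PIDS *t, uint32_t servicePid)
{
    memset(t, 0, sizeof *t);
    t->servicePid = servicePid;
}

/* DisconnectNotify: the service is gone, so nothing stays trusted. */
void TrustedPidsOnDisconnect(TRUSTED_PIDS *t) { memset(t, 0, sizeof *t); }

/* MessageNotify: body is a uint32_t count followed by count PIDs (assumed
 * layout). The buffer came from user mode, so its length is checked before
 * anything is read, and only the connected service may replace the list.
 * Returns 0 on success, -1 if the message is rejected. */
int TrustedPidsUpdate(TRUSTED_PIDS *t, uint32_t senderPid,
                      const void *buf, size_t len)
{
    uint32_t n;
    if (senderPid != t->servicePid || buf == NULL || len < sizeof n)
        return -1;
    memcpy(&n, buf, sizeof n);
    if (n == 0 || n > MAX_TRUSTED_PIDS || len < sizeof n * (1 + (size_t)n))
        return -1;
    memcpy(t->pids, (const uint8_t *)buf + sizeof n, sizeof n * n);
    t->count = n;
    return 0;
}

/* Pre-operation callback: constant-size lookup on the requesting PID
 * (a driver would pass the value of PsGetCurrentProcessId here). */
int TrustedPidIsAllowed(const TRUSTED_PIDS *t, uint32_t pid)
{
    for (uint32_t i = 0; i < t->count; i++)
        if (t->pids[i] == pid) return 1;
    return 0;
}

/* Process-exit notification (PsSetCreateProcessNotifyRoutineEx, Create ==
 * FALSE): Windows reuses PIDs, so a dead process's PID must leave the list. */
void TrustedPidsOnProcessExit(TRUSTED_PIDS *t, uint32_t pid)
{
    for (uint32_t i = 0; i < t->count; i++)
        if (t->pids[i] == pid) { t->pids[i] = t->pids[--t->count]; return; }
}
```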