
REMOTE IP FROM ECP

ben_tsang Posts: 52
Hi All,

I am trying to get the IP address from the ECP with GUID "GUID_ECP_SRV_OPEN" in POST CREATE. When I get "SecurityImpersonation == Data->Iopb->Parameters.Create.SecurityContext->AccessState->SubjectSecurityContext.ImpersonationLevel" and the system process ID, I assume the file was accessed from SRV, then I go to check the ECP. I can get the IP address sometimes, but most of the time it fails with error code "STATUS_NOT_FOUND" from the function "FltFindExtraCreateParameter".

I am only testing with SMB.

Does anyone know why I can't get the IP address all the time?

Thanks
Ben

Comments

  • rod_widdowson Posts: 941
    > I am trying to get the IP address from the ECP with GUID "GUID_ECP_SRV_OPEN"
    > in POST CREATE,

    > when I got "SecurityImpersonation ==
    > Data->Iopb->Parameters.Create.SecurityContext->AccessState->SubjectSecurityContext.ImpersonationLevel"
    > and system process Id, I assume the file was accessed from SRV

    That's a dangerous assumption. Anybody is allowed to impersonate. Also
    last time I checked SRV didn't always impersonate.

    > then I go to check the ECP, I can get the ip address sometime, but most of
    > the time it will fail with error
    > code "STATUS_NOT_FOUND" with the function "FltFindExtraCreateParameter".

    Obvious question - if you break in that situation, is SRV on the stack?

    > Anyone knows why I can't get the ip address all the time?

    Is this on the same machine? Anecdotally a registry setting is (used to
    be?) needed

    http://www.osronline.com/showThread.cfm?link=212938
  • ben_tsang Posts: 52
    Thanks Rod,

    What is the best way to check if it is accessed from remote computer?

    When it fails in the function "FltFindExtraCreateParameter", SRV is on my stack as below.

    I also set the registry key as you mentioned.

    02 ffffae80`af0e3830 fffff803`1f86abcf MyFilter!PostCreate+0x128
    03 ffffae80`af0e3890 fffff803`1f815cd4 FLTMGR!FltvPostOperation+0xaf
    04 ffffae80`af0e3920 fffff803`1f815683 FLTMGR!FltpPerformPostCallbacks+0x2f4
    05 ffffae80`af0e39f0 fffff803`1f81726a FLTMGR!FltpPassThroughCompletionWorker+0x73
    06 ffffae80`af0e3a60 fffff803`1f84bbcd FLTMGR!FltpLegacyProcessingAfterPreCallbacksCompleted+0x1ba
    07 ffffae80`af0e3ad0 fffff801`47f5c4aa FLTMGR!FltpCreate+0x2dd
    08 ffffae80`af0e3b80 fffff801`48629d29 nt!IopfCallDriver+0x56
    09 ffffae80`af0e3bc0 fffff801`47fd45b9 nt!IovCallDriver+0x275
    0a ffffae80`af0e3c00 fffff801`482efbe3 nt!IofCallDriver+0x185859
    0b ffffae80`af0e3c40 fffff801`483a0007 nt!IopParseDevice+0x773
    0c ffffae80`af0e3e10 fffff801`482dc2ab nt!IopParseFile+0xc7
    0d ffffae80`af0e3e80 fffff801`482edd1f nt!ObpLookupObjectName+0x73b
    0e ffffae80`af0e4060 fffff801`48353805 nt!ObOpenObjectByNameEx+0x1df
    0f ffffae80`af0e41a0 fffff801`48355c7a nt!IopCreateFile+0x3f5
    10 ffffae80`af0e4240 fffff803`2270919c nt!IoCreateFile+0x8a
    11 ffffae80`af0e42d0 fffff803`2270091a srv2!Smb2IsAccessAllowedEx+0xf8
    12 ffffae80`af0e43b0 fffff803`226efafa srv2!Smb2CheckAbeError+0x112
    13 ffffae80`af0e4450 fffff803`226dabbf srv2!Smb2CreateFile+0x1452a
    14 ffffae80`af0e4c90 fffff803`226df58c srv2!Smb2ExecuteCreateReal+0x18f
    15 ffffae80`af0e4e00 fffff803`226de1f6 srv2!Smb2ExecuteCreate+0x3c
    16 ffffae80`af0e4e40 fffff803`226dda0a srv2!Smb2ExecuteProviderCallback+0x66
    17 ffffae80`af0e4ea0 fffff803`226dcb88 srv2!Srv2CallProviders+0x9a
    18 ffffae80`af0e4ee0 fffff801`47fa1167 srv2!RfspThreadPoolNodeWorkerProcessWorkItems+0x218
  • rod_widdowson Posts: 941
    Hi Ben,

    > What is the best way to check if it is accessed from remote computer?
    > when it was failed with function "FltFindExtraCreateParameter", the SRV
    > is on my stack as below.

    That's exactly what I would do.

    I don't suppose there are any MSDevs listening right now?

    I should note that I put a documentation comment into GitHub about the
    registry setting being missed, at [1]

    Rod

    [1]
    https://docs.microsoft.com/en-us/windows-hardware/drivers/ddi/content/ntifs/ns-ntifs-_srv_open_ecp_context
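The thread settles on "check for the SRV open ECP rather than trusting the impersonation level" as the way to tell a remote SMB access from a local one, but never shows what to do with the address once the lookup succeeds. The following is an added example, not code from either poster: in the filter you would call FltGetEcpListFromCallbackData, then FltFindExtraCreateParameter with GUID_ECP_SRV_OPEN, treat STATUS_NOT_FOUND as "no SRV context on this create" rather than as an error, and optionally reject the context with FltIsEcpFromUserMode before reading SRV_OPEN_ECP_CONTEXT.SocketAddress. That member points at a SOCKADDR_STORAGE, so the decode step is shown here in user-mode C on the POSIX sockaddr types of the same shape, with inet_ntop standing in for RtlIpv4AddressToStringEx/RtlIpv6AddressToStringEx. The sample peers are constructed, and the handling of IPv4-mapped IPv6 peers (::ffff:a.b.c.d from a dual-stack listener) is an assumption about how addresses may be represented, not something the thread states.

```c
/* Added example (not from the thread): decode the client address that SRV attaches
 * to a create via the GUID_ECP_SRV_OPEN extra create parameter. In a driver the
 * buffer comes from SRV_OPEN_ECP_CONTEXT.SocketAddress (a SOCKADDR_STORAGE); here the
 * POSIX equivalent is used so the logic compiles and runs outside a driver. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <arpa/inet.h>
#include <netinet/in.h>
#include <sys/socket.h>

typedef enum {
    CLIENT_UNKNOWN = 0, /* no SRV ECP on the create (STATUS_NOT_FOUND) or unsupported family */
    CLIENT_LOOPBACK,    /* SMB over loopback: same machine, so not a remote access */
    CLIENT_REMOTE       /* a peer elsewhere on the network */
} client_origin_t;

/* Classify the socket address and write its printable form into out. IPv4 peers of a
 * dual-stack listener may arrive as IPv4-mapped IPv6 (::ffff:a.b.c.d); those are
 * unwrapped so logs and allow-lists see a plain IPv4 address (assumption, see lead-in). */
client_origin_t classify_client(const struct sockaddr_storage *ss, char *out, size_t outlen, unsigned *port)
{
    *port = 0;
    out[0] = '\0';
    if (ss == NULL) return CLIENT_UNKNOWN; /* caller saw STATUS_NOT_FOUND: no SRV context */

    if (ss->ss_family == AF_INET) {
        const struct sockaddr_in *sin = (const struct sockaddr_in *)ss;
        *port = ntohs(sin->sin_port);
        inet_ntop(AF_INET, &sin->sin_addr, out, outlen);
        return (ntohl(sin->sin_addr.s_addr) >> 24) == 127 ? CLIENT_LOOPBACK : CLIENT_REMOTE;
    }
    if (ss->ss_family == AF_INET6) {
        const struct sockaddr_in6 *sin6 = (const struct sockaddr_in6 *)ss;
        *port = ntohs(sin6->sin6_port);
        if (IN6_IS_ADDR_V4MAPPED(&sin6->sin6_addr)) {
            struct in_addr v4;
            memcpy(&v4, sin6->sin6_addr.s6_addr + 12, sizeof v4); /* last 4 bytes hold the IPv4 */
            inet_ntop(AF_INET, &v4, out, outlen);
            return (ntohl(v4.s_addr) >> 24) == 127 ? CLIENT_LOOPBACK : CLIENT_REMOTE;
        }
        inet_ntop(AF_INET6, &sin6->sin6_addr, out, outlen);
        return IN6_IS_ADDR_LOOPBACK(&sin6->sin6_addr) ? CLIENT_LOOPBACK : CLIENT_REMOTE;
    }
    return CLIENT_UNKNOWN;
}

/* Build a constructed sockaddr from text, standing in for what the ECP would carry. */
bool parse_sockaddr(const char *text, unsigned port, struct sockaddr_storage *ss)
{
    memset(ss, 0, sizeof *ss);
    if (strchr(text, ':') != NULL) {
        struct sockaddr_in6 *sin6 = (struct sockaddr_in6 *)ss;
        sin6->sin6_family = AF_INET6;
        sin6->sin6_port = htons((uint16_t)port);
        return inet_pton(AF_INET6, text, &sin6->sin6_addr) == 1;
    }
    struct sockaddr_in *sin = (struct sockaddr_in *)ss;
    sin->sin_family = AF_INET;
    sin->sin_port = htons((uint16_t)port);
    return inet_pton(AF_INET, text, &sin->sin_addr) == 1;
}

/* Convenience wrappers: classify a textual peer, or check its normalized form. */
client_origin_t origin_of(const char *text)
{
    struct sockaddr_storage ss;
    char buf[INET6_ADDRSTRLEN];
    unsigned port;
    if (!parse_sockaddr(text, 49152, &ss)) return CLIENT_UNKNOWN;
    return classify_client(&ss, buf, sizeof buf, &port);
}

bool normalizes_to(const char *text, const char *expected)
{
    struct sockaddr_storage ss;
    char buf[INET6_ADDRSTRLEN];
    unsigned port;
    if (!parse_sockaddr(text, 49152, &ss)) return false;
    classify_client(&ss, buf, sizeof buf, &port);
    return strcmp(buf, expected) == 0;
}

/* Models the FltFindExtraCreateParameter == STATUS_NOT_FOUND path: no address to decode. */
client_origin_t origin_without_srv_ecp(void)
{
    char buf[INET6_ADDRSTRLEN];
    unsigned port;
    return classify_client(NULL, buf, sizeof buf, &port);
}

int main(void)
{
    /* Constructed sample peers with a constructed ephemeral source port. */
    const char *samples[] = { "192.168.1.10", "127.0.0.1", "::ffff:10.0.0.5", "::1", "fe80::1" };
    static const char *names[] = { "unknown", "loopback", "remote" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        struct sockaddr_storage ss;
        char buf[INET6_ADDRSTRLEN];
        unsigned port;
        parse_sockaddr(samples[i], 49152, &ss);
        client_origin_t o = classify_client(&ss, buf, sizeof buf, &port);
        printf("%-18s -> %s:%u (%s)\n", samples[i], buf, port, names[o]);
    }
    printf("no SRV ECP         -> %s\n", names[origin_without_srv_ecp()]);
    return 0;
}
```

The classification deliberately distinguishes "no SRV ECP" from "loopback" and "remote": Rod's point is that a create arriving with SecurityImpersonation and a System PID is not proof of SRV, so a filter that logs or gates on client origin should treat the absent ECP as unknown rather than as local, and should never treat the impersonation level alone as evidence of a remote access.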