
How to get driver information from IRP

Cecilia_wll Member Posts: 11

Hi.
I wrote a minifilter to filter some operations on a folder. I want to pass the operations from my drivers and stop the operations from untrusted programs.
However, I can't get some information to determine if the IRP came from my drivers. I can get the process information. But when the operation came from a driver, the process's information can help me to determine where the IRP really came from.
Any guidance would be helpful. Thanks.

Comments

  • rod_widdowson Member - All Emails Posts: 1,072
    edited October 9

    If it’s a create use an ECP, otherwise there is no generic way. I’m assuming that internal ioctls don’t help? They are the canonical mechanism for driver to driver communication.

  • Cecilia_wll Member Posts: 11

    @rod_widdowson said:
    If it’s a create use an ECP, otherwise there is no generic way. I’m assuming that internal ioctls don’t help? They are the canonical mechanism for driver to driver operation.

    I think it's not about driver to driver operation. The situation is that my driver will do something to the folder which is protected by the minifilter. What I want the minifilter to do is allow the operation from my drivers.

  • rod_widdowson Member - All Emails Posts: 1,072

    I think we may have a terminology problem. When I say driver I mean a kernel component (as in "Minifilter Driver" or "Device Driver").
     
    Do you mean some user mode application?
     
    If so doesn't CallBackData->Thread (and thence PsGetThreadProcess) do what you want? You'll need a secure way of establishing the user process's information, but that's a given anyway.

  • Cecilia_wll Member Posts: 11

    @rod_widdowson said:
    I think we may have a terminology problem. When I say driver I mean a kernel component (as in "Minifilter Driver" or "Device Driver").
     
    Do you mean some user mode application?
     
    If so doesn't CallBackData->Thread (and thence PsGetThreadProcess) do what you want? You'll need a secure way of establishing the user process's information, but that's a given anyway.

    I also think driver means a kernel component.
    Sorry. Maybe my explanation is not accurate enough or I didn't understand you well. Let me describe in detail.

    I am writing a minifilter which will filter the operation on a folder I specified. I don't want people or untrusted program to read/write/delete the folder or something in the folder.
    But some of my drivers need to write text in the folder. And I need the minifilter to pass this type of operation.
    What I can't figure out is how I know the operation is from my drivers. Is there any information in the IRP that can help me judge?

  • Peter_Viscarola_(OSR) Administrator Posts: 7,443

    You plan to block the operation at CreateFile time, yes?

    Perhaps you can use the RequestorMode to determine if the Create is coming from user mode or kernel mode?

    Peter

    Peter Viscarola
    OSR
    @OSRDrivers

  • Cecilia_wll Member Posts: 11

    @Peter_Viscarola_(OSR) said:
    You plan to block the operation at CreateFile time, yes?

    Perhaps you can use the RequestorMode to determine if the Create is coming from user mode or kernel mode?

    Peter

    Actually, I plan to block all the operations, including Create/Read/Write/Delete, as long as the operation came from untrusted objects.
    But your suggestion gives me a good idea. I will try it. Thank you Peter.

    Based on the solution, there is another issue here. Someone who writes a driver can pass my minifilter, even though I didn't agree to his permissions.

  • rod_widdowson Member - All Emails Posts: 1,072

    In addition to what Peter says, if you own the create you use an ECP to say ‘it’s me’. After that because you know the file object you can set a flag on the StreamHandleContext.

    It’s when you are borrowing the file object that things get tricky, but if all your operations are on file objects your other drivers created it’s a lot easier...

  • rod_widdowson Member - All Emails Posts: 1,072

    Also have you thought about doing it with ACLs and making your driver(s) impersonate your service when they do the create? At that stage all the work is done for you.

  • Mauro_Leggieri Member Posts: 82

    Are you using ZwXXX APIs instead of FltXXX ones, or a NULL instance?

    I ask this because usually you make operations by calling the filters below you and your driver does not see these ops.

  • Cecilia_wll Member Posts: 11

    @Mauro_Leggieri said:
    Are you using ZwXXX APIs instead of FltXXX ones, or a NULL instance?

    Yes, I use ZwXXX in my drivers and the filter can catch the operation.

  • Cecilia_wll Member Posts: 11

    @rod_widdowson:
    Thank you for your response.
    I am a newcomer to writing drivers, so I can't understand all your words.
    Here are some of my questions and explanations.

    1.

    if you own the create you use an ECP to say ‘it’s me’.
    Also have you thought about doing it with ACLs...

    What are ECP and ACL? Does ACL mean 'anterior cruciate ligament'?

    2.

    If you own the create you use an ECP to say ‘it’s me’. After that because you know the file object you can set a flag on the StreamHandleContext.

    In that sentence, do you mean setting a tag on drivers or on the file?
    If on drivers, can I get the tag in the minifilter?
    If on file, it doesn't help me to determine where the ops come from, right?

    3.

    if all your operations are on file objects your other drivers created it’s a lot easier...

    The file objects are not all created by my drivers; some of them existed at the beginning.
    My driver will create some files and also needs to work with existing files.

    Thank you again.

  • rod_widdowson Member - All Emails Posts: 1,072

    An ACL is an Access Control List; see also this link.

    ECP is an Extra Create Parameter

    If on drivers, can I get the tag in the minifilter?
    If on file, it doesn't help me to determine where the ops come from, right?

    Neither. It's on the HANDLE, hence my comment:

    After that because you know the file object you can set a flag on the StreamHandleContext.

    The file objects are not all created by my drivers; some of them existed at the beginning.

    This is the most challenging case, but I suggest you start with some more background research before we go down this rabbit hole

    I am a newcomer to writing drivers

    I cannot recommend strongly enough that you tell your management that you need training. Writing Windows device drivers is very challenging. Writing file system filters takes that to another level. Our worthy list hosts do an excellent course.

  • Peter_Viscarola_(OSR) Administrator Posts: 7,443

    ACL means 'anterior cruciate ligament'

    Yes. Definitely.

    http://letmegooglethat.com/?q=ACL+Windows

    P

    Peter Viscarola
    OSR
    @OSRDrivers

  • Cecilia_wll Member Posts: 11

    Thank you Peter. Thank you Rod. Thank you for your suggestion and sharing.

    I will take Peter's advice to use RequestorMode and pass all the ops from kernel mode.
    I will also learn the methods you tell me. Hope I can master it in the future.

  • Mauro_Leggieri Member Posts: 82

    @Cecilia_wll said:

    @Mauro_Leggieri said:
    Are you using ZwXXX APIs instead of FltXXX ones, or a NULL instance?

    Yes, I use ZwXXX in my drivers and the filter can catch the operation.

    Then I recommend switching to FltXXX unless you need to send requests to the top. In that case add the ECPs to identify your own calls.
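Putting Peter's RequestorMode suggestion and Rod's ECP/StreamHandleContext suggestion side by side, here is an added example that is not code from this thread, from OSR or from any of the posters. It is a host-compilable C model of the decision a PreCreate callback would make, so the two policies can be compared on ordinary inputs; the FltMgr calls each piece stands in for (Data->RequestorMode, FltGetEcpListFromCallbackData / FltFindExtraCreateParameter, FltIsEcpFromUserMode, FltSetStreamHandleContext) are named in the comments. The structs, the ECP GUID, the nonce value and every function name are constructed for illustration and are not kernel types or APIs. The model only covers handles whose create the filter saw, which is the easy case Rod describes; an ECP on an already-open file object that another component created is the hard case and is not modelled.

```c
/* Host-compilable model of two ways a minifilter can decide whether a create
 * on a protected folder comes from a cooperating driver:
 *   policy A: Data->RequestorMode == KernelMode (Peter's suggestion), and
 *   policy B: a private Extra Create Parameter attached by the cooperating
 *             driver (Rod's and Mauro's suggestion), with the verdict cached
 *             in a per-handle context so later read/write/set-info on the
 *             same handle can be gated without re-examining anything.
 * The structs are constructed stand-ins; the real data comes from FltMgr. */
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

typedef enum { MODE_USER = 0, MODE_KERNEL = 1 } RequestorMode; /* KPROCESSOR_MODE stand-in */

/* Constructed ECP type GUID; a real driver generates its own with uuidgen. */
typedef struct { uint8_t b[16]; } Guid;
static const Guid TRUSTED_WRITER_ECP_GUID =
    {{0x4f,0x13,0xa2,0x90,0x7c,0x5e,0x4d,0x11,0x9a,0x0b,0x00,0x11,0x22,0x33,0x44,0x55}};

/* One ECP as a kernel driver inserts it with FltAllocateExtraCreateParameter +
 * FltInsertExtraCreateParameter before FltCreateFileEx2 / ZwCreateFile. */
typedef struct {
    Guid     type;
    bool     fromUserMode;  /* what FltIsEcpFromUserMode() would report */
    uint32_t nonce;         /* ECP payload; a constructed agreed value */
} Ecp;

#define MAX_ECPS 8
typedef struct { Ecp items[MAX_ECPS]; size_t count; } EcpList;

/* The PreCreate callback data reduced to the two fields used here. */
typedef struct {
    RequestorMode  requestorMode; /* Data->RequestorMode */
    const EcpList *ecpList;       /* FltGetEcpListFromCallbackData() result, or NULL */
} CreateCallbackData;

/* Per-handle state that would be stored with FltSetStreamHandleContext(). */
typedef struct { bool trusted; } StreamHandleContext;

/* Policy A: RequestorMode alone.  Every kernel-mode caller passes, which is
 * exactly the gap the original poster noticed. */
bool allow_by_requestor_mode(const CreateCallbackData *d) {
    return d->requestorMode == MODE_KERNEL;
}

/* Linear search standing in for FltFindExtraCreateParameter(). */
static const Ecp *find_trusted_ecp(const EcpList *list) {
    if (list == NULL) return NULL;
    for (size_t i = 0; i < list->count; i++) {
        if (memcmp(&list->items[i].type, &TRUSTED_WRITER_ECP_GUID, sizeof(Guid)) == 0)
            return &list->items[i];
    }
    return NULL;
}

/* Constructed payload value the cooperating drivers agree on.  Other kernel
 * code can read it, so this separates deliberate cooperating callers from
 * everyone else; it is not a secret against kernel-mode code, which is why
 * Rod says there is no generic way. */
#define EXPECTED_NONCE 0xC0FFEE01u

/* Policy B: still require kernel mode, then require our ECP, reject an ECP
 * that reached us from user mode, and check the payload.  On success the
 * handle's context is marked trusted. */
bool precreate_allow_by_ecp(const CreateCallbackData *d, StreamHandleContext *ctx) {
    ctx->trusted = false;
    if (d->requestorMode != MODE_KERNEL) return false;
    const Ecp *e = find_trusted_ecp(d->ecpList);
    if (e == NULL || e->fromUserMode || e->nonce != EXPECTED_NONCE) return false;
    ctx->trusted = true;
    return true;
}

/* Pre-read/write/set-info on an already-open handle: consult the context only. */
bool preoperation_allow(const StreamHandleContext *ctx) {
    return ctx != NULL && ctx->trusted;
}

/* Builds a constructed ECP list for a caller, with or without our ECP. */
EcpList make_ecp_list(bool withTrustedEcp, bool fromUserMode, uint32_t nonce) {
    EcpList l;
    l.count = 0;
    if (withTrustedEcp) {
        l.items[0].type = TRUSTED_WRITER_ECP_GUID;
        l.items[0].fromUserMode = fromUserMode;
        l.items[0].nonce = nonce;
        l.count = 1;
    }
    return l;
}
```

The point the model makes explicit is that policy A answers "is the caller in kernel mode?", while policy B answers "is the caller one of mine?"; only the second survives a third-party driver issuing the same ZwCreateFile. Note also that if the cooperating drivers open the file with FltCreateFile on the filter's own instance instead of ZwCreateFile, the request enters the stack below the minifilter and neither policy ever sees it, which is Mauro's point.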
