REMOTE IP FROM ECP

Hi All,

I am trying to get the IP address from the ECP with GUID “GUID_ECP_SRV_OPEN” in POST CREATE. When I get “SecurityImpersonation == Data->Iopb->Parameters.Create.SecurityContext->AccessState->SubjectSecurityContext.ImpersonationLevel” and the system process Id, I assume the file was accessed from SRV, then I go to check the ECP. I can get the IP address sometimes, but most of the time it fails with error code “STATUS_NOT_FOUND” from the function “FltFindExtraCreateParameter”.

I am only testing with SMB.

Does anyone know why I can’t get the IP address all the time?

Thanks
Ben

> I am trying to get the IP address from the ECP with GUID “GUID_ECP_SRV_OPEN”
> in POST CREATE,
>
> when I got “SecurityImpersonation ==
> Data->Iopb->Parameters.Create.SecurityContext->AccessState->SubjectSecurityContext.ImpersonationLevel”
> and system process Id, I assume the file was accessed from SRV

That’s a dangerous assumption. Anybody is allowed to impersonate. Also
last time I checked SRV didn’t always impersonate.

> then I go to check the ECP, I can get the ip address sometime, but most of
> the time it will fail with error
> code “STATUS_NOT_FOUND” with the function “FltFindExtraCreateParameter”.

Obvious question - if you break in that situation, is SRV on the stack?

> Anyone knows why I can’t get the ip address all the time?

Is this on the same machine? Anecdotally a registry setting is (used to
be?) needed

http://www.osronline.com/showThread.cfm?link=212938

Thanks Rod,

What is the best way to check if it is accessed from remote computer?

When it failed in the function “FltFindExtraCreateParameter”, SRV was on my stack as below.

I also set the registry key as you mentioned.

02 ffffae80af0e3830 fffff8031f86abcf MyFilter!PostCreate+0x128
03 ffffae80af0e3890 fffff8031f815cd4 FLTMGR!FltvPostOperation+0xaf
04 ffffae80af0e3920 fffff8031f815683 FLTMGR!FltpPerformPostCallbacks+0x2f4
05 ffffae80af0e39f0 fffff8031f81726a FLTMGR!FltpPassThroughCompletionWorker+0x73
06 ffffae80af0e3a60 fffff8031f84bbcd FLTMGR!FltpLegacyProcessingAfterPreCallbacksCompleted+0x1ba
07 ffffae80af0e3ad0 fffff80147f5c4aa FLTMGR!FltpCreate+0x2dd
08 ffffae80af0e3b80 fffff80148629d29 nt!IopfCallDriver+0x56
09 ffffae80af0e3bc0 fffff80147fd45b9 nt!IovCallDriver+0x275
0a ffffae80af0e3c00 fffff801482efbe3 nt!IofCallDriver+0x185859
0b ffffae80af0e3c40 fffff801483a0007 nt!IopParseDevice+0x773
0c ffffae80af0e3e10 fffff801482dc2ab nt!IopParseFile+0xc7
0d ffffae80af0e3e80 fffff801482edd1f nt!ObpLookupObjectName+0x73b
0e ffffae80af0e4060 fffff80148353805 nt!ObOpenObjectByNameEx+0x1df
0f ffffae80af0e41a0 fffff80148355c7a nt!IopCreateFile+0x3f5
10 ffffae80af0e4240 fffff8032270919c nt!IoCreateFile+0x8a
11 ffffae80af0e42d0 fffff8032270091a srv2!Smb2IsAccessAllowedEx+0xf8
12 ffffae80af0e43b0 fffff803226efafa srv2!Smb2CheckAbeError+0x112
13 ffffae80af0e4450 fffff803226dabbf srv2!Smb2CreateFile+0x1452a
14 ffffae80af0e4c90 fffff803226df58c srv2!Smb2ExecuteCreateReal+0x18f
15 ffffae80af0e4e00 fffff803226de1f6 srv2!Smb2ExecuteCreate+0x3c
16 ffffae80af0e4e40 fffff803226dda0a srv2!Smb2ExecuteProviderCallback+0x66
17 ffffae80af0e4ea0 fffff803226dcb88 srv2!Srv2CallProviders+0x9a
18 ffffae80af0e4ee0 fffff80147fa1167 srv2!RfspThreadPoolNodeWorkerProcessWorkItems+0x218

Hi Ben,

> What is the best way to check if it is accessed from remote computer?
> when it was failed with function “FltFindExtraCreateParameter”, the SRV
> is on my stack as below.

That’s exactly what I would do.

I don’t suppose there are any MSDevs listening right now?

I should note that I put a documentation comment into GitHub about the
registry setting being missed, at [1]

Rod

[1]
https://docs.microsoft.com/en-us/windows-hardware/drivers/ddi/content/ntifs/ns-ntifs-_srv_open_ecp_context
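As an added illustration of the approach Rod endorses above (check for the SRV ECP rather than inferring SRV from the impersonation level, which any caller can set), here is the user-mode half of what a post-create callback does once FltGetEcpListFromCallbackData and FltFindExtraCreateParameter with GUID_ECP_SRV_OPEN have actually returned a context: validate the context and turn its SocketAddress into a loggable string. This is example code written for this page, not code from the thread or from Microsoft; the SOCKADDR_STORAGE_NFS and SRV_OPEN_ECP_CONTEXT definitions are stand-ins mirroring the public header layout (in a driver, include ntifs.h and drop them), the byte offsets follow the sockaddr_in/sockaddr_in6 layouts, and the sample addresses are constructed. It handles the IPv4-mapped IPv6 form (::ffff:a.b.c.d), which is what a dual-stack listener typically reports for IPv4 clients, and it treats the context as server-supplied data: size, NULL pointer and family are checked before anything is formatted. It does not explain the STATUS_NOT_FOUND cases in the thread; those are opens where no SRV ECP was attached at all.

```c
#include <stdint.h>
#include <stdio.h>
#include <stddef.h>
#include <string.h>

/* Windows address-family values (assumption mirrored from ws2def.h; note AF_INET6 is 23 on Windows). */
#define WIN_AF_INET  2
#define WIN_AF_INET6 23

/* Stand-in for SOCKADDR_STORAGE_NFS: 128 bytes, family first, sockaddr payload after it. */
typedef struct {
    uint16_t ss_family;
    uint8_t  data[126];   /* bytes of sockaddr_in / sockaddr_in6 that follow the family field */
} SOCKADDR_STORAGE_NFS;

/* Stand-in for SRV_OPEN_ECP_CONTEXT, field order as on the docs page linked in the thread
 * (assumption: use the real ntifs.h definition in a driver). ShareName is a PUNICODE_STRING there. */
typedef struct {
    void                 *ShareName;
    SOCKADDR_STORAGE_NFS *SocketAddress;
    uint8_t               OplockBlockState;
    uint8_t               OplockAppState;
    uint8_t               OplockFinalState;
    uint16_t              Version;
    uint16_t              Flags;
} SRV_OPEN_ECP_CONTEXT;

enum {
    ECP_ADDR_OK             =  0,
    ECP_ADDR_BAD_CONTEXT    = -1,   /* NULL or undersized context, or output buffer too small */
    ECP_ADDR_NO_ADDRESS     = -2,   /* ECP present but SocketAddress is NULL */
    ECP_ADDR_UNKNOWN_FAMILY = -3
};

/* Offsets inside data[] (sockaddr layouts minus the 2-byte family). */
#define OFF_PORT    0   /* sin_port / sin6_port, network byte order */
#define OFF_V4_ADDR 2   /* sin_addr */
#define OFF_V6_ADDR 6   /* sin6_addr, after the 4-byte sin6_flowinfo */

/* Dotted quad for v4-mapped addresses, otherwise eight uncompressed hex groups. */
static int FormatIpv6(const uint8_t *a, char *out, size_t outLen)
{
    static const uint8_t v4mapped[12] = {0,0,0,0,0,0,0,0,0,0,0xff,0xff};
    if (memcmp(a, v4mapped, sizeof v4mapped) == 0) {
        snprintf(out, outLen, "%u.%u.%u.%u", a[12], a[13], a[14], a[15]);
        return ECP_ADDR_OK;
    }
    size_t used = 0;
    for (int i = 0; i < 16; i += 2) {
        int w = snprintf(out + used, outLen - used, "%s%x",
                         i ? ":" : "", (unsigned)((a[i] << 8) | a[i + 1]));
        if (w < 0 || (size_t)w >= outLen - used)
            return ECP_ADDR_BAD_CONTEXT;
        used += (size_t)w;
    }
    return ECP_ADDR_OK;
}

/* Render the client address carried in an SRV open ECP. ctxSize is the size
 * FltFindExtraCreateParameter reported; outLen must hold an IPv6 string (46). */
int SrvEcpFormatRemoteAddress(const SRV_OPEN_ECP_CONTEXT *ctx, size_t ctxSize,
                              char *out, size_t outLen, uint16_t *port)
{
    if (ctx == NULL || ctxSize < sizeof(*ctx) || out == NULL || outLen < 46)
        return ECP_ADDR_BAD_CONTEXT;
    if (ctx->SocketAddress == NULL)
        return ECP_ADDR_NO_ADDRESS;

    const SOCKADDR_STORAGE_NFS *ss = ctx->SocketAddress;
    if (port != NULL)
        *port = (uint16_t)((ss->data[OFF_PORT] << 8) | ss->data[OFF_PORT + 1]);

    switch (ss->ss_family) {
    case WIN_AF_INET: {
        const uint8_t *a = &ss->data[OFF_V4_ADDR];
        snprintf(out, outLen, "%u.%u.%u.%u", a[0], a[1], a[2], a[3]);
        return ECP_ADDR_OK;
    }
    case WIN_AF_INET6:
        return FormatIpv6(&ss->data[OFF_V6_ADDR], out, outLen);
    default:
        return ECP_ADDR_UNKNOWN_FAMILY;
    }
}

/* Build a storage block the way the server would (constructed test data only).
 * addr is 4 bytes for WIN_AF_INET or 16 for WIN_AF_INET6; port is host order. */
static void FillSampleAddress(SOCKADDR_STORAGE_NFS *ss, uint16_t family,
                              const uint8_t *addr, uint16_t port)
{
    memset(ss, 0, sizeof(*ss));
    ss->ss_family = family;
    ss->data[OFF_PORT]     = (uint8_t)(port >> 8);
    ss->data[OFF_PORT + 1] = (uint8_t)(port & 0xff);
    memcpy(&ss->data[family == WIN_AF_INET ? OFF_V4_ADDR : OFF_V6_ADDR],
           addr, family == WIN_AF_INET ? 4 : 16);
}

int main(void)
{
    /* Constructed sample: IPv4 client 192.0.2.10:49152 seen as a v4-mapped IPv6 address. */
    static const uint8_t mapped[16] = {0,0,0,0,0,0,0,0,0,0,0xff,0xff,192,0,2,10};
    SOCKADDR_STORAGE_NFS ss;
    SRV_OPEN_ECP_CONTEXT ctx;
    char text[64];
    uint16_t port = 0;

    FillSampleAddress(&ss, WIN_AF_INET6, mapped, 49152);
    memset(&ctx, 0, sizeof ctx);
    ctx.SocketAddress = &ss;
    if (SrvEcpFormatRemoteAddress(&ctx, sizeof ctx, text, sizeof text, &port) == ECP_ADDR_OK)
        printf("SMB open from %s port %u\n", text, port);
    return 0;
}
```

In the driver the decision is simply "ECP found or not": a create with a GUID_ECP_SRV_OPEN context came through SRV and the address above tells you from where, while a create without one gives you no origin information, whatever the impersonation level says.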