Com caller process

Scenario : out of proc com client calls into com server(we don’t own the server code), as a kernel driver(,we own the code) is it possible to find out the calling process? I know this is a bit of a generic problem description, but just trying to see if this can be done at all,?

The short answer is “no”. but I think you knew that. Even the COM server doesn’t necessarily know that. It’s just one endpoint of an RPC exchange.

Yes, I knew the short ans, but was hoping to get the long answer here I am sure someone has found a way…

If you’re not going to believe the answers, then I guess you shouldn’t ask the question. As I said, even the COM server itself would not have access to this information. The RPC layer uses a network port or a service to marshal data back and forth. That’s all hidden from the server, and the server even has access to symbols that you don’t.

Are you asking if it is possible for a kernel driver to somehow spy on an RPC exchange?

If so, the answer is surely yes. But I see no valid use for this kind of spying. Even if you are trying to fix some kind of security hole in software that you don’t control, you have no valid way to interact with that software that you don’t control. If you want help, i think you will have to explain more about what you are actually trying to achieve

@MBond2 said:
Are you asking if it is possible for a kernel driver to somehow spy on an RPC exchange?

If so, the answer is surely yes. But I see no valid use for this kind of spying. Even if you are trying to fix some kind of security hole in software that you don’t control, you have no valid way to interact with that software that you don’t control. If you want help, i think you will have to explain more about what you are actually trying to achieve

the requirements are just like I stated in the original post.
there are 3P client processes interacting with 3P COM servers, and some of those exchanges result in a call from the server into the kernel. We have a minifilter intercepting these calls. In general these are legitimate calls and we want to get out of the way ASAP, but in some cases, the client is a rogue app and the call it makes needs to be inspected. Since we have no way of knowing the legitimacy of this application before it uses the com server to make the call, we need a way to check if, from the server thread, in the kernel, we can back track to the client process, and inspect it.

If this is called ‘rpc spying’, then yes, I need a way to do that.

trying to see if this can be done at all

I don’t see how you could do this.

The interface mechanism between a COM client and server on the same machine is ALPC. Not only is this not documented, its implemented as its own set of system services. It’s not like there’s an ALPC driver for which you can write a filter.

So… As Mr. Roberts said, I think the answer is just “no.”

Peter

As I understand it, no this is not RPC spying. You have an RPC server that does not do adequate security of validation checks and proxies a call to your driver that causes a problem. And you want to fail or handle in some special way this ‘rogue’ call based on the ‘ultimate source’ of the call. The driver and driver stack are unspecified, but something that can be filtered with a minifilter right?

I still don’t understand the meaning of 3P in this context and which parts are running in KM vs UM and clearly not under which security contexts, but this is the best approximation I can devine from your description.

If I am wrong, please help me understand better your situation. If I am right, then you have a big problem. If you have a controlled system with a very exact knowledge of what can and will be running, than it will be possible to track down the information that you are looking for. but of course the fact of a controlled system almost precludes this ‘rogue’ process from existing. When I say controlled, think about the medical industry or traffic lights etc.

if you are trying to avoid a performance cost associated with checking every IRP for correctness, because you ‘know’ that only the ones that come from process X are malformed then my advice is to give up now. KM components need to do proper sanity checking on all data that they receive from UM regardless of whether it come from a ‘known good’ source or a ‘known bad’ source or otherwise. to any KM component, ALL UM components are untrustworthy at all times.

Are you asking if it is possible for a kernel driver to somehow spy on an RPC exchange?

IIRC, a call to COM server that runs on the same machine is done via so-called LPCs (i.e. local procedure calls), rather than RPC. Unlike RPC that runs over TCPIP transport (and, hence, is, indeed, perfectly visible to the kernel drivers), LPC run over the local port API. This API is totally undocumented (although Gary Nebbetts’s book provides some description of these calls), and is not exposed to the kernel drivers.

Therefore, unless you want to do something as outlandish as SSDT hooking, the fact of having an access to the kernel is not going to help you with this particular task in any possible way

Anton Bassov

The server can get the token of the client. That’s about as good as it gets.

1 Like