Handles are always problematic - you have to find the corresponding file
object and map it to the correct internal state, unfortunately, and then
determine how to handle it based upon the provided information. That’s
going to depend upon the IOCTL and how you choose to implement it (first
implementation: just say no…)
Testing the name in EPROCESS is not sufficient. For example, there are
KNOWN hoax services called svchost.exe that ALREADY EXIST today,
precisely for the purpose of spoofing the OS. You need to know the path
to the binary as well as the name. Plus, spoofing such information is
not so hard because once I install your program I know the name of your
service. If I really want to compromise your driver, that’s where I’ll
be focusing my efforts (especially after I find the string embedded in
your driver). Someone trying to actively compromise a system with your
driver will insist on this…
Regards,
Tony
Tony Mason
Consulting Partner
OSR Open Systems Resources, Inc.
http://www.osr.com
And now off to teach file systems this week in Boston…
-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Ladislav Zezula
Sent: Monday, April 04, 2005 1:23 AM
To: ntfsd redirect
Subject: Re: [ntfsd] because my encrypted filter,winzip can’t handle
.zip file
Tony, David, Don,
The approach we’ve used is that you present two different views - as
if
they were two different files at least from the OS perspective. We
make
this work by implementing as a layered file system, so we control the
caching of the clear data.
This is exactly the way how we’ve done it. But this is also
one of most problematic thing in filter world.
Could you tell me how you handle custom IOCTLs,
which receive a file handle in the data structure (e.g. defragmentation
API or offline folders ?)
I guess another question is how do you know that an application of
some
name
is the ‘real’ application? Key management is another problem.
I think it is enough to test the application name in
the EPROCESS structure. I know that there is not enough
space for the possible long EXE name, but if you check
for the same name as in Task manager (which - i think -
also shows the name from the EPROCESS), it is sufficient
for distinguishing one app from another.
Yeah, I know about the “real” application problem and have educated
the
customer. They are trying to insist on a password prompt triggered by
the
create, I’ve suggested this is not viable approach.
It IS a viable approach. You only cannot require the encryption key
and password on EVERY create (because you would get crazy
then, there are tens of CREATEs during e.g. when MS Word
opens a document).
L.
Questions? First check the IFS FAQ at
https://www.osronline.com/article.cfm?id=17
You are currently subscribed to ntfsd as: xxxxx@osr.com
To unsubscribe send a blank email to xxxxx@lists.osr.com