The documented way to achieve this is to query the path of the
executable image in Win32 (see GetProcessImageFileName). The
undocumented way to do this from kernel mode only (works on at least XP
and W2K3) is to call ZwQueryInformationProcess with
ProcessImageInformation.
I do believe that this Win32 API does not return any stream suffix that
is associated with the executable image. I’m not sure if the native API
returns the full path name (or not). See
http://www.diamondcs.com.au/index.php?page=archive&id=ntfs-streams for
information on this. I actually demonstrated to someone today that an
executable image in the System32 directory can be modified without SFP
doing anything about it (try it - do “notepad
%systemroot%\system32\svchost.exe:MyStream.txt” and tell notepad you do
want to create the file in question. Add text to it. Watch the file -
it doesn’t change. Check in dllcache - SFP has actually copied your
modified version INTO the dllcache. Best part is it copied it WITHOUT
the new stream - I guess the SFP folks decided to eschew using
CopyFileW…)
In Vista there is a new Win32 API - QueryFullProcessImageName. I didn’t
confirm that this returns a complete name (including stream information)
but I’m at least hopeful. Since it is Vista-only, I figure it’ll be
generally useful in the “real world” starting around 2010…
But as to whether or not this is any more correct than whatever
brilliant solution you’ve concocted, I can’t really comment…
Regards,
Tony
Tony Mason
Consulting Partner
OSR Open Systems Resources, Inc.
http://www.osr.com
Looking forward to seeing you at the next OSR File Systems class in
Boston, MA April 18-21, 2006 (note new date - MS scheduled plugfest the
same week again.)
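An added example, not from Tony's or David's messages and not OSR code: a pure-Python model (no Windows API calls) of the two checks under discussion. `eprocess_style_name` imitates the base-name-only, 15-character EPROCESS field, which a renamed copy or a long-name collision satisfies; `check_full_path` is the comparison a filter can do once it has the full image path from the native or Win32 query, normalizing the `\Device\HarddiskVolumeN` form against the drive-letter form and refusing any image whose name carries an NTFS stream suffix. Every path is constructed sample data, and `VOLUME_MAP` is an assumed one-entry device-to-drive table that a real check would have to build at runtime. As Tony notes, the Win32 query may not hand back the stream suffix at all, so the stream check only helps when the path string actually carries it.

```python
# Added example (not from the original thread, not OSR code). Pure Python,
# no Windows API calls; all paths are constructed sample data.

# Assumed device-to-drive mapping. A real check must build this at runtime,
# because the native query returns \Device\... paths while Win32 returns
# drive-letter paths. The single entry here is constructed for the example.
VOLUME_MAP = {"\\device\\harddiskvolume1": "c:"}

NT_PREFIXES = ("\\??\\", "\\\\?\\")


def eprocess_style_name(image_path):
    """Imitate EPROCESS.ImageFileName: the executable's base name cut to 15
    characters (the field is 16 bytes including the terminator)."""
    base = image_path.rsplit("\\", 1)[-1]
    return base[:15].lower()


def normalize_image_path(image_path):
    """Lower-case, strip \\??\\ or \\\\?\\ prefixes, and map \\Device\\...
    volume names to drive letters so native and Win32 forms compare equal."""
    p = image_path.lower()
    for prefix in NT_PREFIXES:
        if p.startswith(prefix):
            p = p[len(prefix):]
            break
    for device, drive in VOLUME_MAP.items():
        if p.startswith(device + "\\"):
            p = drive + p[len(device):]
            break
    return p


def split_stream(path):
    """Return (file_path, stream_name). Only the last path component can
    carry ':stream[:$DATA]'; the colon of a drive letter sits before the
    first backslash and is never treated as a stream separator."""
    head, sep, last = path.rpartition("\\")
    if ":" not in last:
        return path, None
    name, _, rest = last.partition(":")
    stream = rest.split(":")[0]                 # drop an optional ':$DATA' type
    return head + sep + name, (stream or None)  # '::$DATA' is the unnamed default stream


def allowed_by_basename(image_path, allowlist):
    """The weak check: compare only the truncated base name (spoofable by
    renaming a binary or by a name that collides after truncation)."""
    names = {eprocess_style_name(a) for a in allowlist}
    return eprocess_style_name(image_path) in names


def check_full_path(image_path, allowlist):
    """The stronger check: reject any named stream, then require the whole
    normalized path to match an allow-listed image. Returns a reason string."""
    file_path, stream = split_stream(normalize_image_path(image_path))
    if stream is not None:
        return "denied: stream suffix %r" % stream
    if file_path in {normalize_image_path(a) for a in allowlist}:
        return "allowed"
    return "denied: path mismatch"


# Constructed allow-list for the demonstration.
ALLOWLIST = ["C:\\Windows\\System32\\svchost.exe",
             "C:\\Program Files\\Vendor\\MyVeryLongServiceName.exe"]

if __name__ == "__main__":
    samples = [
        "C:\\Windows\\System32\\svchost.exe",                         # genuine image
        "\\Device\\HarddiskVolume1\\Windows\\System32\\svchost.exe",  # native form of the same file
        "C:\\Users\\eve\\svchost.exe",                                # renamed copy, same base name
        "C:\\Users\\eve\\MyVeryLongServiceNameX.exe",                 # collides after 15-char truncation
        "C:\\Windows\\System32\\svchost.exe:MyStream.txt",            # image name carrying a stream
    ]
    for s in samples:
        print("%-60s basename=%-5s full=%s" % (
            s, allowed_by_basename(s, ALLOWLIST), check_full_path(s, ALLOWLIST)))
```

Run it as a script and the renamed copy and the truncation collision pass the base-name check but fail the full-path one, while the native `\Device\...` spelling of the genuine image is accepted only because of the volume mapping; drop `VOLUME_MAP` and that line is denied as a path mismatch, which is the bug a filter comparing raw strings from two different APIs would ship with.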
I believe there is a documented way to do this from UM. However, from
OS level, call ZwQueryInformationProcess for ProcessImageInformation.
You’ll get back the full path name.
Tony Mason
Consulting Partner
OSR Open Systems Resources, Inc.
http://www.osr.com
-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of David Beaver
Sent: Wednesday, March 08, 2006 8:14 PM
To: ntfsd redirect
Subject: [ntfsd] Checking the name of the executable in a filter…
Until recently, this was a primarily academic concern for me. However, it’s
become a very real one (since I’m writing a filter driver which is supposed
to provide services to just a limited set of processes).

Tony said, in a different context:

“I’ll also warn you (like I warn so many people) - checking the NAME of an
executable isn’t easy to do in Windows. You aren’t trying to look in the
EPROCESS are you? That name there can be spoofed rather trivially, which is
a bad thing for a security product.”

So I’ll ask - is there any RELIABLE way to get the name of a process that
isn’t trivially spoofable? Clearly, using the method of getting the name
from the EPROCESS structure can be spoofed (by simply changing the name of
the executable). While I’m not writing a security product, I would like for
the filter to have some hope of being reliable without trivial user action
defeating it…

Various methods of toughening this have occurred to me, but I’m interested
in knowing if there’s one superior (or should I say correct) one?
Thanks…dave