FILE_EXECUTE flag: is it 100% mandatory for executables?

Is the FILE_EXECUTE flag mandatory for all executable images? Is it possible for
an executable to be loaded and run without this flag ever specified in create?

Regarding false positives of execution (with this flag set), can I safely remove it
in post-create (minifilter) to deny execution of an image?

m.

Look at FastFat create.c


Questions? First check the IFS FAQ at https://www.osronline.com/article.cfm?id=17

You are currently subscribed to ntfsd as: xxxxx@alfasp.com
To unsubscribe send a blank email to xxxxx@lists.osr.com


Kind regards, Dejan
http://www.alfasp.com
File system audit, security and encryption kits.

Thanks Dejan,

I have looked at create.c, and have skimmed through it again. There are no
docs I can find on FO_FILE_FAST_IO_READ.

I see this flag is set for FILE_EXECUTE, but what is set for notepad
files? Txt files and executables are both memory mapped; I
had assumed they both used the same flag while being read into memory.
Given create.c is over 10,000 lines, I admit I only
did a search for “memory” and “mapped” to try and answer my question.

What I’m trying to accomplish is simple: when an executable fails my
heuristics in create, if the FILE_EXECUTE flag is not set, then let it
pass so it can be moved, copied/pasted, etc. As of now, when my filter
sees a file it doesn’t recognize, it instantly returns access denied and
nothing can be done with it in userland.

Just exploring ways to improve a little on my screwy design.

Thanks,

m.


It is possible to execute a file not opened with FILE_EXECUTE permissions. While this
may change with Vista, hacking is easier than preventing creation of yet unknown hacks.



Kind regards, Dejan
http://www.alfasp.com
File system audit, security and encryption kits.