File system hook issue with remote requests (9X/ME related)

I’m currently investigating an issue with a vxd that uses the
IFSMgr_InstallFileSystemApiHook service to hook the file system under 9X/ME.

I am trying to determine whether a file access is being performed via a local
request or as the result of a remote request (e.g. access of a file through a
share).

The only thing I have found thus far is that the process id (pioreq->ir_pid)
for the IFSFN_OPEN request when the access is remote is 0x8000FEFF. From what
little I have found out so far this could also happen when local Ring 0 file
access is invoked. (Using Filemon this access shows as being performed by
Kernel32.)

Rob Linegar
Software Engineer
Data Encryption Systems Limited


You are currently subscribed to ntfsd as: $subst(‘Recip.EmailAddr’)
To unsubscribe send a blank email to leave-ntfsd-$subst(‘Recip.MemberIDChar’)@lists.osr.com

I didn’t see a question :-)
You can determine whether it’s local or remote access via the ResType parameter
of the IFS hook function.
It will have the IFSFH_RES_LOCAL bit set unless the resource is remote.
You should not rely on the process name.

Regards, Dejan.



Kind regards, Dejan M. www.alfasp.com
E-mail: xxxxx@alfasp.com ICQ#: 56570367
Alfa File Monitor - File monitoring library for Win32 developers.
Alfa File Protector - File protection and hiding library for Win32 developers.
Alfa Registry Monitor - Registry monitoring library for Win32 developers.
Alfa Registry Protector - Registry protection library for Win32 developers.



As far as I know there is no way to definitely say if a request is made by a
remote user. On NT you may try to use security information but not on 9x. I
could say that our driver filters out requests made by the system.

Alexey Logachyov
xxxxx@vba.com.by
VirusBlokAda Ltd.
http://www.vba.com.by

----- Original Message -----
From:
To: “File Systems Developers”
Sent: Thursday, January 24, 2002 7:10 PM
Subject: [ntfsd] File system hook issue with remote requests (9X/ME related)




>> (Using Filemon this access shows as being performed by Kernel32.)
Can you determine the caller using the process name? Maybe it would be
interesting for you to walk through the process data (Filemon only gets the
name, but you can find more: Matt Pietrek described these structures
in one of his books (AFAIK Secrets of Windows95)).


Best regards,
??? mailto:xxxxx@perm.raid.ru



At 10:40 PM 1/24/02, you wrote:

You can use the following code to find it out:

bool IsServerCall (pioreq pir) { return ((pir->ir_pid & 0x80000000) && (pir->ir_pid != -1)); }

For a local file system request, ir_pid is made up of the DOS PSP and current VM
ID values. If the request came from a remote machine, you will see the leftmost
bit is on, and for ring 0 access it will be equal to -1.

I found the above only from observation and using it since Win95’s days in
several drivers. So, you can probably rely on it. If anyone else knows any
exception to the above rule, please let me know.

Regards,
Robin


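The two answers in this thread (Dejan's ResType check and Robin's ir_pid rule) put together in one hook, as an added example that is not code from the thread or from any of the posters' products. The ifs.h types are stand-ins so the file builds outside a VxD project: the values given for IFSFH_RES_LOCAL and IFSFN_OPEN are assumptions to be checked against the Windows 9x DDK header, the ioreq struct is reduced to the one field used, and classify_pid, resource_is_local, should_block_open, my_fs_hook and simulate_open are names chosen for this example. The sample pids are constructed; 0x8000FEFF is the one reported in the original post.

```c
#include <stdio.h>

#define IFSFH_RES_LOCAL      0x80          /* assumption: value as in the 9x DDK ifs.h */
#define IFSFN_OPEN           36            /* assumption: value as in the 9x DDK ifs.h */
#define ERROR_ACCESS_DENIED  5
#define RING0_PID            0xFFFFFFFFu   /* Robin: ring-0 callers carry -1 */
#define SERVER_PID_BIT       0x80000000u   /* Robin: bit 31 marks server-injected requests */

/* Stand-in for the DDK's ioreq; only the field used here. */
typedef struct ioreq { unsigned int ir_pid; } ioreq, *pioreq;

typedef int (*pIFSFunc)(pioreq pir);
typedef int (*pIFSFileHookFunc)(pIFSFunc pfn, int fn, int Drive, int ResType,
                                int CodePage, pioreq pir);

enum req_origin { ORIGIN_LOCAL_RING3 = 0, ORIGIN_RING0 = 1, ORIGIN_SERVER = 2 };

/* Robin's ir_pid rule as a pure function: -1 is ring 0, bit 31 is the server,
   anything else is a ring-3 caller (DOS PSP + VM id). */
enum req_origin classify_pid(unsigned int ir_pid)
{
    if (ir_pid == RING0_PID)     return ORIGIN_RING0;
    if (ir_pid & SERVER_PID_BIT) return ORIGIN_SERVER;
    return ORIGIN_LOCAL_RING3;
}

/* Dejan's ResType rule: is the target resource handled by a local FSD? */
int resource_is_local(int ResType)
{
    return (ResType & IFSFH_RES_LOCAL) != 0;
}

/* Example policy: refuse opens that the server injected for a remote client
   against a local volume; everything else is passed down the chain. */
int should_block_open(int fn, int ResType, unsigned int ir_pid)
{
    return fn == IFSFN_OPEN
        && resource_is_local(ResType)
        && classify_pid(ir_pid) == ORIGIN_SERVER;
}

/* IFSMgr_InstallFileSystemApiHook returns a pointer to the previous hook's
   slot; the hook dereferences that slot on every call so later hooks chain. */
static pIFSFileHookFunc  prev_hook;
static pIFSFileHookFunc *pprev_hook = &prev_hook;

/* Chain tail standing in for what the IFS manager itself would do. */
static int tail_hook(pIFSFunc pfn, int fn, int Drive, int ResType,
                     int CodePage, pioreq pir)
{
    (void)fn; (void)Drive; (void)ResType; (void)CodePage;
    return pfn(pir);
}

/* The hook in the shape the DDK expects (minus the _cdecl decoration). */
int my_fs_hook(pIFSFunc pfn, int fn, int Drive, int ResType,
               int CodePage, pioreq pir)
{
    if (should_block_open(fn, ResType, pir->ir_pid))
        return ERROR_ACCESS_DENIED;
    return (*pprev_hook)(pfn, fn, Drive, ResType, CodePage, pir);
}

/* Pretend FSD: every open succeeds, so the hook's decision is the only variable. */
static int fake_fsd(pioreq pir) { (void)pir; return 0; }

/* Drive one IFSFN_OPEN for drive C: (Drive 3) through the hook; returns the status. */
int simulate_open(int ResType, unsigned int ir_pid)
{
    ioreq req = { ir_pid };
    prev_hook = tail_hook;
    return my_fs_hook(fake_fsd, IFSFN_OPEN, 3, ResType, 0, &req);
}

int main(void)
{
    /* Constructed samples; 0x8000FEFF is the pid reported in the original post. */
    static const struct { const char *what; int res; unsigned int pid; } samples[] = {
        { "ring-3 program, local drive",       IFSFH_RES_LOCAL, 0x00C41A2Bu },
        { "server-injected, local drive",      IFSFH_RES_LOCAL, 0x8000FEFFu },
        { "ring-0 caller, local drive",        IFSFH_RES_LOCAL, RING0_PID   },
        { "server-injected, redirector drive", 0,               0x8000FEFFu },
    };
    size_t i;
    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int rc = simulate_open(samples[i].res, samples[i].pid);
        printf("%-36s pid=0x%08X origin=%d -> %s\n", samples[i].what, samples[i].pid,
               (int)classify_pid(samples[i].pid),
               rc == 0 ? "allowed" : "ERROR_ACCESS_DENIED");
    }
    return 0;
}
```

ResType describes the resource being accessed and ir_pid the caller, so the two checks answer different questions and the policy above needs both. Even combined they remain a heuristic: Robin states the ir_pid encoding comes from observation only, the original post saw the same bit-31 pid on local ring 0 access, and Alexey's reply says there is no definitive answer on 9x. Treat the result as a hint for logging or filtering, not as an access-control boundary.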