Get process from IRP

Good morning folks,

I’m doing some mini-research on security/authentication etc. on
mini-filters. I’ve read a few docs (OSR and MSDN mainly) but I admit I
got a bit confused. So, I’d like your help on clarifying some issues.

* I need to get the process that issued the IRP. Do I have to retrieve
process/thread information in IRP_MJ_CREATE (and store this information
in the FO’s stream handle context) or do I have to do it for each IRP
I intercept?
* I’ve read something about how the issuer of the IRP may not be the one I
think it is (e.g. previously pended IRPs being resumed in a different
process/thread context, the system process doing its magic etc.). Is
there a bullet-proof way of retrieving the original issuer? Does the
“original issuer” make sense at all?
* What happens with impersonation? If a thread impersonates a user, is
it possible to receive IRPs on an FO that was created as a
non-impersonated user? If yes, how can this be noticed?


Thanos Makatos
Software engineer
Barcelona Supercomputing Center


In IRP_MJ_CREATE you have got the context of the sender.
Theoretically all IRPs can be pended and processed as non threaded IRPs.
Just use IoGetRequestorProcess/Thread.
If you read the WDK docs you would find how each major function callback routine gets called, at what IRQL and in which possible contexts (thread/process).

The main thing, in my opinion, is that you should really not tackle so hard such edge cases as thread impersonation or IRP_MJ_CREATE pended IRPs, since such cases are rare, but rather focus on understanding the “standard” way IRPs are processed by a filter or a FS. After you are comfortable with that, deal with the edge cases, but that’s just me.

PS: For non-threaded IRPs, IoGetRequestorProcess will not help you since these IRPs are usually built for async purposes and cannot be associated with a single thread, but rather an arbitrary one.
These IRPs are usually created via IoAllocateIrp or IoBuildAsynchronousFsdRequest and sent down.