Getting app name from my drv

Hi All,
A little while ago I asked how one can identify an IRP originator. What I was actually looking for is how I can get the name of the application that issued this IRP.
I tried to fish this info out of the DDK with not much luck; PsGetCurrentProcessID, PS…ThreadID return a structure that is not documented at all.
Can anyone please help me?
Regards,
Stas,
Powernet.


You are currently subscribed to ntdev as: $subst(‘Recip.EmailAddr’)
To unsubscribe send a blank email to leave-ntdev-$subst(‘Recip.MemberIDChar’)@lists.osr.com

Why would you want to tie a driver to an application? Why should it care
whether it was an application or another driver that called it? A driver
gets an IRP, pends it, or completes it. With rare exceptions it does nothing
else. Are you trying to take logic path Z if called by application BUGS, and
logic path Y if called by application PORKY? OK, so what if application DAFFY
calls driver BUBBA, which then calls your driver? In the latter case, your driver
is called in an arbitrary thread context that is not associated with any
thread, which is why it is “arbitrary”.

Perhaps it would be better to provide IOCTL calls for logic paths Z and Y. That
way the driver doesn’t care who called it; it just gets an IRP and
completes it or pends it.

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com]On Behalf Of STAS
Sent: Sunday, April 15, 2001 3:11 AM
To: NT Developers Interest List
Subject: [ntdev] Getting app name from my drv




Stas,
I guess that IoGetCurrentProcess will return the process ID, which you can use
somehow in the Win32 API to retrieve the app name of the application that
created this process. The problem is that you can call IoGetCurrentProcess
only in “upper”/“highest-level” drivers that run in the context of that
application process. If you try to call it from a “lower” driver it
will most probably return 0 for the “0” system process.

Roman.
-----Original Message-----
From: Gary G. Little [mailto:xxxxx@inland.net]
Sent: Sunday, April 15, 2001 5:52 PM
To: NT Developers Interest List
Subject: [ntdev] RE: Getting app name from my drv




Download the FileMon sample from www.sysinternals.com and check it. You will get a function there to retrieve the application name.

Regards,
Satish K.S
----- Original Message -----
From: STAS
To: NT Developers Interest List
Sent: Sunday, April 15, 2001 3:40 PM
Subject: [ntdev] Getting app name from my drv


If your driver is top level, provide an IOCTL to pass the driver the
name of each application that will use your driver.

Store that name and the current process ID in an array of structures.
Thereafter, every time you want to know, use the then-current process ID
to search for the application name.

George

At 12:10 PM 4/15/01 +0200, you wrote:


Hi George,
The problem is that I don’t have the sources for the applications that are going to
call my driver.
Regards,
Stas.



Then you can never be sure who or what is passing you the IRP. If you
rely on an application named ABC.EXE, someone can take XYZ.EXE and rename
it to ABC.EXE. The driver is happy with ABC but nothing works because it’s
the wrong frigg’n application. Which is too bad, since the driver should be
written to only care about HOW it is called and NOT whether a specific
application calls it.

You’ve never really answered the question: why should your driver care about
the application name?

Gary

-----Original Message-----
From: stas [mailto:xxxxx@powernetsys.com]
Sent: Tuesday, April 17, 2001 12:46 AM
To: NT Developers Interest List
Subject: [ntdev] Re: Getting app name from my drv


Stas,
Doesn’t the FileMon sample from www.sysinternals.com answer your problem?

RG

-----Original Message-----
From: Gary Little [mailto:xxxxx@Broadstor.com]
Sent: Tuesday, April 17, 2001 5:09 PM
To: NT Developers Interest List
Subject: [ntdev] Re: Getting app name from my drv


Although you don’t have access to the actual applications that will call your
driver, is there an interface (how do they call your driver?), via
a statically linked library or a DLL, where the work could be done?
Rob Linegar
Software Engineer
Data Encryption Systems Limited

-----Original Message-----
From: Roman Geller [mailto:xxxxx@envara.com]
Sent: 17 April 2001 18:12
To: NT Developers Interest List
Subject: [ntdev] Re: Getting app name from my drv


----- Original Message -----
From: Gary Little
To: NT Developers Interest List
Sent: Tuesday, April 17, 2001 11:09 AM
Subject: [ntdev] Re: Getting app name from my drv

I am not sure about the caller’s specific need for calling-process
information.

However, there are some network filter drivers (e.g., TDI filters) that
attempt to restrict access to IP addresses/ports on a per-application basis.
That is: some applications are allowed to use certain ports, others are not.

Managing this sort of filter requires that the driver attempt to
ferret out the process/application name, usually in a create call of some sort.

The SysInternals FileMon sample does illustrate one way to attempt to make
this correlation.

Certainly, it is debatable 1.) whether this is reliable for normal
apps, 2.) whether this is easily spoofed by bad guys and 3.) whether this is
worthwhile at all.

Regards,

Thomas F. Divine

PCAUSA - Toolkits & Resources For Network Software Developers
NDIS Protocol - NDIS Intermediate - TDI Client
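The create-time capture that Thomas mentions, as an added example in WDK C that is not code from the thread or from FileMon: IRP_MJ_CREATE is delivered at PASSIVE_LEVEL in the thread of the process that opened the device, so that is the one dispatch routine where PsGetCurrentProcessId and ZwQueryInformationProcess on ZwCurrentProcess() answer the question Stas asked. The result is hung off the FILE_OBJECT, so later read/write/IOCTL requests, which may arrive in an arbitrary thread (Roman’s point), never need the current process at all. Assumptions: the driver does not otherwise use FileObject->FsContext; ZwQueryInformationProcess and ProcessImageFileName are declared in ntddk.h in current WDKs (older kits needed a manual prototype); ExAllocatePoolWithTag is used for portability across kits. This builds only against the Windows Driver Kit and is not run as part of this page.

```c
#include <ntddk.h>

#define CALLER_TAG      'rlaC'
#define IMAGE_BUF_BYTES 1024

/* Per-handle record, hung off FILE_OBJECT.FsContext at open time.
 * Assumption: this driver does not otherwise use FsContext. */
typedef struct _CALLER_INFO {
    HANDLE ProcessId;                 /* PID at open; PIDs are recycled, so not a permanent identity */
    UCHAR  ImageBuf[IMAGE_BUF_BYTES]; /* UNICODE_STRING header followed by the image's NT path */
} CALLER_INFO, *PCALLER_INFO;

static NTSTATUS CompleteIrp(PIRP Irp, NTSTATUS Status)
{
    Irp->IoStatus.Status = Status;
    Irp->IoStatus.Information = 0;
    IoCompleteRequest(Irp, IO_NO_INCREMENT);
    return Status;
}

/* IRP_MJ_CREATE arrives at PASSIVE_LEVEL in the thread that called CreateFile,
 * so here "current process" really is the application opening the device. */
NTSTATUS CallerCreate(PDEVICE_OBJECT DeviceObject, PIRP Irp)
{
    PIO_STACK_LOCATION Stack = IoGetCurrentIrpStackLocation(Irp);
    PCALLER_INFO Info;
    ULONG Returned = 0;
    NTSTATUS Status;

    UNREFERENCED_PARAMETER(DeviceObject);

    Info = (PCALLER_INFO)ExAllocatePoolWithTag(NonPagedPoolNx, sizeof(*Info), CALLER_TAG);
    if (Info == NULL) {
        return CompleteIrp(Irp, STATUS_INSUFFICIENT_RESOURCES);
    }
    RtlZeroMemory(Info, sizeof(*Info));
    Info->ProcessId = PsGetCurrentProcessId();

    /* ProcessImageFileName fills in a UNICODE_STRING (NT path, e.g.
     * \Device\HarddiskVolume2\...\abc.exe) with its characters appended. */
    Status = ZwQueryInformationProcess(ZwCurrentProcess(), ProcessImageFileName,
                                       Info->ImageBuf, sizeof(Info->ImageBuf), &Returned);
    if (!NT_SUCCESS(Status)) {
        /* Fail closed: an open whose caller cannot be identified is refused. */
        ExFreePoolWithTag(Info, CALLER_TAG);
        return CompleteIrp(Irp, Status);
    }

    Stack->FileObject->FsContext = Info;
    return CompleteIrp(Irp, STATUS_SUCCESS);
}

/* Read, write and IOCTL requests may reach the driver in an arbitrary thread
 * (queued, or forwarded by another driver), so PsGetCurrentProcess* would name
 * the wrong process there. The record bound at open time travels with the
 * FILE_OBJECT in every later IRP and is valid in any context. */
static PCALLER_INFO CallerOf(PIRP Irp)
{
    PFILE_OBJECT FileObject = IoGetCurrentIrpStackLocation(Irp)->FileObject;
    return (FileObject != NULL) ? (PCALLER_INFO)FileObject->FsContext : NULL;
}

NTSTATUS CallerDeviceControl(PDEVICE_OBJECT DeviceObject, PIRP Irp)
{
    PCALLER_INFO Info = CallerOf(Irp);
    ULONG Code = IoGetCurrentIrpStackLocation(Irp)->Parameters.DeviceIoControl.IoControlCode;

    UNREFERENCED_PARAMETER(DeviceObject);

    if (Info != NULL) {
        /* The image path is good for logging and diagnostics; it is not an identity,
         * because a renamed XYZ.EXE reports itself as ABC.EXE. */
        DbgPrint("IOCTL 0x%x from pid %p image %wZ\n", Code, Info->ProcessId,
                 (PUNICODE_STRING)Info->ImageBuf);
    }
    /* Normal per-IOCTL dispatch continues here. */
    return CompleteIrp(Irp, STATUS_SUCCESS);
}

NTSTATUS CallerClose(PDEVICE_OBJECT DeviceObject, PIRP Irp)
{
    PFILE_OBJECT FileObject = IoGetCurrentIrpStackLocation(Irp)->FileObject;

    UNREFERENCED_PARAMETER(DeviceObject);

    if (FileObject != NULL && FileObject->FsContext != NULL) {
        ExFreePoolWithTag(FileObject->FsContext, CALLER_TAG);
        FileObject->FsContext = NULL;
    }
    return CompleteIrp(Irp, STATUS_SUCCESS);
}
```

The name is still only a hint: a renamed XYZ.EXE reports itself as ABC.EXE, and a PID is reused once the process exits. If a decision depends on who opened the handle, record something the caller cannot choose at the same point, for example the authentication ID of the opener’s primary token (PsReferencePrimaryToken and SeQueryAuthenticationIdToken from ntifs.h), and treat the image path as logging data.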

A good way to implement this is to have a user-mode service that proxies
requests from all user-mode apps to the driver. It can then handle
authentication and other issues.

-----Original Message-----
From: Thomas F. Divine [mailto:xxxxx@pcausa.com]
Sent: Tuesday, April 17, 2001 9:33 AM
To: NT Developers Interest List
Subject: [ntdev] Re: Getting app name from my drv


Thomas,

Methinks #3 is most applicable. :)

Gary

-----Original Message-----
From: Thomas F. Divine [mailto:xxxxx@pcausa.com]
Sent: Tuesday, April 17, 2001 9:33 AM
To: NT Developers Interest List
Subject: [ntdev] Re: Getting app name from my drv


Hi Rob,

No. One of my drivers is a substitute for serial.sys. It exposes the same
interface but actually sends IRPs to the TCP stack instead of the serial
controller.
So, I don’t have a clue what will call my driver. I just need to
figure out from the received IRP what process initiated it.
The FileMon example has a workaround (not 100% though) for the topmost
drivers.
Any ideas?

Regards,
Stas



Are there any samples on this issue?

> A good way to implement this is to have a user-mode service that proxies
> requests from all user-mode apps to the driver. It can then handle
> authentication and other issues.

Regards,
Stas

