In my filter driver, I don't want my protected files to be accessed from the
network (LAN or WAN).
I'll suggest the client not share them. But some viruses, you know, can
share them quietly.
So I want to disable it in kernel mode.
I've tried some ways, such as getting the token from the current process and then
querying its token type (SeQueryInformationToken). Curiously, I got an
indeterminate result: neither primary token nor impersonation token. And then
I tried to query its token source; it doesn't work. It took
me 2 days. Who can pull me through?
Regards,
Ming
Try this piece of code:
BOOLEAN bServerCall = FALSE;   /* set when the calling thread is impersonating */
HANDLE TokenHandle = NULL;
NTSTATUS Status = ZwOpenThreadToken((HANDLE)-2,   /* pseudo-handle: current thread */
                                    STANDARD_RIGHTS_READ, FALSE, &TokenHandle);
if (NT_SUCCESS(Status))
{
    ULONG ResultLength;
    TOKEN_TYPE TType;
    Status = ZwQueryInformationToken(TokenHandle, TokenType, &TType,
                                     sizeof(TOKEN_TYPE), &ResultLength);
    if (NT_SUCCESS(Status))
    {
        if (TType == TokenImpersonation)
        {
            bServerCall = TRUE;   /* thread token present: caller is impersonating */
        }
    }
    ZwClose(TokenHandle);
}
Notice, however, that you must check for impersonation token in
IRP_MJ_CREATE dispatch routine only. And using current thread probably is
not the best idea.
-htfv
“Ming” wrote in message news:xxxxx@ntfsd…
Thank you.
I've tried to check the current process/thread token, just as you wrote;
it doesn't help. And I have tried to get the security descriptor also,
but I am confused about it.
“Alexey Logachyov” wrote in message news:xxxxx@ntfsd…
I would replace (HANDLE)(-2) with GetCurrentThread() for beauty.
Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
xxxxx@storagecraft.com
http://www.storagecraft.com
----- Original Message -----
From: “Alexey Logachyov”
Newsgroups: ntfsd
To: “Windows File Systems Devs Interest List”
Sent: Tuesday, December 23, 2003 1:47 AM
Subject: [ntfsd] Re: How to Detect the irp from network or local?
> —
> Questions? First check the IFS FAQ at
https://www.osronline.com/article.cfm?id=17
>
> You are currently subscribed to ntfsd as: xxxxx@storagecraft.com
> To unsubscribe send a blank email to xxxxx@lists.osr.com
Thank you two.
I've succeeded in denying access over the network, but need more tests.
I am so confused by (HANDLE)(-2). What on earth is it?
Replacing it with GetCurrentThread() would look nicer. And
what's the difference between them?
Does it mean that the “System” thread handle equals (HANDLE)(-2)?
“Maxim S. Shatskih” wrote in message news:xxxxx@ntfsd…
(HANDLE)(-2) means the current thread handle. (HANDLE)(-1) means the current
process handle.
I don't remember why I put (HANDLE)(-2), but I definitely had some reason. I
never use casting, especially one like this, unless it is absolutely
needed.
To be more precise, one must use the NtCurrentThread or ZwCurrentThread macro as
it is defined in ntifs.h.
As to why it does not work for you, Ming, I don't know. This worked for me.
Perhaps you could post a piece of your code or explain in detail what
you are doing and in what place.
-htfv
“Ming” wrote in message news:xxxxx@ntfsd…
No, GetCurrentThread is hard-coded to return 2, and all handle-related APIs
accept 2 as a handle with the meaning of “current thread”.
1 is “current process”, in the same way.
Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
xxxxx@storagecraft.com
http://www.storagecraft.com
----- Original Message -----
From: “Ming”
Newsgroups: ntfsd
To: “Windows File Systems Devs Interest List”
Sent: Tuesday, December 23, 2003 12:52 PM
Subject: [ntfsd] Re: How to Detect the irp from network or local?
Then why is it negative? Does it mean 0xFFFFFFFE?
–
No one knows what tomorrow would be,
but I’ll do my best.
“Maxim S. Shatskih” wrote in message news:xxxxx@ntfsd…
This is by design.
And besides, it is 0xFFFFFFFFFFFFFFFE on 64-bit systems.
-htfv
“Ming” wrote in message news:xxxxx@ntfsd…
AFAIK, GetCurrentThread is a Ring 3 API. I've tried PsGetCurrentThread
instead, but it fails.
PETHREAD pCurrentThread = PsGetCurrentThread();
Status = ZwOpenThreadToken(pCurrentThread, STANDARD_RIGHTS_READ, FALSE,
                           &hToken);
Status is always not STATUS_SUCCESS.
“Maxim S. Shatskih” wrote in message news:xxxxx@ntfsd…
Hello,
PsGetCurrentThread returns a PETHREAD, and ZwOpenThreadToken requires a handle to
the thread. A PETHREAD is not equivalent to a handle to the thread. I think
that is the reason why (HANDLE)-2 is used. The other way of getting a
handle to the current thread is to use ZwOpenThread. It requires something
called a client ID, which is a structure containing the process ID and the
thread ID which you want to open. In this structure, specify the current
thread ID, which can be obtained using the PsGetCurrentThreadId call. This
will give you the handle to the current thread.
thanks
-Kiran
-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com]On Behalf Of Ming
Sent: Wednesday, December 24, 2003 12:06 PM
To: Windows File Systems Devs Interest List
Subject: [ntfsd] Re: How to Detect the irp from network or local?
Look for my previous posts in this thread. You must use the NtCurrentThread or
ZwCurrentThread macro defined in ntifs.h.
-htfv
“Ming” wrote in message news:xxxxx@ntfsd…