how to detect user sid from driver

Hello,

I have a driver which can filter certain operations (network and file system). I want to enable the filtering only for processes launched by an interactive user (to exclude services, driver and kernel threads, etc). I can extract the user SID from a process handle and I want to check if the SID belongs to a normal user or not. Is there a way to perform this operation in kernel mode?

Thank you.

Hmmmm…

Can you not create an appropriate ACL for your Device Object, and thereby preserve Windows typical semantics regarding access and handles?

Peter
OSR

You can get the process from a filesystem open operation in a filesystem
filter driver, not really relevant for a network operation.

Mark Roddy

On Tue, Feb 26, 2013 at 9:30 AM, wrote:

> Hello,
>
> I have a driver which can filter certain operations (network and file
> system). I want to enable the filtering only for processes launched by an
> interactive user (to exclude services, driver and kernel threads, etc). I
> can extract the user SID from a process handle and I want to check if the
> SID belongs to a normal user or not. Is there a way to perform this
> operation in kernel mode?
>
> Thank you.
>
> —
> NTDEV is sponsored by OSR
>
> OSR is HIRING!! See http://www.osr.com/careers
>
> For our schedule of WDF, WDM, debugging and other seminars visit:
> http://www.osr.com/seminars
>
> To unsubscribe, visit the List Server section of OSR Online at
> http://www.osronline.com/page.cfm?name=ListServer
>

Hello,

@Mr. Viscarola
My driver is a filter driver (think WFP, TDI, file-system or registry mini-filters) and its device object is not opened by any process except my own control / settings application.

@Mr. Roddy
From a TDI/WFP driver you can get the process which issued a certain operation.

You might look at S-1-5-4 (INTERACTIVE) as a field in TokenGroups.

But it’s not so simple… Some examples:

  • you do have a PID in some cases, but PsLookupProcessByProcessId is
    documented to not be safe at DISPATCH.

  • the thread may be impersonating a non-INTERACTIVE user or vice-versa

  • then what?

Operations in non-interactive security contexts may be performed on
behalf of interactive users, for example Dns lookup requests via the
Dns client service (dnscache).

Scott
On Feb 26, 2013, at 11:26 AM, “xxxxx@yahoo.com” wrote:

> Hello,
>
> @Mr. Viscarola
> My driver is a filter driver (think WFP, TDI, file-system or registry mini-filters) and its device object is not opened by any process except my own control / settings application.
>
> @Mr. Roddy
> From a TDI/WFP driver you can get the process which issued a certain operation.
>
>
>
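Scott's TokenGroups suggestion, as an added example that is not code from this thread: the comparison a driver would run over the group array of a process token. The SID and SID_AND_ATTRIBUTES layouts are re-declared locally so the block compiles and runs outside the WDK; in a driver they come from ntifs.h, the array comes from SeQueryInformationToken(token, TokenGroups, ...) on the token returned by PsReferencePrimaryToken(process), and RtlEqualSid does what SidEqual does here. The three group lists are constructed samples, not captured tokens. Beyond a plain presence check, the code also treats an INTERACTIVE entry flagged SE_GROUP_USE_FOR_DENY_ONLY (as found in a restricted or filtered token) as not interactive.

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Local re-declarations of the Windows SID and SID_AND_ATTRIBUTES layout so the
 * check compiles and runs outside the WDK. In a driver these come from ntifs.h,
 * the array comes from SeQueryInformationToken(token, TokenGroups, ...) on the
 * token returned by PsReferencePrimaryToken(process), and RtlEqualSid does what
 * SidEqual does here. */
typedef struct { uint8_t Value[6]; } SID_IDENTIFIER_AUTHORITY;

typedef struct {
    uint8_t  Revision;                       /* always 1 */
    uint8_t  SubAuthorityCount;
    SID_IDENTIFIER_AUTHORITY IdentifierAuthority;
    uint32_t SubAuthority[1];                /* really SubAuthorityCount entries */
} SID;

typedef struct {
    const SID *Sid;
    uint32_t   Attributes;
} SID_AND_ATTRIBUTES;

#define SE_GROUP_ENABLED           0x00000004u
#define SE_GROUP_USE_FOR_DENY_ONLY 0x00000010u

/* Well-known SIDs used by the constructed samples; all have one sub-authority. */
static const SID g_Everyone    = { 1, 1, {{0,0,0,0,0,1}}, { 0 } };   /* S-1-1-0  Everyone            */
static const SID g_Interactive = { 1, 1, {{0,0,0,0,0,5}}, { 4 } };   /* S-1-5-4  INTERACTIVE         */
static const SID g_Service     = { 1, 1, {{0,0,0,0,0,5}}, { 6 } };   /* S-1-5-6  SERVICE             */
static const SID g_AuthUsers   = { 1, 1, {{0,0,0,0,0,5}}, { 11 } };  /* S-1-5-11 Authenticated Users */

/* Byte length of a SID: 8-byte header plus 4 bytes per sub-authority. */
static size_t SidLength(const SID *sid)
{
    return 8u + 4u * (size_t)sid->SubAuthorityCount;
}

/* Same semantics as RtlEqualSid: identical revision, count and bytes. */
int SidEqual(const SID *a, const SID *b)
{
    if (a->Revision != b->Revision || a->SubAuthorityCount != b->SubAuthorityCount)
        return 0;
    return memcmp(a, b, SidLength(a)) == 0;
}

/* Walk a TokenGroups array (GroupCount / Groups) and report whether S-1-5-4 is
 * an effective member: present, enabled, and not marked deny-only. A restricted
 * or filtered token can still list INTERACTIVE, but with
 * SE_GROUP_USE_FOR_DENY_ONLY, and a bare presence check would misclassify it.
 * Returns 1 for an interactive logon session, 0 otherwise. */
int TokenGroupsAreInteractive(uint32_t groupCount, const SID_AND_ATTRIBUTES *groups)
{
    for (uint32_t i = 0; i < groupCount; i++) {
        if (!SidEqual(groups[i].Sid, &g_Interactive))
            continue;
        if (groups[i].Attributes & SE_GROUP_USE_FOR_DENY_ONLY)
            return 0;
        return (groups[i].Attributes & SE_GROUP_ENABLED) ? 1 : 0;
    }
    return 0;
}

/* Constructed sample group lists (not captured from real tokens). */
static const SID_AND_ATTRIBUTES g_DesktopUser[] = {
    { &g_Everyone,    SE_GROUP_ENABLED },
    { &g_AuthUsers,   SE_GROUP_ENABLED },
    { &g_Interactive, SE_GROUP_ENABLED },
};
static const SID_AND_ATTRIBUTES g_ServiceProcess[] = {
    { &g_Everyone,    SE_GROUP_ENABLED },
    { &g_AuthUsers,   SE_GROUP_ENABLED },
    { &g_Service,     SE_GROUP_ENABLED },
};
static const SID_AND_ATTRIBUTES g_RestrictedUser[] = {
    { &g_Everyone,    SE_GROUP_ENABLED },
    { &g_Interactive, SE_GROUP_USE_FOR_DENY_ONLY },
};

#define COUNT_OF(a) ((uint32_t)(sizeof(a) / sizeof((a)[0])))

int CheckDesktopUser(void)    { return TokenGroupsAreInteractive(COUNT_OF(g_DesktopUser), g_DesktopUser); }
int CheckServiceProcess(void) { return TokenGroupsAreInteractive(COUNT_OF(g_ServiceProcess), g_ServiceProcess); }
int CheckRestrictedUser(void) { return TokenGroupsAreInteractive(COUNT_OF(g_RestrictedUser), g_RestrictedUser); }

int main(void)
{
    printf("desktop user      -> %d\n", CheckDesktopUser());    /* 1 */
    printf("service process   -> %d\n", CheckServiceProcess()); /* 0 */
    printf("deny-only entry   -> %d\n", CheckRestrictedUser()); /* 0 */
    return 0;
}
```

In the driver the same loop runs at PASSIVE_LEVEL over the buffer SeQueryInformationToken allocates, and the token reference from PsReferencePrimaryToken is dropped with PsDereferencePrimaryToken afterwards; the group walk itself is the only part shown here.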

This assumes that (a) you have a rigorous definition of what is a “normal”
user and (b) you are absolutely confident your definition is correct under
all possible conditions. It also assumes that (c) the user has not found
out that you are filtering things and comes up with some trivial way to
bypass it. How many Windows machines are there today? Half a billion?

If you are writing a security product, you can be certain that those who
make their livings writing malware, especially those involved in
industrial espionage, will buy a copy the day it goes on the market, and
it would not surprise me if they had a workaround a week later. A month
in worst case. So you are also (d) certain it cannot be trivially
bypassed by an expert?

That’s an awful lot of assumptions…
joe

> Hello,
>
> I have a driver which can filter certain operations (network and file
> system). I want to enable the filtering only for processes launched by an
> interactive user (to exclude services, driver and kernel threads, etc). I
> can extract the user SID from a process handle and I want to check if the
> SID belongs to a normal user or not. Is there a way to perform this
> operation in kernel mode?
>
> Thank you.



@Mr. Lundgren: Thank you for the hint, I will look into it.
With my current design I do not need to open process handles at dispatch level. I am interested in excluding things at process level, so I do not care about impersonating threads.

@Mr. Newcomer: This filter is not for a security product, it is for debugging / monitoring purposes and I’m trying to cut down on the amount of operations filtered.

> @Mr. Lundgren: Thank you for the hint, I will look into it.
>
> With my current design I do not need to open process handles at dispatch
> level. I am interested in excluding things at process level, so I do not
> care about impersonating threads.
>
> @Mr. Newcomer: This filter is not for a security product, it is for
> debugging / monitoring purposes and I’m trying to cut down on the amount
> of operations filtered.

If this is for your own internal use and will never be a product, you have
more degrees of freedom in what you do.

Most services run under special IDs, such as LocalSystem, or an account
for the backup administrator, etc. Rarely does a service get logged in
from the account of the logged-in user; I’d say this is so rare that any
additional filtering/reporting either (a) does not impact performance
enough to matter and (b) if it does happen, you probably care.

A debugging or monitoring component like this is typically accompanied by
a user app that displays, logs, or otherwise reacts to what is being
recorded. If this app is run by the user, it can record the sid of its
caller and then filter based on this sid. If the sid is not set, then you
have the option of either not doing any monitoring until the responding
app is started or recording all events to kernel buffers up to some limit,
then recycling the oldest buffer so that when the app is finally run, it
delivers back all the buffered events that match the sid handed down.
Thus, you don’t have to worry about the definition of “normal process”.


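The buffering design Joe describes above, as an added example that is not code from this thread: a bounded ring of recorded operations that recycles the oldest entry when it is full, and a drain that delivers, oldest first, only the records whose SID matches the one the control application handed down. The SIDs, paths and addresses are constructed samples, the SID is kept in string form to stay self-contained (a driver would store the binary SID and compare with RtlEqualSid), and the locking a real driver needs around the ring is omitted. The dropped counter is the one extra a practitioner wants: the app can be told how many records were recycled before it connected.

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* One recorded operation, tagged with the SID of the process that issued it.
 * String-form SID here for a self-contained sample; a driver stores the binary SID. */
#define SID_TEXT_MAX 64
typedef struct {
    uint64_t sequence;              /* monotonically increasing record number */
    char     sid[SID_TEXT_MAX];
    char     description[48];
} MonitorEvent;

/* Bounded ring: when full, the oldest record is recycled (overwritten). */
#define RING_CAPACITY 4
typedef struct {
    MonitorEvent slots[RING_CAPACITY];
    size_t   head;       /* index of the oldest record */
    size_t   count;      /* records currently held */
    uint64_t nextSeq;
    uint64_t dropped;    /* records recycled before any app drained them */
} EventRing;

void RingInit(EventRing *r) { memset(r, 0, sizeof(*r)); }

void RingRecord(EventRing *r, const char *sid, const char *description)
{
    size_t slot;
    if (r->count == RING_CAPACITY) {
        slot = r->head;                         /* overwrite oldest */
        r->head = (r->head + 1) % RING_CAPACITY;
        r->dropped++;
    } else {
        slot = (r->head + r->count) % RING_CAPACITY;
        r->count++;
    }
    MonitorEvent *e = &r->slots[slot];
    e->sequence = r->nextSeq++;
    snprintf(e->sid, sizeof e->sid, "%s", sid);
    snprintf(e->description, sizeof e->description, "%s", description);
}

/* Deliver, oldest first, every buffered record whose SID matches the one the
 * control application handed down, then empty the ring. Returns the number
 * copied into out (at most outMax). */
size_t RingDrainForSid(EventRing *r, const char *sid, MonitorEvent *out, size_t outMax)
{
    size_t delivered = 0;
    for (size_t i = 0; i < r->count && delivered < outMax; i++) {
        const MonitorEvent *e = &r->slots[(r->head + i) % RING_CAPACITY];
        if (strcmp(e->sid, sid) == 0)
            out[delivered++] = *e;
    }
    r->head = 0;
    r->count = 0;
    return delivered;
}

/* Constructed scenario: operations arrive before the monitoring app connects,
 * the ring overflows twice, then the app hands down the interactive user's SID. */
#define USER_SID   "S-1-5-21-1000-2000-3000-1001"   /* constructed, not a real account */
#define SYSTEM_SID "S-1-5-18"                        /* LocalSystem */

size_t RunScenario(MonitorEvent *out, size_t outMax, uint64_t *dropped)
{
    EventRing ring;
    RingInit(&ring);
    RingRecord(&ring, USER_SID,   "open C:\\Users\\alice\\notes.txt");   /* seq 0 */
    RingRecord(&ring, SYSTEM_SID, "connect 10.0.0.5:53");               /* seq 1 */
    RingRecord(&ring, USER_SID,   "open C:\\Users\\alice\\todo.txt");    /* seq 2 */
    RingRecord(&ring, USER_SID,   "connect 192.0.2.10:443");            /* seq 3 */
    RingRecord(&ring, SYSTEM_SID, "open C:\\Windows\\Temp\\x.log");      /* seq 4, recycles seq 0 */
    RingRecord(&ring, USER_SID,   "open C:\\Users\\alice\\draft.doc");   /* seq 5, recycles seq 1 */
    if (dropped)
        *dropped = ring.dropped;
    return RingDrainForSid(&ring, USER_SID, out, outMax);
}

int main(void)
{
    MonitorEvent out[RING_CAPACITY];
    uint64_t dropped = 0;
    size_t n = RunScenario(out, RING_CAPACITY, &dropped);
    printf("%zu matching records delivered, %llu recycled before delivery\n",
           n, (unsigned long long)dropped);
    for (size_t i = 0; i < n; i++)
        printf("  #%llu %s\n", (unsigned long long)out[i].sequence, out[i].description);
    return 0;
}
```

With a capacity of four, the scenario delivers three user records (sequence 2, 3 and 5) and reports two recycled; the LocalSystem record that survived in the ring is filtered out by the SID match rather than by any definition of a "normal process", which is the point of the design.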