How to distinguish an IRP from SVR.sys?

Hello,

My filter driver needs to distinguish requests from a local user or a remote
user. Is there a simple way to distinguish IRPs originated from lanman
server or some user mode programs?
Any response is appreciated.

Shangwu

Is there a user-mode service or component that interacts with your
driver? You could possibly have a side device as a control device which
you could use the user mode service to inform the driver of the PID of
the lanman service. Then on MJ_IRP calls you simply get the PID of the
process making the request and compare (provided you are in the context
of the calling process).

PsGetCurrentProcessId

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/kmarch/hh/kmarch/k108_e38b09ef-d948-4eb9-bfdd-24b25ba55034.xml.asp

Thanks,

Toby

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Shangwu
Sent: Monday, February 28, 2005 3:17 PM
To: Windows File Systems Devs Interest List
Subject: [ntfsd] How to distinguish an IRP from SVR.sys?

Questions? First check the IFS FAQ at
https://www.osronline.com/article.cfm?id=17

You are currently subscribed to ntfsd as: xxxxx@opferman.com
To unsubscribe send a blank email to xxxxx@lists.osr.com

Ummm, well, maybe I didn’t understand your reply,
but AFAIK the requests from SRV.sys (SVR ?)
are always in the context of the system process
(ID = 4), so PsGetCurrentProcessID does not
help here …

-Any- response? That’s looking for trouble…

Try FILE_REMOTE_DEVICE in DeviceObject->Characteristics.

From: “Toby Opferman”
>Reply-To: “Windows File Systems Devs Interest List”
>To: “Windows File Systems Devs Interest List”
>Subject: RE: [ntfsd] How to distinguish an IRP from SVR.sys?
>Date: Mon, 28 Feb 2005 23:26:03 -0800

You can do the following to detect that an IRP_MJ_CREATE originated in SRV:

  1. Check that the current thread is impersonating
    (PsReferenceImpersonationToken is not null)
  2. Call SeQueryInformationToken for the impersonation token with
    TokenInformationClass == TokenSource. SourceName in the output structure
    allows you to identify the component that performed the impersonation - there is a
    predefined value that matches SVR.

You need to store the FILE_OBJECT from IRP_MJ_CREATE in a lookup table and check
the table to identify the source of other (not IRP_MJ_CREATE) IRPs.

Alexei.
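
Added example, not part of the message above and not code from any driver: a user-mode C model of the procedure Alexei describes, covering the fixed-width SourceName comparison and the FILE_OBJECT lookup table with removal at close. The function names are hypothetical, and the expected source name is passed in as a parameter because the thread does not state the value.

```c
/* Added example: user-mode model of the tracking logic, not driver code.
 * In a driver the 8-byte name is TOKEN_SOURCE.SourceName from
 * SeQueryInformationToken(..., TokenSource, ...), the key is the FILE_OBJECT
 * pointer from the IRP stack location, and the table needs a lock. */
#include <stddef.h>
#include <string.h>

#define SRC_LEN 8     /* SourceName is CHAR[8] and need not be NUL-terminated */
#define MAX_OPEN 128  /* constructed capacity for the example */

static const void *tracked[MAX_OPEN];  /* file objects created via the server */

/* Compare the fixed 8-byte field to `expected` without reading past it. */
int source_matches(const char name[SRC_LEN], const char *expected) {
    size_t n = strlen(expected);
    if (n == 0 || n > SRC_LEN || memcmp(name, expected, n) != 0) return 0;
    for (size_t i = n; i < SRC_LEN; i++)       /* remainder must be padding */
        if (name[i] != '\0' && name[i] != ' ') return 0;
    return 1;
}

static int find(const void *p) {
    for (int i = 0; i < MAX_OPEN; i++)
        if (tracked[i] == p) return i;
    return -1;
}

/* IRP_MJ_CREATE: steps 1 and 2. Returns 1 = tracked as remote, 0 = local,
 * -1 = remote but table full, so the caller can fail the create instead of
 * silently treating a remote open as local. */
int on_create(const void *fo, int impersonating, const char name[SRC_LEN],
              const char *expected) {
    if (!fo || !impersonating || !source_matches(name, expected)) return 0;
    if (find(fo) >= 0) return 1;
    int i = find(NULL);
    if (i < 0) return -1;
    tracked[i] = fo;
    return 1;
}

/* Any other IRP on the same file object: table lookup only. */
int is_remote(const void *fo) { return fo != NULL && find(fo) >= 0; }

/* IRP_MJ_CLOSE: drop the entry; FILE_OBJECT addresses are reused, so a stale
 * entry would mislabel a later local open. */
void on_close(const void *fo) {
    int i = fo ? find(fo) : -1;
    if (i >= 0) tracked[i] = NULL;
}
```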

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com]On Behalf Of Centis Biks
Sent: Tuesday, March 01, 2005 10:35 AM
To: Windows File Systems Devs Interest List
Subject: RE: [ntfsd] How to distinguish an IRP from SVR.sys?

-Any- response? That’s looking for trouble…

Try FILE_REMOTE_DEVICE in DeviceObject->Characteristics.
