How to find the Caller in Windows 2000?

For example, when Notepad.exe opens a TEST.TXT file, Notepad.exe is the “Caller”.

I am using ZwQueryInformationProcess() with the ProcessImageFileName option to retrieve the Caller successfully on XP and above, but not in Windows 2000,
because ZwQueryInformationProcess() is only available on XP or above.

…under a minifilter driver, how do I find the Caller in Windows 2000?

Any help or reference will be appreciated :o)

From this link, which works on XP and above but not in Windows 2000:
http://www.osronline.com/article.cfm?article=472

I did come across PsSetLoadImageNotifyRoutine() via:
http://www.osronline.com/showThread.CFM?link=115084

However, in the notify routine, FullImageName only refers to the image being loaded;
when Notepad.exe is opening TEST.TXT, Notepad.exe (the Caller) may be scanned by an antivirus
such as:

\Device\HarddiskVolume2\Program Files\Microsoft Security Client\MsMpEng.exe

In Windows 2000, how do I possibly know or trap the right Caller (in this case Notepad.exe)
that is opening TEST.TXT, since other .exe files may be loaded and notified as well?

You can achieve this by keeping track of the process ID and the image
name being loaded by that process using the
PsSetLoadImageNotifyRoutine(). You can use the
PsSetCreateProcessNotifyRoutine() to know when processes are created and
destroyed.

Using this information in combination with getting the process ID in the
pre-create callback you can match them and know which process is opening
a given file.

Pete

On 4/3/2013 3:24 AM, xxxxx@yahoo.com wrote:



NTFSD is sponsored by OSR

OSR is hiring!! Info at http://www.osr.com/careers

For our schedule of debugging and file system seminars visit:
http://www.osr.com/seminars

To unsubscribe, visit the List Server section of OSR Online at http://www.osronline.com/page.cfm?name=ListServer


Kernel Drivers
Windows File System and Device Driver Consulting
www.KernelDrivers.com
866.263.9295
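To make the bookkeeping Pete describes concrete, here is an added user-mode model in C; it is not code from this thread, from OSR or from KernelDrivers. The two callback shapes mirror the documented PsSetCreateProcessNotifyRoutine (ParentId, ProcessId, Create) and PsSetLoadImageNotifyRoutine (FullImageName, ProcessId, ImageInfo) parameters, and the lookup stands where a minifilter's IRP_MJ_CREATE pre-operation callback would call PsGetCurrentProcessId(). The function names, the fixed-size table, the rule that the first image recorded for a PID is its main executable, and the notification sequence in main() are my own assumptions; the image paths are constructed sample values.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical PID -> main-executable table. A real driver would keep this
 * in non-paged pool under a spin lock and key it by HANDLE; a fixed array
 * and unsigned long stand in so the logic compiles and runs anywhere. */
#define MAX_TRACKED   64
#define MAX_IMAGE_LEN 260

typedef struct {
    bool          in_use;
    unsigned long pid;
    char          image[MAX_IMAGE_LEN]; /* empty until the EXE load is seen */
} tracked_process;

static tracked_process g_table[MAX_TRACKED];

/* Forget everything (driver unload, or a fresh run). */
void tracker_reset(void)
{
    memset(g_table, 0, sizeof g_table);
}

static tracked_process *tracker_find(unsigned long pid)
{
    for (size_t i = 0; i < MAX_TRACKED; i++)
        if (g_table[i].in_use && g_table[i].pid == pid)
            return &g_table[i];
    return NULL;
}

static tracked_process *tracker_alloc(unsigned long pid)
{
    tracked_process *p = tracker_find(pid);
    if (p) {                    /* PID reused without an exit notification */
        p->image[0] = '\0';
        return p;
    }
    for (size_t i = 0; i < MAX_TRACKED; i++)
        if (!g_table[i].in_use) {
            g_table[i].in_use = true;
            g_table[i].pid = pid;
            g_table[i].image[0] = '\0';
            return &g_table[i];
        }
    return NULL;                /* table full: the caller stays unknown */
}

/* Models the create-process notify callback. On create, reserve a slot; on
 * exit, free it so a later process that reuses the PID cannot inherit the
 * old image name. */
void on_process_notify(unsigned long parent_pid, unsigned long pid, bool create)
{
    (void)parent_pid;           /* not needed for this lookup */
    if (create) {
        tracker_alloc(pid);
    } else {
        tracked_process *p = tracker_find(pid);
        if (p)
            memset(p, 0, sizeof *p);
    }
}

/* Models the load-image notify callback. ProcessId names the process the
 * image is mapped INTO, so a DLL, or an AV engine's own executable, is never
 * attributed to Notepad's PID. The first image recorded for a PID is taken
 * as its main executable; later loads (ntdll.dll, kernel32.dll, ...) are
 * ignored. ProcessId 0 means a driver image with no owning process. */
void on_image_load(const char *full_image_name, unsigned long pid)
{
    if (pid == 0)
        return;
    tracked_process *p = tracker_find(pid);
    if (!p)                     /* no create seen (driver loaded late) */
        p = tracker_alloc(pid);
    if (!p || p->image[0] != '\0')
        return;
    strncpy(p->image, full_image_name, MAX_IMAGE_LEN - 1);
    p->image[MAX_IMAGE_LEN - 1] = '\0';
}

/* Models the lookup in the pre-create callback. NULL means "cannot
 * attribute", which the filter must not confuse with "trusted". */
const char *caller_image_for(unsigned long pid)
{
    tracked_process *p = tracker_find(pid);
    return (p && p->image[0] != '\0') ? p->image : NULL;
}

int main(void)
{
    /* Constructed notification sequence, not captured from a real system. */
    tracker_reset();
    on_process_notify(4, 900, true);
    on_image_load("\\Device\\HarddiskVolume2\\Program Files\\Microsoft Security Client\\MsMpEng.exe", 900);
    on_process_notify(500, 1234, true);
    on_image_load("\\Device\\HarddiskVolume2\\WINNT\\notepad.exe", 1234);
    on_image_load("\\Device\\HarddiskVolume2\\WINNT\\system32\\ntdll.dll", 1234);

    const char *who = caller_image_for(1234); /* what pre-create would see */
    printf("TEST.TXT opened by: %s\n", who ? who : "(unknown)");
    return 0;
}
```

Two details carry the weight here: the load-image ProcessId identifies the process the image is mapped into, so the antivirus engine scanning notepad.exe from its own process never lands on Notepad's PID, and freeing the slot on process exit keeps a recycled PID from inheriting a stale name. As Don and joe note below, the name this yields is useful for attribution and logging, not as an access-control decision on its own.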

Pete has given you the answer, but step back and answer the question: what
are you trying to do with this? There has been a lot of discussion on
this list about using this information, and the mistakes people make if
they are trying to use this as a security check. So step back and let
us know why.

Don Burn
Windows Filesystem and Driver Consulting
Website: http://www.windrvr.com
Blog: http://msmvps.com/blogs/WinDrvr

“xxxxx@KernelDrivers.com” wrote in message
news:xxxxx@ntfsd:


Pete, thanks for the useful tricks; I will implement them on Windows 2000.

Don, I am using it so that only a dedicated host is granted the right to open
certain document extensions.

From your statement,
“mistakes people make if they are trying to use this as a security check…”
may I know what kind of mistake that is? Any link or reference will do :o)

The problem with trying this as a “security” mechanism is how accurately
you validate the caller. I can think of several ways to bypass the
trivial techniques, and give you scenarios where more elaborate mechanisms
fail to allow legitimate users to access it. Why does a device even
/need/ protection-by-hack when there is a documented, supported
protection-by-ACL mechanism already in place?

I used to be active in another newsgroup, where, on a weekly basis,
somebody would present a p-baked idea (p==0.5 is half-baked) for p
typically < 0.1 and sometimes less than 0.05. So my first reaction when
someone proposes some “security” mechanism is that the chances its
design is deeply flawed tend to be arbitrarily close to 1.0. The “I only
want this device accessed by program X” seems to be one of the common
designs. With more than 20 years of Windows experience, I cannot figure
out how to write such a filter driver, because every scheme based on
program name is trivial to defeat or too restrictive to work correctly in
real environments.

There ARE reliable techniques; a secure-key-exchange mechanism initiated
by the app can work, but you need to understand some cryptography to
understand how to do this right. But any question that starts “How can I
get the caller…” can only end badly. Perhaps it is because I used to
teach courses on how to crack Windows, to DoD security types, that I
understand all the ways these low-p designs can fail. I would suggest
either using ACLs or using a suitably powerful cryptographic key exchange.
The best key exchange would be implemented by putting the secure key in
the device itself.

Knowing the caller is not only irrelevant, it is a broken idea from the
start.
joe
