In my WFP driver, I register a callout for the FWPM_LAYER_ALE_AUTH_CONNECT_V4 layer.
Now in my callout, in case the process that made the connection was svchost, I want to extract the SID of the service, or the service name (the goal is to find the service name in the end, using the service's SID or not). This is because a single svchost process can have multiple services, and I want to know which service caused this connection. I am accessing the token similar to below:
token = (PTOKEN_ACCESS_INFORMATION)inFixedValues->incomingValue[FWPS_FIELD_ALE_AUTH_CONNECT_V4_ALE_USER_ID].value.tokenAccessInformation->data;
originalSid = token->SidHash->SidAttr->Sid;   // SidAttr[0], the first SID of the SidHash array
...
UNICODE_STRING sidString;
status = RtlConvertSidToUnicodeString(&sidString, originalSid, TRUE);
I tried to extract the SID from FWPS_FIELD_ALE_AUTH_CONNECT_V4_ALE_USER_ID using RtlConvertSidToUnicodeString, hoping it would be the service's SID, but it gives me the user's SID instead.
So my question is: in my callout or afterwards, in case an svchost process makes a connection, how can I find its corresponding service name?
The Windows Firewall, which is WFP-based, seems to be able to get the service name of a connection, because you can have service-based rules in the firewall.
And some open-source projects have user-mode code similar to below:
public ServiceNameFilterCondition(string serviceName)
    : base(ConditionKeys.FWPM_CONDITION_ALE_USER_ID, FieldMatchType.FWP_MATCH_EQUAL, $"O:SYG:SYD:(A;;CCRC;;;{GetServiceSidFromName(serviceName)})")
{
}
So it seems like they are assuming ALE_USER_ID should contain the service SID?
For example: GitHub - pylorak/TinyWall: TinyWall is a free, non-intrusive, secure-by-default firewall for Windows.
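Added example (not part of the post above, and not TinyWall's or the poster's code): a user-mode Python illustration of what a `GetServiceSidFromName`-style helper computes, the SDDL condition string the TinyWall snippet builds from it, and how the SIDs in a token's `SidHash->SidAttr` array would be matched back to service names. Windows derives an `NT SERVICE\<name>` SID as `S-1-5-80-` followed by the five little-endian DWORDs of the SHA-1 of the upper-cased, UTF-16LE-encoded service name. The `services_in_token` function assumes that entry 0 of the array is the user SID (which is why reading `SidAttr->Sid` once returns the user's SID) and that the entries after it are the token's groups, where a service SID appears when the service has one; `DemoSvc`, `OtherSvc` and the sample token array are constructed for the example.

```python
"""Service SID derivation and token-group matching (added example, not the
original poster's driver code and not TinyWall's code)."""
import hashlib
import struct

# Token group attribute bits as defined in winnt.h.
SE_GROUP_ENABLED = 0x00000004
SE_GROUP_OWNER = 0x00000008
SE_GROUP_LOGON_ID = 0xC0000000

SERVICE_SID_PREFIX = "S-1-5-80-"   # base of every NT SERVICE\* SID


def service_sid_from_name(service_name: str) -> str:
    """Return the SID of NT SERVICE\\<service_name>.

    The derivation is deterministic: SHA-1 over the upper-cased service name
    encoded as UTF-16LE, with the 20-byte digest read as five little-endian
    32-bit sub-authorities appended to S-1-5-80.
    """
    digest = hashlib.sha1(service_name.upper().encode("utf-16-le")).digest()
    sub_authorities = struct.unpack("<5I", digest)
    return SERVICE_SID_PREFIX + "-".join(str(s) for s in sub_authorities)


def service_sddl_condition(service_name: str) -> str:
    """Build the SDDL string the TinyWall-style condition passes for
    FWPM_CONDITION_ALE_USER_ID: owner SYSTEM, group SYSTEM, and one allow ACE
    (CC|RC) for the service SID. The filter engine evaluates such a condition
    as an access check of the connecting token against this descriptor."""
    return "O:SYG:SYD:(A;;CCRC;;;%s)" % service_sid_from_name(service_name)


def is_service_sid(sid: str) -> bool:
    """True for S-1-5-80-<five numeric sub-authorities>, i.e. a service SID."""
    if not sid.startswith(SERVICE_SID_PREFIX):
        return False
    tail = sid[len(SERVICE_SID_PREFIX):].split("-")
    return len(tail) == 5 and all(t.isdigit() for t in tail)


def services_in_token(sid_attrs, known_services):
    """Map service SIDs found among a token's groups back to service names.

    sid_attrs mirrors TOKEN_ACCESS_INFORMATION->SidHash->SidAttr as a list of
    (sid_string, attributes) tuples. Assumption: entry 0 is the user SID and
    the following entries are the token's groups, one of which is the service
    SID when the service has one. Only enabled groups are considered.
    """
    sid_to_name = {service_sid_from_name(n): n for n in known_services}
    matches = []
    for sid, attributes in sid_attrs[1:]:          # skip SidAttr[0], the user SID
        if not (attributes & SE_GROUP_ENABLED):
            continue
        if is_service_sid(sid) and sid in sid_to_name:
            matches.append(sid_to_name[sid])
    return matches


# Constructed sample: a token as a shared svchost might carry it when it hosts a
# hypothetical service "DemoSvc" that has a service SID. "DemoSvc" and
# "OtherSvc" are made-up names; the remaining SIDs are well-known ones, and the
# logon SID value is made up.
SAMPLE_TOKEN_SIDS = [
    ("S-1-5-20", 0),                                            # user: NETWORK SERVICE
    ("S-1-1-0", SE_GROUP_ENABLED),                              # Everyone
    ("S-1-5-6", SE_GROUP_ENABLED),                              # SERVICE
    (service_sid_from_name("DemoSvc"), SE_GROUP_ENABLED | SE_GROUP_OWNER),
    ("S-1-5-5-0-12345", SE_GROUP_LOGON_ID | SE_GROUP_ENABLED),  # logon session
]
KNOWN_SERVICES = ["DemoSvc", "OtherSvc"]

if __name__ == "__main__":
    print(service_sid_from_name("TrustedInstaller"))
    print(service_sddl_condition("DemoSvc"))
    print(services_in_token(SAMPLE_TOKEN_SIDS, KNOWN_SERVICES))
```

The matching only works for services whose service SID actually ends up in the process token, that is, services registered with a service SID type of Unrestricted or Restricted (`sc sidtype <name> unrestricted`, the ServiceSidType registry value); a service left at the default of None contributes nothing to a shared svchost's token, and the token then only identifies the account the host runs as. In a kernel callout the same walk is done over `token->SidHash->SidAttr[i].Sid` and `.Attributes` for `i` in `0..SidHash->SidCount`, comparing against service SIDs precomputed in the same way.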