IOCTL

I want to find out whether an IOCTL sent to me was actually sent by my
controller program or not.

How do I do it?

First, to send an IOCTL your program must open your driver’s device object; check this while processing IRP_MJ_CREATE.
Second, IOCTLs are sent in the context of the caller (but upper filters may pend the IOCTL request), and if the FO used to send the IOCTL was opened as synchronous you can use IoGetRequestorProcess() to get the caller’s process.
“Bedanto” wrote in message news:xxxxx@ntfsd…
I want to find out whether an IOCTL sent to me was actually sent by my controller program or not.

How do I do it?

> First, to send an IOCTL your program must open your driver’s device object;
> check this while processing IRP_MJ_CREATE.

How do I know that? If my controller app is called abc.exe, there could be
another abc.exe running that can open the driver too?

> Second, IOCTLs are sent in the context of the caller (but upper filters may
> pend the IOCTL request), and if the FO used to send the IOCTL was opened as synchronous
> you can use IoGetRequestorProcess() to get the caller’s process.

Same issue here. I need a way to know whether the process with, say, PID n
that is sending me the IOCTL is actually the controller application I wrote.

I suggest you read about communications through an insecure channel.
“Bedanto” wrote in message news:xxxxx@ntfsd…
> First, to send an IOCTL your program must open your driver’s device object; check this while processing IRP_MJ_CREATE.

How do I know that? If my controller app is called abc.exe, there could be another abc.exe running that can open the driver too?

> Second, IOCTLs are sent in the context of the caller (but upper filters may pend the IOCTL request), and if the FO used to send the IOCTL was opened as synchronous you can use IoGetRequestorProcess() to get the caller’s process.

Same issue here. I need a way to know whether the process with, say, PID n that is sending me the IOCTL is actually the controller application I wrote.

Bedanto,

First, if you're looking for 100% security you're day-dreaming. There is no such thing, so learn to live with it.

“If my controller app is called abc.exe, there could be another abc.exe running that can open the driver too?” - When your abc.exe starts, have it send its PID to the driver. After that, fail anything else that tries to send an IOCTL to your driver.

“I need a way to know whether the process with, say, PID n sending me the IOCTL is actually the controller application I wrote.” - You can authenticate to a degree here: app’s hash + system time = blahhhhh, and then in the driver perform the same calculation and look for a match (the driver should know the original exe hash). There are a ton of things you can do, just remember, nothing is secure. Security is an illusion companies sell.

m.

> Same issue here. I need a way to know whether the process with, say, PID n
> sending me the IOCTL is actually the controller application I wrote.

Create a separate special user account with the sole purpose of running your
controller app. Run it as a service under this user.

Check for the user SID in the MJ_CREATE path of your driver.

Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
xxxxx@storagecraft.com
http://www.storagecraft.com

Hello Maxim, Matt and others,

“First, if you're looking for 100% security you're day-dreaming. There is no
such thing, so learn to live with it.”

No, I am looking for a decent enough solution.

“When your abc.exe starts, have it send its PID to the driver. After that,
fail anything else that tries to send an IOCTL to your driver.”

This won't help; what if some other abc.exe starts before the original one?

“You can authenticate to a degree here: app’s hash + system time = blahhhhh,
and then in the driver perform the same calculation and look for a match (the
driver should know the original exe hash).”

How do I find the hash of a process in kernel mode? Do I have to port some of the
user-land freeware open source libraries or write my own? Or does Microsoft
provide some support libraries in the kernel for this?

“There are a ton of things you can do”

Like what? Can you give me some other examples also?

Maxim,

“Create a separate special user account with the sole purpose of running your
controller app. Run it as a service under this user.”

Can you elaborate a bit more on this please? I am a newbie and don't know
how to go about it.

“When your abc.exe starts, have it send its PID to the driver”

No Matt, this is not too good either; what if the spurious app starts before
the original one?

Matt probably thought of a dedicated IOCTL to send the PID to your driver.
The offending app would need to know about this.
Else

amitr0 wrote on 07/13/2006 01:03 PM (Re: [ntfsd] IOCTL):

“When your abc.exe starts, have it send its PID to the driver”

No Matt, this is not too good either; what if the spurious app starts
before the original one?

“When your abc.exe starts, have it send its PID to the driver. After that, fail anything else that tries to send an IOCTL to your driver.”

“This won't help; what if some other abc.exe starts before the original one?”

  • irrelevant if some sort of authentication is used.

“You can authenticate to a degree here: app’s hash + system time = blahhhhh, and then in the driver perform the same calculation and look for a match (the driver should know the original exe hash).”

“How do I find the hash of a process in kernel mode? Do I have to port some of the user-land freeware open source libraries or write my own? Or does Microsoft provide some support libraries in the kernel for this?” - You don’t necessarily have to actually hash; actually, I was kinda thinking of some sort of PKI exchange between user and kernel land. Nonetheless, your own crypto routines spread between user and kernel land would be a nasty bugger to debug/disassemble. Thus, you gain a little security there.

Regarding hashing in kernel land, there is no documented way. There is one library in the kernel that does perform crypto routines, but MS hasn’t documented it - and highly recommends you don’t use it. On the brighter side, hashing a file in kernel land isn’t that hard; most open source code can easily be converted in a short time.

“There are a ton of things you can do”

“Like what? Can you give me some other examples also?” - You could do anything from a lame password sent to the driver to some sort of logical challenge (a formula based on some random system variable).

“Create a separate special user account with the sole purpose of running your
controller app. Run it as a service under this user.” - If you do this using InstallShield or Wise, I’d love to decompile your install package and get those scripts if you do this wrong; that is, if I liked your software and was an evil keygen writer.

m.

“your own crypto routines spread between user and kernel land would be a
nasty bugger to debug/disassemble”

…and it would be a nasty thing to write your own security lib too (this
is not my line, but that of a well known security expert).

How do I tell my driver the SID of the user account I have created? Is there
an API in kernel mode to find out the SID of any account?

“Bedanto” wrote in message news:xxxxx@ntfsd…
> How do I tell my driver the SID of the user account I have created? Is
> there an API in kernel mode to find out the SID of any account?

IIRC, there is in recent releases of XP/2003 such a kernel mode API.
However, you shouldn’t count on it being there. In kernel mode, you
generally deal only with SIDs – names are a user-space concept. In user
space, the LookupAccountName and LookupAccountSid functions handle the
mapping of user names to SIDs.

Here’s a couple of ideas on how to pass the SID to your driver:

1. Have a service kick off on system startup; it calls LookupAccountName,
passing the name of the user account you created. LookupAccountName should
return the SID of this account; you then send the SID down to your driver
via an IOCTL.

2. During installation of your driver, create the user account. Save the
user account’s SID in the registry somewhere where your driver can reach it
(e.g. HKLM\System\CurrentControlSet\Services\<your driver>\Parameters).
Then when your driver starts up, it can read the SID from the registry.

Note that each of these approaches would need extra security steps to
protect against unauthorized changes. I leave those as an exercise for the
reader :-)
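To show what Maxim's "check for the user SID in MJ_CREATE" and option 2 above (a SID stored under the driver's Parameters key) look like in practice, here is an added example; it is not code from the thread or from any poster's driver. Only the portable part is real C: it parses the text SID an installer would write into the registry into the binary layout Windows uses, and compares two SIDs with the same rule RtlEqualSid applies. The kernel calls that would surround it (ZwOpenKey/ZwQueryValueKey to read the value, the caller's token from the create IRP's Parameters.Create.SecurityContext and SeQueryInformationToken(TokenUser) for the caller's SID, RtlEqualSid for the compare) are named in the comments but not called, so the file builds with any C compiler. The SIDs used are constructed sample values, not real accounts.

```c
/*
 * Added example, not from the thread: the policy half of "allow the open only
 * if the caller's user SID is the controller account's SID". Plain C so it
 * builds anywhere; the kernel-specific calls are named in comments only.
 */
#include <stdint.h>
#include <stdbool.h>
#include <string.h>
#include <stdlib.h>
#include <ctype.h>
#include <errno.h>
#include <stdio.h>

#define SID_MAX_SUB_AUTHORITIES 15   /* same limit as the Windows SID format */

/* Binary layout of a Windows SID (same fields as the SID struct in ntifs.h). */
typedef struct {
    uint8_t  Revision;
    uint8_t  SubAuthorityCount;
    uint8_t  IdentifierAuthority[6];      /* 48-bit value, big-endian */
    uint32_t SubAuthority[SID_MAX_SUB_AUTHORITIES];
} sid_t;

/* Parse "S-1-5-21-a-b-c-rid" (the form an installer would store in
 * ...\Services\<driver>\Parameters) into *out. Any malformed, truncated or
 * tampered value returns false, so the driver fails closed. */
bool parse_string_sid(const char *s, sid_t *out)
{
    char *end;
    memset(out, 0, sizeof(*out));
    if (!s || (s[0] != 'S' && s[0] != 's') || s[1] != '-') return false;
    s += 2;

    /* revision: Windows defines only revision 1 */
    if (!isdigit((unsigned char)*s)) return false;
    errno = 0;
    unsigned long rev = strtoul(s, &end, 10);
    if (end == s || errno || rev != 1 || *end != '-') return false;
    out->Revision = (uint8_t)rev;
    s = end + 1;

    /* identifier authority: decimal, or 0x-hex when it does not fit 32 bits */
    if (!isdigit((unsigned char)*s)) return false;
    errno = 0;
    unsigned long long ia = strtoull(s, &end, 0);
    if (end == s || errno || ia > 0xFFFFFFFFFFFFULL) return false;
    for (int i = 5; i >= 0; i--) { out->IdentifierAuthority[i] = ia & 0xff; ia >>= 8; }
    s = end;

    /* sub-authorities: at most 15; at least one, since no account SID has none */
    while (*s == '-') {
        if (out->SubAuthorityCount == SID_MAX_SUB_AUTHORITIES) return false;
        s++;
        if (!isdigit((unsigned char)*s)) return false;
        errno = 0;
        unsigned long long sub = strtoull(s, &end, 10);
        if (end == s || errno || sub > 0xFFFFFFFFULL) return false;
        out->SubAuthority[out->SubAuthorityCount++] = (uint32_t)sub;
        s = end;
    }
    return *s == '\0' && out->SubAuthorityCount > 0;
}

/* Same rule as RtlEqualSid: revision, count, authority and every
 * sub-authority must match (a prefix match would accept other RIDs). */
bool sid_equal(const sid_t *a, const sid_t *b)
{
    if (a->Revision != b->Revision || a->SubAuthorityCount != b->SubAuthorityCount)
        return false;
    if (memcmp(a->IdentifierAuthority, b->IdentifierAuthority, 6) != 0)
        return false;
    return memcmp(a->SubAuthority, b->SubAuthority,
                  a->SubAuthorityCount * sizeof(uint32_t)) == 0;
}

/* The decision made in IRP_MJ_CREATE. In a driver, configured_sid is the
 * Parameters value read with ZwQueryValueKey and caller is the TokenUser SID
 * of the token in Parameters.Create.SecurityContext. A false result becomes
 * STATUS_ACCESS_DENIED; a true one is recorded on the FILE_OBJECT so that
 * IRP_MJ_DEVICE_CONTROL only has to check that mark. */
bool create_allowed(const char *configured_sid, const sid_t *caller)
{
    sid_t allowed;
    if (!parse_string_sid(configured_sid, &allowed))
        return false;   /* missing or corrupt configuration: deny everyone */
    return sid_equal(&allowed, caller);
}

int main(void)
{
    /* constructed sample values, not real accounts */
    const char *configured = "S-1-5-21-1234567890-987654321-111111111-1001";
    sid_t caller;
    parse_string_sid("S-1-5-21-1234567890-987654321-111111111-1002", &caller);
    printf("open by RID 1002: %s\n", create_allowed(configured, &caller) ? "allowed" : "denied");
    return 0;
}
```

Doing the check at create time rather than per IOCTL is what makes the "upper filter may pend the request" caveat from earlier in the thread harmless: the verdict is bound to the file object when the caller's own thread opens the device, and later IRP_MJ_DEVICE_CONTROL requests only look at that mark. What this proves is the account, not the program: anything that runs under the controller's account passes, so the account's credentials and the ACL on the Parameters key are the real protection, which is exactly the "extra security steps" the answer above leaves to the reader.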

“I leave those as an exercise for the
reader :-)”

…er…the reader in this case is also ME, a novice at this, so I would be
grateful if you could elaborate; personal mails are welcome too. Hope Bedanto
is in a better position than me to exercise :-)