is process still alive?

Hi,
Can someone help me figure out if a process is still active and running?
I maintain a particular process ID list in my driver and would like to check their status frequently.

Can I use the return value of PsLookupProcessByProcessId for this purpose?

Thanks!

PIDs can be quickly recycled, so no, you can’t periodically poll for them. Why do you need to keep a list?

d

debt from my phone


From: xxxxx@yahoo.com
Sent: 12/27/2011 3:46 PM
To: Windows System Software Devs Interest List
Subject: [ntdev] is process still alive?

NTDEV is sponsored by OSR

For our schedule of WDF, WDM, debugging and other seminars visit:
http://www.osr.com/seminars

To unsubscribe, visit the List Server section of OSR Online at http://www.osronline.com/page.cfm?name=ListServer

I am writing a filter driver to control access to a particular PnP device. The driver stores the process IDs that want to access the device, stores the pending IRPs, then asks the user for a password (via the client GUI) and either blocks or allows the stream.

Each IRP is checked against the process list and is either just passed to the next driver or completed with ACCESS_DENIED. So I need a process list in the driver rather than asking the GUI for each IRP going through.

Take a look at the Windows Filtering Platform, assuming your real task is to produce a filter that blocks incoming or outgoing streams.

Gary Little
H (952) 223-1349
C (952) 454-4629
xxxxx@comcast.net

On Dec 27, 2011, at 6:31 PM, xxxxx@yahoo.com wrote:


Brilliant idea!
A better idea would be to take a look at the whole MSDN. I am sure all answers are in it.

Very helpful. Thanks.

WFP only works for networking streams. For local apps, store the PEPROCESS in your list, not the PID itself. You can then get the requesting process for an I/O via IoGetRequestorProcess, http://msdn.microsoft.com/en-us/library/windows/hardware/ff548385(v=vs.85).aspx. Note that for storage and some other stacks, you may not be high enough in the stack to see the requesting process.

d

debt from my phone


From: xxxxx@yahoo.com
Sent: 12/27/2011 5:07 PM
To: Windows System Software Devs Interest List
Subject: RE:[ntdev] is process still alive?


It won’t be a storage device for sure. It is basically a special 3D scanner that needs to work with only a certain piece of software.
Thank you Doron. PEPROCESS it is!

Sorry for hijacking your post, Arif.

> Note that for storage and some other stacks, you may not be high enough in the stack to see the requesting process.

Doron, in the storage stack, is there a place where a filter can see the requesting process? An FS minifilter? Thank you.

Yes, I think the FS minifilter is where you get visibility to the calling process.

-----Original Message-----
From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com] On Behalf Of xxxxx@gmail.com
Sent: Tuesday, December 27, 2011 6:45 PM
To: Windows System Software Devs Interest List
Subject: RE:[ntdev] is process still alive?


When someone says “I have a way to protect X against Y” my first response
is to try to come up with several ways of cracking that protection.
Knowing what “process” is involved seems to me to be really a ridiculously
simplistic approach that could be cracked trivially.

A more secure mechanism would be to let any process open the device, but
require a challenge-response (using a DeviceIoControl) to enable activity.
If the challenge-response is met, you let things go through; if not,
every attempt to use the device is refused with an error indication.
Challenge-response algorithms are well-understood technology.

Exactly how knowing what “process” is in use is not very informative;
something useful must be known about that process, and whatever it is, I
can probably fake it easily. But then, I’ve been thinking about computer
security issues for decades. I started working in computer security in
1975.

The whole idea of somehow magically detecting that the “process” is valid
seems deeply flawed.
joe


Unless your challenge-response mechanism is set at IRP level (which would be really, really expensive), you are wrong. We are talking about loose IRP packets subject to manipulation anywhere in the stack. I can easily mimic a process’ IRPs after authentication and put it back to its original state (I mean changing its owner) somewhere in the stack close to user.

At that point you are a driver in the stack with full trust, and an admin needed to have installed it; manipulating the process information in the IRP is the minimum you can do to be nasty, there are a lot worse things that are possible. Does that mean his scheme is foolproof? No, it isn’t. It does provide a barrier to entry though.

d

debt from my phone


From: xxxxx@yahoo.com
Sent: 12/27/2011 8:28 PM
To: Windows System Software Devs Interest List
Subject: RE:[ntdev] is process still alive?


I still believe identifying a particular process is smarter than requiring every related user app to provide some sort of authentication to the driver.
Identifying a process can vary from strcmp of the image path name to hashing the whole image. It doesn’t have to be trivial.

Security by image name is way less secure than what he proposes.

d

debt from my phone


From: xxxxx@yahoo.com
Sent: 12/27/2011 9:07 PM
To: Windows System Software Devs Interest List
Subject: RE:[ntdev] is process still alive?


Oh, my intention was to give a bad example with a good one (hashing).

Sent from my iPhone

On Dec 28, 2011, at 12:31 AM, Doron Holan wrote:

> Security by image name is way less secure than what he proposes
>
> d
>
> debt from my phone
> From: xxxxx@yahoo.com
> Sent: 12/27/2011 9:07 PM
> To: Windows System Software Devs Interest List
> Subject: RE:[ntdev] is process still alive?

When you get the CREATE IRP, validate the process (EPROCESS) and do ObReferenceObject on it. When you get IO requests on that handle, check if the current EPROCESS is equal to the saved one. When you get the CLOSE IRP, dereference the process (ObDereferenceObject).
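A user-mode C model of the scheme the thread converges on (reference the opener's process object at CREATE, compare it against the requestor of every later I/O, dereference at CLOSE), added here as an example and not code from any poster. The kernel pieces are replaced by hypothetical stand-ins so it compiles anywhere: `process_t` for EPROCESS, `file_context_t` for the driver's FsContext, `irp_t` for the IRP, and `refcount++`/`--` for ObReferenceObject/ObDereferenceObject; the scenario shows why object identity rather than the PID is what gets compared.

```c
/* Added example, not from the thread: user-mode model of "reference the opener's
 * EPROCESS at CREATE, compare it on every I/O, dereference at CLOSE". process_t,
 * file_context_t and irp_t are hypothetical stand-ins for EPROCESS, the driver's
 * FsContext and the IRP; refcount++/-- stands in for ObReference/DereferenceObject. */
#include <stddef.h>
#include <stdint.h>
#define STATUS_SUCCESS        0
#define STATUS_ACCESS_DENIED  (-1)

typedef struct process { uint32_t pid; long refcount; } process_t;   /* EPROCESS */
typedef struct file_context { process_t *owner; } file_context_t;    /* FsContext */
typedef struct irp {
    uint32_t   pid;        /* what a PID-based check would compare */
    process_t *requestor;  /* what IoGetRequestorProcess would return */
} irp_t;
/* IRP_MJ_CREATE: remember the opening process and keep it referenced. */
int on_create(file_context_t *ctx, process_t *opener) {
    opener->refcount++;    /* ObReferenceObject */
    ctx->owner = opener;
    return STATUS_SUCCESS;
}
/* Later I/O: the process object the handle was opened by must be the requestor. */
int on_io_by_object(const file_context_t *ctx, const irp_t *irp) {
    return irp->requestor == ctx->owner ? STATUS_SUCCESS : STATUS_ACCESS_DENIED;
}
/* The weaker check the thread warns against: compare PIDs only. */
int on_io_by_pid(const file_context_t *ctx, const irp_t *irp) {
    return irp->pid == ctx->owner->pid ? STATUS_SUCCESS : STATUS_ACCESS_DENIED;
}
/* IRP_MJ_CLOSE: drop the reference taken at CREATE; returns the remaining count. */
long on_close(file_context_t *ctx) {
    long left = --ctx->owner->refcount;  /* ObDereferenceObject */
    ctx->owner = NULL;
    return left;
}
/* Scenario: A (pid 100) opens the device, exits, and pid 100 is recycled by B.
 * Our reference kept A's object alive, so B's object is a different pointer. */
int pid_recycle_scenario(int use_object_identity) {
    process_t a = { 100, 1 }, b = { 100, 1 };
    file_context_t ctx = { NULL };
    irp_t from_b = { 100, &b };
    int st;
    on_create(&ctx, &a);
    a.refcount--;                        /* A terminates; our reference remains */
    st = use_object_identity ? on_io_by_object(&ctx, &from_b)
                             : on_io_by_pid(&ctx, &from_b);
    on_close(&ctx);                      /* now A's object can really go away */
    return st;                           /* object check denies, PID check allows */
}
```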

Hi Arif,

As Doron said, polling the process object via PsLookupProcessByProcessId is not
reliable.

> Can someone help me figure out if a process is still active and running?
>
> I maintain a particular process ID list in my driver and would like to check
> their status frequently.

Why not create a system thread and make it do the dirty job of waiting on
multiple process objects + a control event?

If a process terminates, it will be signalled…

Whenever you need to add a new process to the list, you can signal the
control event and, after adding the new process to your list, your thread can
start waiting again.

Hope it helps…

Emre

On Wed, Dec 28, 2011 at 1:45 AM, wrote:


Emre, thanks for the idea. I will have a look at it.
And thanks everybody.
This site rocks. I learned a lot.

Arif