Issue Blocking Image Load of Executables

Hi All,

I have a minifilter driver and an application which basically monitors the loading of applications and allows the user to block or allow them to run.

In my minifilter I have a pre-op callback for IRP_MJ_ACQUIRE_FOR_SECTION_SYNCHRONIZATION, and it returns STATUS_ACCESS_DENIED when sections are loaded with PAGE_EXECUTE permissions. The mechanism, in terms of getting the job done, seems to be working.

Back in userland however, once I block the application, let’s say for example notepad.exe, I get this Windows error dialog: “The application or DLL C:\Windows\system32\WINSPOOL.drv is not a valid Windows image. Please check this against your installation diskette.”

Is there something else that I need to be doing in my minifilter, or is this behaviour “normal” for this, and how do similar commercial products suppress these messages?

Thanks!

Best wishes,
Kelvin

Hi Kelvin,

This behaviour is expected. If you notice, the IRP_MJ_CREATE operation has succeeded; this means that the file is opened. When you fail the IRP_MJ_ACQUIRE_FOR_SECTION_SYNCHRONIZATION request which is sent from the image loader, it assumes that the image was corrupted and hence you get this error.
I had also faced this problem and so decided to do it in IRP_MJ_CREATE itself. We checked for the FILE_EXECUTE flag. However, the caller might just be a lame programmer and might set file all access (including FILE_EXECUTE). However, one thing is guaranteed: for a file to execute, it should have been opened with the FILE_EXECUTE flag. So, you might consider doing it in IRP_MJ_CREATE itself.
You can also check the archives for this problem. We had a discussion regarding this a long time back.

Regards,
Ayush Gupta


Hi Ayush,

Thanks for your reply. If you could help me dig up that thread that would be super.

If I were to do the checking in IRP_MJ_CREATE, and complete the operation there, I would assume that Windows would also display some sort of an “image does not exist” prompt.

I’m thinking: is there any way to prevent any prompts altogether?

One idea that I’m toying with is to somehow replace the original image with my own trusted image, and just let Windows load that instead. That way, Windows will think everything went as expected.

Not sure if it’s possible to replace an image, or if there’s any official or documented way of doing it. I’m trying not to get involved in hooking NtCreateFile() or NtCreateSection() as it just falls apart in Vista.

Any thoughts?

Best wishes,
Kelvin

If you return STATUS_ACCESS_DENIED, then the proper error message comes, saying “access is denied”.


Hi Ayush,

I tried to return a STATUS_ACCESS_DENIED, however I still get a lousy Windows error.

“The application failed to initialize properly (0xc0000022). Click on OK to terminate the application.”

What I did was do a:
Data->IoStatus.Status = STATUS_ACCESS_DENIED;
return FLT_PREOP_COMPLETE;

is that what you did as well?

Best wishes,
Kelvin

Did you do it for a particular DLL or an EXE? Because in the case of DLLs, the process which tried to load the DLL will cry.
But for an EXE from which a process is being launched, it should work fine.

Regards,
Ayush Gupta


> I had also faced this problem and so decided to do it in IRP_MJ_CREATE itself. We checked for
> FILE_EXECUTE flag. However, the caller might just be lame programmer

More so, the Windows shell seems to be written by these “lame programmers” and very often opens the file with FILE_EXECUTE access :)

BTW, I have doubts that you can easily extract the icon from the EXE without opening it for FILE_EXECUTE. The thing is that to use the standard resource functions to access the icon, you will need the EXE to be mapped to memory as executable image, and using SEC_IMAGE in CreateFileMapping IIRC requires FILE_EXECUTE access.


Maxim S. Shatskih
Windows DDK MVP
xxxxx@storagecraft.com
http://www.storagecraft.com

> Did you do it for a particular Dll or a EXE? Because incase of Dlls, the process
> which tried to load the Dll will cry.

I’m doing it for .EXE only so far.

What I’m doing is I actually keep track of all processes that are being created via their PID. So, in my pre-op function for Create, I’ll obtain the PID and look it up in my list. So for example, if Notepad is on my deny list, when I find a matching PID I’ll block it with an ACCESS_DENIED.

I’m not sure if that’s the best way to do it, but so far it’s doing its job.

Perhaps, if you don’t mind maybe you can share how you are doing it in your driver?

Best wishes,
Kelvin

Ayush,

Just to confirm, for your IRP_MJ_CREATE pre-op callback, you simply did a check for

if(Data->Iopb->Parameters.Create.SecurityContext->DesiredAccess & FILE_EXECUTE)

Best wishes,
Kelvin

Actually, I was hoping for some way to not even have any error prompts from Windows side. Reason being I want to just silently block the applications, and maybe do some background logging.

But we’ll see how it goes…
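Ayush’s suggestion (fail the open in IRP_MJ_CREATE when FILE_EXECUTE is requested), the check Kelvin quotes, and Maxim’s caveat (the shell itself opens executables with FILE_EXECUTE to pull icons) can be exercised with the following added example. It is not code from this thread or from any poster’s driver: it is plain C so the policy runs off-box, with the Windows access-mask and status constants copied from the SDK headers, a constructed denylist (`kDemoDenylist`), hypothetical helpers `requests_execute`, `image_denied` and `decide_precreate`, and the minifilter wiring sketched only in a comment. The last constructed open shows the false positive Maxim warns about: by DesiredAccess alone an icon-extraction open looks exactly like the loader’s.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Windows ACCESS_MASK bits, values as documented in winnt.h / ntifs.h. */
#define FILE_READ_DATA        0x00000001u
#define FILE_EXECUTE          0x00000020u
#define FILE_READ_ATTRIBUTES  0x00000080u
#define SYNCHRONIZE           0x00100000u
#define FILE_ALL_ACCESS       0x001F01FFu
#define MAXIMUM_ALLOWED       0x02000000u
#define GENERIC_ALL           0x10000000u
#define GENERIC_EXECUTE       0x20000000u

/* NTSTATUS values discussed in the thread. */
#define STATUS_SUCCESS        0x00000000u
#define STATUS_ACCESS_DENIED  0xC0000022u   /* the 0xc0000022 in Kelvin's dialog */

typedef uint32_t ACCESS_MASK;
typedef uint32_t NTSTATUS;

/* Constructed denylist for the demo; a real driver would receive it from its user-mode app. */
const char *const kDemoDenylist[] = { "notepad.exe" };
const size_t kDemoDenylistLen = sizeof kDemoDenylist / sizeof kDemoDenylist[0];

/* True when the open could end up with execute rights on the file. The explicit
 * FILE_EXECUTE bit is the one Ayush checks; GENERIC_EXECUTE, GENERIC_ALL and
 * MAXIMUM_ALLOWED are treated the same way here (a conservative choice of this
 * example), because each resolves to FILE_EXECUTE once generic rights are mapped,
 * which is the "caller asks for all access" case from the thread. */
bool requests_execute(ACCESS_MASK desired)
{
    const ACCESS_MASK exec_bits = FILE_EXECUTE | GENERIC_EXECUTE | GENERIC_ALL | MAXIMUM_ALLOWED;
    return (desired & exec_bits) != 0;
}

/* Case-insensitive comparison; NTFS names are case-preserving, not case-sensitive. */
static bool name_equals_ci(const char *a, const char *b)
{
    for (; *a != '\0' && *b != '\0'; a++, b++) {
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return false;
    }
    return *a == '\0' && *b == '\0';
}

/* Match the final path component (after the last backslash) against the denylist. */
bool image_denied(const char *path, const char *const *denylist, size_t count)
{
    const char *leaf = strrchr(path, '\\');
    leaf = leaf ? leaf + 1 : path;
    for (size_t i = 0; i < count; i++) {
        if (name_equals_ci(leaf, denylist[i]))
            return true;
    }
    return false;
}

/* The pre-create decision: deny only opens of a denylisted image that ask for
 * execute access, so plain reads (copying, hashing, scanning) keep working. */
NTSTATUS decide_precreate(const char *path, ACCESS_MASK desired,
                          const char *const *denylist, size_t count)
{
    if (!image_denied(path, denylist, count))
        return STATUS_SUCCESS;
    if (!requests_execute(desired))
        return STATUS_SUCCESS;
    return STATUS_ACCESS_DENIED;
}

/* In the minifilter (kernel build, not compiled here) the same decision plugs in as:
 *
 *   ACCESS_MASK desired = Data->Iopb->Parameters.Create.SecurityContext->DesiredAccess;
 *   NTSTATUS st = decide_precreate(<name from FltGetFileNameInformation>, desired, list, n);
 *   if (st != STATUS_SUCCESS) {
 *       Data->IoStatus.Status = st;
 *       Data->IoStatus.Information = 0;
 *       return FLT_PREOP_COMPLETE;          // caller sees "access is denied"
 *   }
 *   return FLT_PREOP_SUCCESS_NO_CALLBACK;
 */

int main(void)
{
    /* Constructed opens a filter might see for C:\Windows\system32\notepad.exe. */
    struct { const char *who; ACCESS_MASK mask; } opens[] = {
        { "process loader (execute)",     FILE_EXECUTE | FILE_READ_DATA | SYNCHRONIZE },
        { "copy/backup tool (read only)", FILE_READ_DATA | FILE_READ_ATTRIBUTES | SYNCHRONIZE },
        { "careless caller (all access)", FILE_ALL_ACCESS },
        { "Explorer icon extraction",     FILE_EXECUTE | FILE_READ_DATA | SYNCHRONIZE },
    };
    const char *path = "C:\\Windows\\system32\\notepad.exe";
    for (size_t i = 0; i < sizeof opens / sizeof opens[0]; i++) {
        NTSTATUS st = decide_precreate(path, opens[i].mask, kDemoDenylist, kDemoDenylistLen);
        printf("%-32s -> 0x%08X (%s)\n", opens[i].who, (unsigned)st,
               st == STATUS_ACCESS_DENIED ? "STATUS_ACCESS_DENIED" : "allowed");
    }
    /* The last row is Maxim's caveat: the icon open carries the same DesiredAccess
     * as the loader's, so a pure FILE_EXECUTE policy denies it as well. */
    return 0;
}
```

Deciding at create time is what turns the “not a valid Windows image” dialog into a plain “access is denied” result, since the loader never gets an open handle to call a corrupt image; the price, visible in the last row, is that anything else opening the file with execute access (icon extraction, resource readers) is refused too, which is the reason Kelvin tracks the opening process rather than relying on the access mask alone.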

(New thread required as Lyris discriminates against successfully replying to any of Maxim’s posts.)

Are you sure that doesn’t map it as plain old data and not an image? I seem to recall it doing so and setting the low order address bit to indicate that it’s a data view (of course an implementation detail that shouldn’t be relied upon).

? S


About every message you send appears as a new subject. Tell your client to insert a space after Re: or just type a space. That will also put your message in context on the news server.

//Daniel


Sorry for my ignorance… is any of this related to my question?

Either that or I’m just not understanding what you’re saying…

Best wishes,
Kelvin

In this particular case, a new thread was intentionally started due to rejection of replies to Maxim (charset issue).

(Windows Mobile Exchange client, not a lot of tweaking options, unfortunately.)

? S


> Actually, I was hoping for some way to not even have any error prompts from Windows side

Not possible at all, as you can understand. If you fail CreateProcess at any stage, then the resulting error code will come back to Explorer or CMD, and they will show the error message.

“Access denied” is the proper error message.


Maxim S. Shatskih
Windows DDK MVP
xxxxx@storagecraft.com
http://www.storagecraft.com

> Are you sure that doesn’t map it as plain old data and not
> an image? I seem to recall it doing so and setting the low
> order address bit to indicate that it’s a data view (of course
> an implementation detail that shouldn’t be relied upon).

Extracting resources should work with either an image or a data
mapping. Image mapping is usually more efficient because it
allows pages to be shared with already loaded instances of
the DLL, but it doesn’t work across architectures. This is why
starting with Vista the recommendation is to use both flags
(LOAD_LIBRARY_AS_IMAGE_RESOURCE | LOAD_LIBRARY_AS_DATAFILE)
when reading resources and let the loader choose the most
appropriate mapping method. I think this is what explorer does.


This posting is provided “AS IS” with no warranties, and confers no
rights.