Hi,
I have two requirements.
- I want to access process data structures (kernel mode).
- Get control of a process… when it starts… what it is doing… etc.
Which link should I refer to?
regards
sreejesh
> 1. I want to access Process data structures(Kernel mode).
Hardly possible, they do change from service pack to service pack.
> 2. Get control of a process… when it starts… what it is doing… etc.
PsLoadImageNotifyRoutine and such.
–
Maxim S. Shatskih
Windows DDK MVP
xxxxx@storagecraft.com
http://www.storagecraft.com
Thanks…
How do I get user information (user name for which the process is started - in which context) about a process?
sreejesh
First some questions for you:
Regards,
Ayush Gupta
AI Consulting
-----Original Message-----
From: xxxxx@lists.osr.com [mailto:bounce-396029-
xxxxx@lists.osr.com] On Behalf Of xxxxx@nestgroup.net
Sent: Tuesday, January 12, 2010 4:25 PM
To: Windows File Systems Devs Interest List
Subject: RE:[ntfsd] Kernel Process Control
NTFSD is sponsored by OSR
For our schedule of debugging and file system seminars
(including our new fs mini-filter seminar) visit:
http://www.osr.com/seminars
To unsubscribe, visit the List Server section of OSR Online at
http://www.osronline.com/page.cfm?name=ListServer
> How do I get user information(user name for which the process is started - in which context)
Forget user names in the kernel. Use SIDs instead. User names are only for the UI.
Get the token, then SeQueryInformationToken(TokenUser).
–
Maxim S. Shatskih
Windows DDK MVP
xxxxx@storagecraft.com
http://www.storagecraft.com
> Get the token, then SeQueryInformationToken(TokenUser).
How do I get the Token?
sreejesh
-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Maxim S.
Shatskih
Sent: Wednesday, January 13, 2010 1:19 AM
To: Windows File Systems Devs Interest List
Subject: Re:[ntfsd] Kernel Process Control
***** Confidentiality Statement/Disclaimer *****
This message and any attachments is intended for the sole use of the intended recipient. It may contain confidential information. Any unauthorized use, dissemination or modification is strictly prohibited. If you are not the intended recipient, please notify the sender immediately then delete it from all your systems, and do not copy, use or print. Internet communications are not secure and it is the responsibility of the recipient to make sure that it is virus/malicious code exempt.
The company/sender cannot be responsible for any unauthorized alterations or modifications made to the contents. If you require any form of confirmation of the contents, please contact the company/sender. The company/sender is not liable for any errors or omissions in the content of this message.
I got … PsReferencePrimaryToken works…
Thanks
sreejesh
-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Sreejesh S.
Sent: Wednesday, January 13, 2010 12:36 PM
To: Windows File Systems Devs Interest List
Subject: RE: [ntfsd] Kernel Process Control
> How do I get the Token?
Depends on the particular path.
Usually, people only need to do the security checks in the MJ_CREATE handler.
In this case, Parameters.Create.SecurityContext helps - use ClientToken, or PrimaryToken if ClientToken is NULL.
In other paths, I can suggest reverse-engineering OpenProcessToken and OpenThreadToken in kernel32.dll, determining the NtXxx syscalls they use, and calling these syscalls from your kernel code.
–
Maxim S. Shatskih
Windows DDK MVP
xxxxx@storagecraft.com
http://www.storagecraft.com
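The advice in this thread (hook process start, identify the user by SID rather than name, get the token with PsReferencePrimaryToken as the poster found, and in MJ_CREATE take ClientToken or else PrimaryToken from the security context) tied together as an added example. This is not code from the thread or from any poster. The portable part (the SAMPLE_SID type and the sid_* helpers, names chosen here) mirrors the S-1-... string form that RtlConvertSidToUnicodeString produces and compiles and runs with any C compiler; the kernel part is fenced behind _KERNEL_MODE, which WDK driver projects define (define it yourself if your build does not), and LogTokenUser, CreateNotify and PreCreate are names chosen for this example. The process-start hook uses PsSetCreateProcessNotifyRoutineEx rather than the load-image callback mentioned above, because it hands you the new process's PEPROCESS directly; the Windows API names and structure fields are the documented ones, the sample SID strings are constructed for the example.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Same layout as the Windows SID structure (revision 1, up to 15 sub-authorities). */
typedef struct {
    uint8_t  Revision, SubAuthorityCount;
    uint8_t  IdentifierAuthority[6];           /* 48-bit, big-endian */
    uint32_t SubAuthority[15];
} SAMPLE_SID;

/* Well-known LocalSystem SID, S-1-5-18. */
static const SAMPLE_SID LOCAL_SYSTEM_SID = { 1, 1, { 0, 0, 0, 0, 0, 5 }, { 18 } };

/* Render "S-1-A-S1-S2-..." as RtlConvertSidToUnicodeString does (32-bit authorities only).
 * Returns the length written, or -1 for a malformed SID or a too-small buffer. */
int sid_to_string(const SAMPLE_SID *sid, char *out, size_t cap)
{
    const uint8_t *ia = sid->IdentifierAuthority;
    int n, i;
    if (sid->Revision != 1 || sid->SubAuthorityCount > 15 || ia[0] || ia[1]) return -1;
    n = snprintf(out, cap, "S-1-%u",
                 ((unsigned)ia[2] << 24) | ((unsigned)ia[3] << 16) | ((unsigned)ia[4] << 8) | ia[5]);
    if (n < 0 || (size_t)n >= cap) return -1;
    for (i = 0; i < sid->SubAuthorityCount; i++) {
        int m = snprintf(out + n, cap - n, "-%u", (unsigned)sid->SubAuthority[i]);
        if (m < 0 || (size_t)m >= cap - n) return -1;
        n += m;
    }
    return n;
}

/* Parse "S-1-A-S1-..." back into the structure: 1 on success, 0 on malformed input. */
int sid_parse(const char *s, SAMPLE_SID *sid)
{
    const char *p; char *end; unsigned long v;
    memset(sid, 0, sizeof *sid);
    if (strncmp(s, "S-1-", 4) != 0 || !isdigit((unsigned char)s[4])) return 0;
    v = strtoul(s + 4, &end, 10);
    if (v > 0xFFFFFFFFul) return 0;
    sid->Revision = 1;
    sid->IdentifierAuthority[2] = (uint8_t)(v >> 24); sid->IdentifierAuthority[3] = (uint8_t)(v >> 16);
    sid->IdentifierAuthority[4] = (uint8_t)(v >> 8);  sid->IdentifierAuthority[5] = (uint8_t)v;
    for (p = end; *p == '-'; p = end) {
        if (!isdigit((unsigned char)p[1]) || sid->SubAuthorityCount == 15) return 0;
        v = strtoul(p + 1, &end, 10);
        if (v > 0xFFFFFFFFul) return 0;
        sid->SubAuthority[sid->SubAuthorityCount++] = (uint32_t)v;
    }
    return *p == '\0';
}

/* Compare as RtlEqualSid does: revision, authority and every sub-authority must match. */
int sid_equal(const SAMPLE_SID *a, const SAMPLE_SID *b)
{
    return a->Revision == b->Revision && a->SubAuthorityCount == b->SubAuthorityCount &&
           memcmp(a->IdentifierAuthority, b->IdentifierAuthority, 6) == 0 &&
           memcmp(a->SubAuthority, b->SubAuthority, a->SubAuthorityCount * sizeof(uint32_t)) == 0;
}

#ifdef _KERNEL_MODE   /* set by WDK driver projects; everything below is kernel-only */
#include <fltKernel.h>
/* Query TokenUser from a referenced token and log its SID. PASSIVE_LEVEL only. */
NTSTATUS LogTokenUser(PACCESS_TOKEN Token, const char *Where)
{
    PTOKEN_USER user = NULL;
    UNICODE_STRING text;
    NTSTATUS status = SeQueryInformationToken(Token, TokenUser, (PVOID *)&user);
    if (!NT_SUCCESS(status)) return status;
    status = RtlConvertSidToUnicodeString(&text, user->User.Sid, TRUE);
    if (NT_SUCCESS(status)) {
        DbgPrint("%s: user %wZ%s\n", Where, &text,
                 RtlEqualSid(user->User.Sid, SeExports->SeLocalSystemSid) ? " (LocalSystem)" : "");
        RtlFreeUnicodeString(&text);
    }
    ExFreePool(user);                              /* SeQueryInformationToken allocated it */
    return status;
}

/* Process start: PsReferencePrimaryToken on the new process. Register from DriverEntry with
 * PsSetCreateProcessNotifyRoutineEx(CreateNotify, FALSE); needs /INTEGRITYCHECK at link time. */
VOID CreateNotify(PEPROCESS Process, HANDLE ProcessId, PPS_CREATE_NOTIFY_INFO CreateInfo)
{
    PACCESS_TOKEN token;
    UNREFERENCED_PARAMETER(ProcessId);
    if (CreateInfo == NULL) return;                /* NULL means the process is exiting */
    token = PsReferencePrimaryToken(Process);
    LogTokenUser(token, "process create");
    PsDereferencePrimaryToken(token);
}

/* Minifilter pre-create: the caller's effective token from the I/O security context.
 * SeQuerySubjectContextToken picks ClientToken when the caller impersonates, else PrimaryToken. */
FLT_PREOP_CALLBACK_STATUS PreCreate(PFLT_CALLBACK_DATA Data, PCFLT_RELATED_OBJECTS FltObjects,
                                    PVOID *CompletionContext)
{
    PSECURITY_SUBJECT_CONTEXT subject =
        &Data->Iopb->Parameters.Create.SecurityContext->AccessState->SubjectSecurityContext;
    UNREFERENCED_PARAMETER(FltObjects);
    UNREFERENCED_PARAMETER(CompletionContext);
    /* An identification-level impersonation token must not drive an access decision. */
    if (subject->ClientToken == NULL || subject->ImpersonationLevel >= SecurityImpersonation)
        LogTokenUser(SeQuerySubjectContextToken(subject), "IRP_MJ_CREATE");
    return FLT_PREOP_SUCCESS_NO_CALLBACK;
}
#endif
```

Two practical notes. If you stay with the load-image callback instead, PsSetLoadImageNotifyRoutine gives you only a ProcessId; PsLookupProcessByProcessId followed by ObDereferenceObject gets you the same PEPROCESS for PsReferencePrimaryToken. And the comparison against SeExports->SeLocalSystemSid is the whole point of "SIDs, not names": a policy keyed on a SID string parsed once at driver load (sid_parse above) can be checked with RtlEqualSid in any path, whereas resolving a name would require LSA, which is not reachable from a file system filter.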