Network File system behaviour

Hi All,

I have two machines, let us say M1 and M2, and I am filtering the network file
system on M1. If M2 tries to read a file on M1, does the filter driver on M1
receive the call? If not, which component on M1 receives the request first and
directs it to the local file system driver on M1?

What I observed is this: if a user on M1 tries to access a file on the
network, the filter driver is getting the request, but if some other system
like M2 accesses files on M1, the filter is not getting any request.

Any information is helpful.

Thanks and Regards,
Kedar.



Such requests are seen as simple local file access, as that is what is accessed
in your case. You can tell whether a local file is accessed as a result of a local
or network component by checking the token during IRP_MJ_CREATE.
So, to filter what you need, you need to filter local file systems as well.


Kind regards, Dejan M. MVP for DDK
http://www.alfasp.com E-mail: xxxxx@alfasp.com
Alfa Transparent File Encryptor - Transparent file encryption services.
Alfa File Protector - File protection and hiding library for Win32 developers.
Alfa File Monitor - File monitoring library for Win32 developers.

Hi Dejan,

Which token of IRP_MJ_CREATE will tell us whether a local file is accessed
as a result of a local or network component?

Also, can we get the details of the network component, like for which network
system (system name) this call has been generated?

Thanks,
Kedar.



#define SRV_TOKEN_SOURCE "NtLmSsp"

Remember to do the checks in the context of the system process. If the current
process is not the system process, assume it is not a network request.

Regards, Dejan.


Kind regards, Dejan M. MVP for DDK

Hi Dejan,

Which part of IRP_MJ_CREATE contains this token, and how do we get the details
of it? Can we get details like the domain name and target name?

Thanks,

Kedar.


All you need is the IRP. Get the process token if the IrpSp->Parameters.Create
tokens are NULL. Here's the code I use.
As for what domain/machine accessed the data - I don't know off hand, but I'm
sure some similar code will do the trick:-)
Oh, and please don't send me follow-ups via e-mail:-)

#include <ntddk.h>

#define SRV_TOKEN_SOURCE "NtLmSsp"

/* Assumed: captured with PsGetCurrentProcess() in DriverEntry, which runs in
   the System process. The original post does not show this declaration. */
extern PEPROCESS lpSystemProcess;

BOOLEAN AlfaTE_IsSrvToken(IN PIRP Irp)
{
    NTSTATUS ntRes;
    PACCESS_TOKEN lpToken;
    BOOLEAN EffectiveOnly, CopyOnOpen;
    SECURITY_IMPERSONATION_LEVEL ImpersonationLevel;
    PTOKEN_SOURCE lpTokenSource;
    BOOLEAN IsSrv;

    /* SRV services remote requests from the System process; anything else
       is treated as a local request. */
    if (PsGetCurrentProcess() != lpSystemProcess)
    {
        return FALSE;
    }
    /* The originating thread impersonates the remote client; a thread that
       is not impersonating cannot be an SRV worker thread. */
    lpToken = PsReferenceImpersonationToken(Irp->Tail.Overlay.Thread,
                                            &CopyOnOpen,
                                            &EffectiveOnly,
                                            &ImpersonationLevel);
    if (!lpToken)
    {
        return FALSE;
    }
    /* SeQueryInformationToken allocates the TOKEN_SOURCE buffer; the caller
       must free it with ExFreePool (the original post leaked it). */
    ntRes = SeQueryInformationToken(lpToken, TokenSource, &lpTokenSource);
    if (!NT_SUCCESS(ntRes))
    {
        PsDereferenceImpersonationToken(lpToken);
        return FALSE;
    }
    /* SourceName is an 8-byte, space-padded field, so compare only the
       7 characters of "NtLmSsp". */
    IsSrv = (strncmp(SRV_TOKEN_SOURCE, lpTokenSource->SourceName, 7) == 0)
                ? TRUE : FALSE;
    ExFreePool(lpTokenSource);
    PsDereferenceImpersonationToken(lpToken);
    return IsSrv;
}



Kind regards, Dejan M. MVP for DDK
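Dejan's origin test, reproduced here as an added user-mode C example (not code from the thread or from Alfa) so the decision can be compiled and exercised without the DDK. It assumes a hypothetical create_context stand-in for what a filter sees at IRP_MJ_CREATE, compares the 8-byte SourceName as a fixed-width, space-padded field instead of with strncmp, and also recognises "Kerberos", which is LSA's source name for Kerberos logons and is not mentioned in the thread, so a check for "NtLmSsp" alone misses Kerberos-authenticated SMB sessions.

```c
/* Added example, not the thread's code: Dejan's origin test as user-mode C.
 * TOKEN_SOURCE mirrors the DDK layout: SourceName is a fixed 8-byte field
 * that LSA pads with spaces and does not promise to NUL-terminate. */
#include <string.h>
#define TOKEN_SOURCE_LENGTH 8
typedef struct {
    char SourceName[TOKEN_SOURCE_LENGTH];
    unsigned long long SourceIdentifier;      /* LUID stand-in */
} TOKEN_SOURCE;
/* Hypothetical minimal view of what a filter has at IRP_MJ_CREATE. */
typedef struct {
    int current_process_is_system;            /* PsGetCurrentProcess() == System */
    const TOKEN_SOURCE *impersonation_token;  /* NULL: thread not impersonating */
} create_context;
enum origin { ORIGIN_LOCAL, ORIGIN_NETWORK_NTLM, ORIGIN_NETWORK_KERBEROS };
/* Fixed-width compare: first strlen(name) bytes match, the rest is padding. */
static int source_is(const TOKEN_SOURCE *ts, const char *name)
{
    size_t n = strlen(name), i;
    if (n > TOKEN_SOURCE_LENGTH || memcmp(ts->SourceName, name, n) != 0)
        return 0;
    for (i = n; i < TOKEN_SOURCE_LENGTH; i++)
        if (ts->SourceName[i] != ' ' && ts->SourceName[i] != '\0')
            return 0;
    return 1;
}
/* Dejan's rule: only a create issued in the System process by a thread that
 * impersonates an SMB client is a network request. "NtLmSsp" is the value
 * from the thread; "Kerberos" is LSA's source name for Kerberos logons. */
enum origin classify_create(const create_context *ctx)
{
    if (!ctx->current_process_is_system || ctx->impersonation_token == NULL)
        return ORIGIN_LOCAL;
    if (source_is(ctx->impersonation_token, "NtLmSsp"))
        return ORIGIN_NETWORK_NTLM;
    if (source_is(ctx->impersonation_token, "Kerberos"))
        return ORIGIN_NETWORK_KERBEROS;
    return ORIGIN_LOCAL;   /* e.g. "User32  ", an interactive user's token */
}
/* Helper: classify from a flag and a raw 8-byte name (NULL = no token). */
enum origin classify_sample(int is_system, const char *name8)
{
    TOKEN_SOURCE ts = { {0}, 0 };
    create_context ctx = { is_system, NULL };
    if (name8) {
        memcpy(ts.SourceName, name8, TOKEN_SOURCE_LENGTH);
        ctx.impersonation_token = &ts;
    }
    return classify_create(&ctx);
}
```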

Hi Dejan,

The PsReferenceImpersonationToken() function is available only in XP, but I
wanted to do it under Windows 2000.

Is there any way to do that? Also, from your code I observed that you are
checking whether the request is from NtLmSsp, but can we get further details,
like which host in the network actually generated the request?

I am trying to implement the code and will see the results.

Thanks,
Kedar.


> The PsReferenceImpersonationToken() function is available only in XP, but I
> wanted to do it under Windows 2000.

The function is definitely present under Windows 2000, as I've used it - it's
not in the headers, but you can take the XP header definition.

> Is there any way to do that? Also, from your code I observed that you are
> checking whether the request is from NtLmSsp, but can we get further details,
> like which host in the network actually generated the request?

I already answered this: most probably it is, but as I did not require it, I
never implemented it:-)


Kind regards, Dejan M. MVP for DDK

Hi Dejan,

My idea for getting the name of the host in the network that actually generated
the request is to get the SID associated with the current request and then use
some APIs to get the host name from the SID. For this I am using the function
SeQueryInformationToken as below:

SeQueryInformationToken(ptoken, TokenUser, &lpTokenUser);

The documentation says the output struct lpTokenUser will have the SID of the
user, but I see it blank in my driver.

Am I going in the right direction to get the details of the system name?

Thanks,
Kedar.

