Hi All,
I do not want to restrict handle access. Using ObCallbacks I want to get
notified when a process is accessing another process's Section Object
or another process in a Section Object, for example:
ZwMapViewOfSection/UnmapViewOfSection/ZwOpenSection.
Using a minifilter driver we can know which file on disk is going to be part
of a section object, which is not good enough.
In Windows Events, after enabling auditing, we get an event "Object
Accessed". I do not remember the event ID now ... sorry.
Similarly, I am trying to develop notification against Section Objects.
On Wed, Sep 10, 2014 at 10:34 PM, Tracy Camp wrote:
> There are lots of issues with actual sandboxing beyond access rights, since
> a true sandboxing driver with "good" application compatibility is a form of
> virtualization driver. I'm more thinking about a large subset of drivers
> that exist to simply monitor and restrict access that tend to show up in AV
> products. There are also a host of object types that don't appear in the
> file system stack that are still of interest: job objects, (named)
> sections, semaphores etc., which is probably what the original OP was really
> after in the first place. Solutions exist for these problems, but they
> tend to be in the 'creative design space', which is generally a bad thing to
> have to do.
>
> I've said it before, but I'll repeat it again: just because the OS
> doesn't provide a clean and supportable means to do something, in NO WAY
> stops those things from being done. My personal feelings and desires about
> implementing good design have almost no bearing when balanced against my
> desire to continue to pay my mortgage, feed my kids etc. (don't kid
> yourself, we are all mercenaries). As such, to quote a pop-culture axiom
> of biology, "Nature finds a way".
>
> t.
>
> On Wed, Sep 10, 2014 at 8:39 AM, Peter Scott
> wrote:
>
>>
>> One comment here: simply restricting handle access through the use of the
>> Ob callback (if it were available for all handle types) won't work for
>> sandboxing processes in general on Windows. You end up with a slew of cases
>> where restricting access rights will end up breaking how the process
>> operates, and thus you must revert to a copy-on-write file system layer to
>> achieve sandboxing, not to mention registry, named pipes, sockets, etc. You
>> can restrict cross-process handle inheritance correctly through these
>> callbacks, which is a requirement for sandboxing a process group though.
>>
>> Pete
>>
>>
>> On 9/9/2014 4:03 PM, Tracy Camp wrote:
>>
>> Except you can't with named section objects that way at all. Using
>> the AcquireFor callbacks in this manner is really just benefiting from a
>> side effect of what was intended to be a lock-hierarchy callback. The Ob
>> callback is altogether a much better way to have designed the whole mess;
>> most filters being written aren't actually doing much interesting with
>> the file system, they just want to monitor and sometimes restrict activity.
>> Some other OSes I've been doing some reading about with capital letters in
>> their names appear to have understood that and pretty much just shunt
>> everything through something that looks like the Ob callbacks.
>>
>> Microsoft: if you want to do something about filter driver
>> quality/performance/complexity etc., make it so we don't have to write
>> filter drivers at all for those applications and just finish the job with
>> the Ob callbacks please.
>>
>> t.
>>
>> On Tue, Sep 9, 2014 at 2:37 PM, Gabriel Bercea
>> wrote:
>>
>>> It is easy to enable for all object types, but it will bug check on Windows
>>> 8 64-bit and above with critical structure corruption, so not usable.
>>> Use the PreAcquireForSectionSynchronization callback instead.
>>> On Sep 6, 2014 7:09 AM, wrote:
>>>
>>>> Hi all,
>>>> How can we enable callbacks for objects other than
>>>> PsProcessType/PsThreadType???
>>>> Example code is appreciated.
>>>> If not code, at least some pointers?
>>>>
>>>> Note: Please do not suggest Googling. I am already Googling the topic.
>>>>
>>>> —
>>>> NTDEV is sponsored by OSR
>>>>
>>>> Visit the list at: http://www.osronline.com/showlists.cfm?list=ntdev
>>>>
>>>> OSR is HIRING!! See http://www.osr.com/careers
>>>>
>>>> For our schedule of WDF, WDM, debugging and other seminars visit:
>>>> http://www.osr.com/seminars
>>>>
>>>> To unsubscribe, visit the List Server section of OSR Online at
>>>> http://www.osronline.com/page.cfm?name=ListServer
>>>>
>>>
>>
>>
>>
>> --
>> Kernel Drivers
>> Windows File System and Device Driver Consulting
>> www.KernelDrivers.com
>> 866.263.9295
>>
>>
>>
>
>
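An added example, not code from this thread or from any of the posters, showing the part of the problem the supported API does cover. ObRegisterCallbacks accepts PsProcessType and PsThreadType, and a pre-operation callback is only allowed to clear bits in the requested DesiredAccess (on create and on duplicate, which is what makes the cross-process inheritance restriction Peter mentions possible). The block below models that decision logic in host-side C: the PreOpInfo struct is an assumed stand-in for the fields of OB_PRE_OPERATION_INFORMATION that the policy needs, and the protected-PID list and sample PIDs are constructed for the illustration; the PROCESS_* access bits and OB_OPERATION_* codes are the SDK/WDK values. Nothing here reaches section objects: as the thread says, forcing registration for other types bugchecks on Windows 8 x64 and later, and the minifilter PreAcquireForSectionSynchronization callback remains the supported place to see a file about to be mapped.

```c
/* Added example: user-mode model of the access-mask policy a process-type
   Ob pre-operation callback applies. In a real driver this logic runs inside
   the callback registered with ObRegisterCallbacks(); here the kernel
   structures are replaced by the assumed PreOpInfo stand-in so it compiles
   and runs without the WDK. */
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* PROCESS_* access bits as defined in winnt.h. */
#define PROCESS_TERMINATE      0x0001u
#define PROCESS_CREATE_THREAD  0x0002u
#define PROCESS_VM_OPERATION   0x0008u
#define PROCESS_VM_READ        0x0010u
#define PROCESS_VM_WRITE       0x0020u
#define PROCESS_DUP_HANDLE     0x0040u
#define PROCESS_SUSPEND_RESUME 0x0800u

/* Operation codes as defined in ntddk.h. */
#define OB_OPERATION_HANDLE_CREATE    0x00000001u
#define OB_OPERATION_HANDLE_DUPLICATE 0x00000002u

/* Rights a foreign process is never granted on a protected process:
   everything needed to inject into, suspend, or kill it. PROCESS_VM_READ
   and PROCESS_QUERY_* are deliberately left alone so tooling keeps working. */
#define DENIED_CROSS_PROCESS_ACCESS \
    (PROCESS_TERMINATE | PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | \
     PROCESS_VM_WRITE | PROCESS_DUP_HANDLE | PROCESS_SUSPEND_RESUME)

/* Assumed stand-in for the parts of OB_PRE_OPERATION_INFORMATION the policy
   reads. RequestorPid is the process that will end up holding the handle
   (the caller for a create, the target process for a duplicate/inherit). */
typedef struct {
    uint32_t Operation;     /* OB_OPERATION_HANDLE_CREATE or _DUPLICATE   */
    bool     KernelHandle;  /* OperationInformation->KernelHandle          */
    uint32_t RequestorPid;  /* who receives the handle                     */
    uint32_t TargetPid;     /* PsGetProcessId of the object being opened   */
    uint32_t DesiredAccess; /* Parameters->...HandleInformation.DesiredAccess */
} PreOpInfo;

static bool is_protected_pid(uint32_t pid, const uint32_t *protected_pids, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (protected_pids[i] == pid)
            return true;
    return false;
}

/* Returns the access mask the callback should write back. It only ever
   clears bits, which is all a pre-operation callback is permitted to do;
   it never adds rights and never fails the open outright. */
uint32_t filter_process_access(const PreOpInfo *info,
                               const uint32_t *protected_pids, size_t n)
{
    uint32_t access = info->DesiredAccess;

    /* Kernel-mode opens must pass untouched: the OS itself opens processes
       with full rights, and stripping those breaks the system, not malware. */
    if (info->KernelHandle)
        return access;

    /* A process opening itself, or anything not on the protected list,
       keeps whatever it asked for. */
    if (info->RequestorPid == info->TargetPid)
        return access;
    if (!is_protected_pid(info->TargetPid, protected_pids, n))
        return access;

    switch (info->Operation) {
    case OB_OPERATION_HANDLE_CREATE:
    case OB_OPERATION_HANDLE_DUPLICATE:
        /* Same mask for a fresh open and for DuplicateHandle/inheritance,
           otherwise a full-access handle could be laundered into another
           process through duplication. */
        access &= ~DENIED_CROSS_PROCESS_ACCESS;
        break;
    default:
        break;
    }
    return access;
}

int main(void)
{
    /* Constructed sample: PID 1000 is the protected service, PID 4242 is
       an unrelated process asking for PROCESS_ALL_ACCESS (0x1FFFFF). */
    const uint32_t protected_pids[] = { 1000 };
    const PreOpInfo cross = { OB_OPERATION_HANDLE_CREATE, false, 4242, 1000, 0x1FFFFFu };
    const PreOpInfo dup   = { OB_OPERATION_HANDLE_DUPLICATE, false, 4242, 1000,
                              PROCESS_VM_WRITE | PROCESS_VM_READ };

    printf("cross-process open: requested 0x%06X, granted 0x%06X\n",
           cross.DesiredAccess, filter_process_access(&cross, protected_pids, 1));
    printf("duplicate into 4242: requested 0x%04X, granted 0x%04X\n",
           dup.DesiredAccess, filter_process_access(&dup, protected_pids, 1));
    return 0;
}
```

The real callback additionally has to return OB_PREOP_SUCCESS, be registered with a valid Altitude string, and unregister in DriverUnload; none of that changes the decision above, which is the piece an AV or sandbox product actually tunes.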