Opening file from network

Hello, all

This is a revision of a sometimes-asked question:
“How can I know that a file has been opened from a remote machine?”

Until now, I had no problems with determining that.
Within IRP_MJ_CREATE handler, I check for

    if(IrpSp->Parameters.Create.SecurityContext->SecurityQos != NULL)
    {
        // Request is running in the context of the System process
        if(IoGetCurrentProcess() == PointerToSystemProcessSavedInDriverEntry)
        {
            PSECURITY_SUBJECT_CONTEXT Subject =
                &IrpSp->Parameters.Create.SecurityContext->AccessState->SubjectSecurityContext;

            // A client (impersonation) token is present
            if(Subject->ClientToken != NULL)
            {
                OpenFromRemote = TRUE;
            }
        }
    }

This approach worked until I encountered an attempt to open
a local file through a network share on a Win2003 server.
My filter causes sending a few requests following the CREATE
(some query infos and one non-cached read).
On the “server side”, there are a few CREATE requests coming,
having SRV on the call stack. However, these CREATEs are not
coherent from the point of remote/local request. I also tried to
check for FO_REMOTE_ORIGIN in the file object, but this
method fails too.

Did any of you ever need to solve this kind of problem?
Thank you for your eventual answers

L.

FWIW, I use the technique from the IFS FAQ from osronline.com:

“It is not possible to ascertain if the IRP is coming from a local process
or over the network for most operations. However, we have found that a
solution that works with IRP_MJ_CREATE is to examine the process context.
If the process is the system process, we then examine the impersonation
state of the given thread. If the thread is impersonating, our experience
indicates that it is, in fact, operating on behalf of a remote user.”

This results in code something like this:

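    BOOLEAN CopyOnOpen, EffectiveOnly;
    SECURITY_IMPERSONATION_LEVEL ImpersonationLevel;
    PTOKEN_SOURCE lpTokenSource = NULL;

    PACCESS_TOKEN pImpToken = PsReferenceImpersonationToken( Data->Thread,
        &CopyOnOpen, &EffectiveOnly, &ImpersonationLevel );

    if( pImpToken != NULL && pThisProcessId == glpSystemProcessId )
    {
        // SeQueryInformationToken allocates the TOKEN_SOURCE buffer
        status = SeQueryInformationToken( pImpToken, TokenSource,
            (PVOID *)&lpTokenSource );
        bIsRemote = NT_SUCCESS(status) && ( strncmp("NtLmSsp",
            lpTokenSource->SourceName, 7) == 0 );
        if( NT_SUCCESS(status) ) ExFreePool( lpTokenSource );
    }
    // Drop the reference taken by PsReferenceImpersonationToken
    if( pImpToken != NULL ) PsDereferenceImpersonationToken( pImpToken );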

Ken

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Ladislav Zezula
Sent: Wednesday, January 25, 2006 9:25 AM
To: Windows File Systems Devs Interest List
Subject: [ntfsd] Opening file from network

Questions? First check the IFS FAQ at
https://www.osronline.com/article.cfm?id=17


Another FWIW!

I had to check for “Kerberos” not just “NtLmSsp” in my code.

Ben
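
The check described in the two replies above (system process, impersonating thread, token source "NtLmSsp" or "Kerberos"), as an added user-mode model that is not code from any poster in this thread. It shows the edge case that "Kerberos" fills the whole 8-byte SourceName field, so the field has no terminating NUL and every comparison must be length-bounded. MOCK_TOKEN_SOURCE, source_is_network, create_looks_remote and make_source are hypothetical names, and the sample inputs are constructed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

#define TOKEN_SOURCE_LENGTH 8   /* same value as in the Windows headers */

/* User-mode stand-in for TOKEN_SOURCE.SourceName: a fixed 8-byte array
   that is NOT NUL-terminated when the name uses all 8 bytes. */
typedef struct { char SourceName[TOKEN_SOURCE_LENGTH]; } MOCK_TOKEN_SOURCE;

/* Source names mentioned in the thread as marking a network logon. */
static const char *const kNetworkSources[] = { "NtLmSsp", "Kerberos" };

/* Bounded prefix compare, like the strncmp(..., 7) in the thread, that
   never reads past the 8-byte field. */
static bool source_is_network(const MOCK_TOKEN_SOURCE *src)
{
    for (size_t i = 0; i < sizeof kNetworkSources / sizeof kNetworkSources[0]; i++) {
        size_t len = strlen(kNetworkSources[i]);
        if (len <= TOKEN_SOURCE_LENGTH &&
            memcmp(src->SourceName, kNetworkSources[i], len) == 0)
            return true;
    }
    return false;
}

/* Heuristic from the thread: system process + impersonating thread +
   network authentication token source. src is NULL when the thread has
   no impersonation token or the token query failed. */
static bool create_looks_remote(bool in_system_process, const MOCK_TOKEN_SOURCE *src)
{
    return in_system_process && src != NULL && source_is_network(src);
}

/* Builds a constructed sample input, NUL-padded and truncated to 8 bytes. */
static MOCK_TOKEN_SOURCE make_source(const char *name)
{
    MOCK_TOKEN_SOURCE s;
    size_t n = strlen(name);
    memset(s.SourceName, 0, sizeof s.SourceName);
    memcpy(s.SourceName, name, n < sizeof s.SourceName ? n : sizeof s.SourceName);
    return s;
}

int main(void)
{
    MOCK_TOKEN_SOURCE krb = make_source("Kerberos");   /* constructed sample */
    return create_looks_remote(true, &krb) ? 0 : 1;
}
```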

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Ken Cross
Sent: 25 January 2006 15:06
To: Windows File Systems Devs Interest List
Subject: RE: [ntfsd] Opening file from network
