Please help me with the PEB structure

I found this in MSDN:

http://msdn.microsoft.com/en-us/library/aa813706(VS.85).aspx

typedef struct _PEB {
    BYTE Reserved1[2];
    BYTE BeingDebugged;
    BYTE Reserved2[1];
    PVOID Reserved3[2];
    PPEB_LDR_DATA Ldr;
    PRTL_USER_PROCESS_PARAMETERS ProcessParameters;
    BYTE Reserved4[104];
    PVOID Reserved5[52];
    PPS_POST_PROCESS_INIT_ROUTINE PostProcessInitRoutine;
    BYTE Reserved6[128];
    PVOID Reserved7[1];
    ULONG SessionId;
} PEB, *PPEB;

Also:

typedef struct _RTL_USER_PROCESS_PARAMETERS {
    BYTE Reserved1[16];
    PVOID Reserved2[10];
    UNICODE_STRING ImagePathName;
    UNICODE_STRING CommandLine;
} RTL_USER_PROCESS_PARAMETERS, *PRTL_USER_PROCESS_PARAMETERS;

Header Winternl.h

I really can't find these structures in the Winternl.h file.

Please, someone help me and tell me what to include so that I can use these structures in my filter driver.

Hi Lucian!

PLEASE NOTE THAT THIS LIST IS FOR FS DEVELOPMENT RELATED QUERIES.

Anyways, the answer to your question is:
Winternl.h of platform SDK v5.0 contains the definition for PEB but not for RTL_USER_PROCESS_PARAMETERS.
However, Winternl.h for SDK v6.1 contains both definitions.

Regards,
Ayush Gupta

I needed this in FS filter driver in dispatch routines

Thanks Ayush :slight_smile:

One thing to keep in mind is that the PEB structure is prone to changes between Windows versions and even service packs. This means that you cannot access its members in a reliable and version-independent way.

Why do you need to read the PEB? Maybe there is a better (documented) way to do what you want.

Best regards,
Razvan

NTFSD is sponsored by OSR

For our schedule debugging and file system seminars (including our new fs mini-filter seminar) visit: http://www.osr.com/seminars

What are you going to use it for?

Remember that as the PEB resides within user mode and is user mode writable, you cannot trust its contents and must be extremely careful with your accesses to it.

For example, even attempting to traverse the user mode loaded module list via the PEB in kernel mode is pretty much doomed to failure by design.

- S


Hello

I am in a file system filter driver.

I guess that dispatch routines, for IRP_MJ_READ & IRP_MJ_WRITE are executed in the user-mode thread context.

I want to know which process is reading or writing to that file. I need this in kernel mode.
So I used ZwQueryInformationProcess… but I already have some problems. It is not working well in every case.

I have read some osr post but I still don’t know the right way to get current process name in kernel mode.

> I guess that dispatch routines, for IRP_MJ_READ & IRP_MJ_WRITE are executed in the user-mode thread context.

This assumption is not correct. What about paging I/Os?

Regards,
Ayush Gupta


I check the Irp->RequestorMode flag in my IRP_MJ_READ dispatch routine. If this flag is UserMode, the Irp->UserBuffer pointer is valid only in this thread context.
I guess the dispatch routine is the right place to call my function to obtain the process name. I use this function:

    // Resolved on first use. QUERY_INFO_PROCESS, PEB and RTL_USER_PROCESS_PARAMETERS
    // are the Winternl.h definitions reproduced further down.
    static QUERY_INFO_PROCESS ZwQueryInformationProcess = NULL;

    NTSTATUS GetCurrentProcessImageName( PUNICODE_STRING ProcessImageName )
    {
        NTSTATUS Status;
        ULONG ReturnedLength;
        PROCESS_BASIC_INFORMATION* pBasicInfo;
        PPEB pPeb;
        UNICODE_STRING UnicodeString;

        // Touches user-mode memory: must run at PASSIVE_LEVEL in the context
        // of the process being queried.
        PAGED_CODE();

        if ( NULL == ZwQueryInformationProcess )
        {
            UNICODE_STRING RoutineName;

            RtlInitUnicodeString( &RoutineName, L"ZwQueryInformationProcess" );
            ZwQueryInformationProcess = ( QUERY_INFO_PROCESS )MmGetSystemRoutineAddress( &RoutineName );
            if ( NULL == ZwQueryInformationProcess )
            {
                DbgPrint( "Cannot resolve ZwQueryInformationProcess\n" );
                return STATUS_UNSUCCESSFUL;
            }
        }

        pBasicInfo = ( PROCESS_BASIC_INFORMATION* )ExAllocatePoolWithTag( NonPagedPool, sizeof( PROCESS_BASIC_INFORMATION ), 'cuL' );
        if ( NULL == pBasicInfo ) return STATUS_INSUFFICIENT_RESOURCES;

        ReturnedLength = 0;
        Status = ZwQueryInformationProcess(
            NtCurrentProcess(),
            ProcessBasicInformation,
            pBasicInfo,
            sizeof( PROCESS_BASIC_INFORMATION ),
            &ReturnedLength );

        if ( !NT_SUCCESS( Status ) )
        {
            DbgPrint( "ZwQueryInformationProcess failed: 0x%08X\n", Status );
            ExFreePoolWithTag( pBasicInfo, 'cuL' );
            return Status;
        }

        pPeb = pBasicInfo->PebBaseAddress;
        if ( NULL == pPeb )
        {
            // No PEB: the System process (PID 4) and other kernel-only processes.
            if ( pBasicInfo->UniqueProcessId == ( ULONG_PTR )4 ) RtlInitUnicodeString( &UnicodeString, L"System" );
            else RtlInitUnicodeString( &UnicodeString, L"" );
            RtlCopyUnicodeString( ProcessImageName, &UnicodeString );
        }
        else
        {
            // The PEB and everything it points to live in user-mode memory that
            // the process itself can write, so probe and guard every dereference.
            __try
            {
                PRTL_USER_PROCESS_PARAMETERS pParams;

                ProbeForRead( pPeb, sizeof( PEB ), sizeof( ULONG ) );
                pParams = pPeb->ProcessParameters;
                if ( NULL == pParams )
                {
                    Status = STATUS_UNSUCCESSFUL;
                }
                else
                {
                    ProbeForRead( pParams, sizeof( RTL_USER_PROCESS_PARAMETERS ), sizeof( ULONG ) );
                    ProbeForRead( pParams->ImagePathName.Buffer, pParams->ImagePathName.Length, sizeof( WCHAR ) );
                    // Silently truncates if the caller's buffer is too small.
                    RtlCopyUnicodeString( ProcessImageName, &pParams->ImagePathName );
                }
            }
            __except ( EXCEPTION_EXECUTE_HANDLER )
            {
                Status = GetExceptionCode();
            }
        }

        ExFreePoolWithTag( pBasicInfo, 'cuL' );

        return Status;
    }

Here are some structures from Winternl.h

    typedef struct _PEB_LDR_DATA
    {
        UCHAR Reserved1[8];
        PVOID Reserved2[3];
        LIST_ENTRY InMemoryOrderModuleList;
    } PEB_LDR_DATA, *PPEB_LDR_DATA;

    typedef struct _RTL_USER_PROCESS_PARAMETERS
    {
        UCHAR Reserved1[16];
        PVOID Reserved2[10];
        UNICODE_STRING ImagePathName;
        UNICODE_STRING CommandLine;
    } RTL_USER_PROCESS_PARAMETERS, *PRTL_USER_PROCESS_PARAMETERS;

    typedef struct _PEB
    {
        UCHAR Reserved1[2];
        UCHAR BeingDebugged;
        UCHAR Reserved2[1];
        PVOID Reserved3[2];
        PPEB_LDR_DATA Ldr;
        PRTL_USER_PROCESS_PARAMETERS ProcessParameters;
        // ...
    } PEB, *PPEB;

    typedef NTSTATUS ( *QUERY_INFO_PROCESS ) (
        __in HANDLE ProcessHandle,
        __in PROCESSINFOCLASS ProcessInformationClass,
        __out_bcount(ProcessInformationLength) PVOID ProcessInformation,
        __in ULONG ProcessInformationLength,
        __out_opt PULONG ReturnLength
        );

Yep, you are right Ayush.
I see paging IO sent by System process and RequestorMode is KernelMode.

Do you have any idea Razvan?:slight_smile:

Your description of the problem is quite vague. You say that ZwQueryInformationProcess is not working. But you did not mention the error code that you are getting.
If your system is crashing, what’s the call stack?

Regards,
Ayush

IIRC Irp->UserBuffer is used in file system only when Irp->MdlAddress is
NULL; otherwise it’s MmGetSystemAddressForMdlSafe(Irp->MdlAddress, …) You
could have a look over FatCommonWrite in Fastfat and also FatMapUserBuffer.

Say if some filter above you does Irp->MdlAddress =
IoAllocateMdl(Irp->UserBuffer, …), and MmProbeAndLockPages(Irp->Mdl, …),
and pends IRP_MJ_WRITE, and queues for processing in a system thread?

> IIRC Irp->UserBuffer is used in file system only when Irp->MdlAddress is NULL; otherwise it's MmGetSystemAddressForMdlSafe(Irp->MdlAddress, …)

Yes. Preference should be given to Irp->MdlAddress while trying to get the buffer. And if it is NULL, only then should Irp->UserBuffer be used

> IoAllocateMdl(Irp->UserBuffer, …), and MmProbeAndLockPages(Irp->Mdl, …), and pends IRP_MJ_WRITE, and queues for processing in a system thread

This is what I am doing.
I am checking only RequestorMode and if this is UserMode I am sure that Irp->Mdl is NULL and I should use Irp->UserBuffer. OK, I will check Irp->Mdl for NULL.

Anyway, this is not my problem. I just wanted to say that in the dispatch routine I am in the right context and I could retrieve the requestor process name. Let's say I could call PsGetCurrentProcessId. I also know about IoGetRequestorProcessId.

So my problem is my function posted here ‘GetCurrentProcessImageName’:
The error is Access Violation:

Pointer to PEB structure is 0x7ffd4000

pPeb->ProcessParameters is 0x00020000

pPeb->ProcessParameters->ImagePathName->Buffer is 0x000005c0

0x000005c0 — memory read error at address 0x000005c0 —

As you can see, the correct value of the Buffer pointer would be 0x000205c0
because pPeb->ProcessParameters is 0x00020000

Also:
pPeb->ProcessParameters->CommandLine->Buffer is 0x00000628 and should be 0x00020628

You can see there is the correct ImagePathName and CommandLine

kd> db 0x00020000 L1024
00020000  00 10 00 00 40 07 00 00-00 20 00 00 00 00 00 00  ....@.... ......
00020010  fe ff ff ff 00 00 00 00-00 00 00 00 01 00 01 00  ................
00020020  00 00 00 00 06 00 08 02-90 02 00 00 00 00 00 00  ................
00020030  24 01 26 01 98 04 00 00-66 00 68 00 c0 05 00 00  $.&.....f.h.....
00020040  88 00 8a 00 28 06 00 00-00 00 01 00 00 00 00 00  ....(...........
00020050  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
00020060  00 00 00 00 00 00 00 00-01 04 00 00 01 00 00 00  ................
00020070  66 00 68 00 b4 06 00 00-1e 00 20 00 1c 07 00 00  f.h....... .....
00020080  00 00 02 00 3c 07 00 00-00 00 00 00 00 00 00 00  ....<...........
00020090  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
000200a0  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
000200b0  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
000200c0  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
000200d0  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
000200e0  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
000200f0  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
00020100  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
00020110  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
00020120  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
00020130  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
00020140  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
00020150  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
00020160  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
00020170  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
00020180  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
00020190  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
000201a0  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
000201b0  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
000201c0  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
000201d0  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
000201e0  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
000201f0  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
00020200  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
00020210  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
00020220  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
00020230  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
00020240  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
00020250  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
00020260  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
00020270  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
00020280  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
00020290  43 00 3a 00 5c 00 00 00-00 00 00 00 00 00 00 00  C.:.\...........
000202a0  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
000202b0  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
000202c0  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
000202d0  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
000202e0  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
000202f0  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
00020300  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
00020310  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
00020320  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
00020330  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
00020340  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
00020350  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
00020360  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
00020370  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
00020380  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
00020390  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
000203a0  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
000203b0  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
000203c0  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
000203d0  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
000203e0  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
000203f0  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
00020400  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
00020410  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
00020420  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
00020430  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
00020440  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
00020450  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
00020460  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
00020470  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
00020480  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
00020490  00 00 00 00 00 00 00 00-43 00 3a 00 5c 00 50 00  ........C.:.\.P.
000204a0  72 00 6f 00 67 00 72 00-61 00 6d 00 20 00 46 00  r.o.g.r.a.m. .F.
000204b0  69 00 6c 00 65 00 73 00-5c 00 57 00 69 00 6e 00  i.l.e.s.\.W.i.n.
000204c0  64 00 6f 00 77 00 73 00-20 00 4e 00 54 00 5c 00  d.o.w.s. .N.T.\.
000204d0  41 00 63 00 63 00 65 00-73 00 73 00 6f 00 72 00  A.c.c.e.s.s.o.r.
000204e0  69 00 65 00 73 00 3b 00-43 00 3a 00 5c 00 57 00  i.e.s.;.C.:.\.W.
000204f0  49 00 4e 00 44 00 4f 00-57 00 53 00 5c 00 73 00  I.N.D.O.W.S.\.s.
00020500  79 00 73 00 74 00 65 00-6d 00 33 00 32 00 3b 00  y.s.t.e.m.3.2.;.
00020510  43 00 3a 00 5c 00 57 00-49 00 4e 00 44 00 4f 00  C.:.\.W.I.N.D.O.
00020520  57 00 53 00 5c 00 73 00-79 00 73 00 74 00 65 00  W.S.\.s.y.s.t.e.
00020530  6d 00 3b 00 43 00 3a 00-5c 00 57 00 49 00 4e 00  m.;.C.:.\.W.I.N.
00020540  44 00 4f 00 57 00 53 00-3b 00 2e 00 3b 00 43 00  D.O.W.S.;...;.C.
00020550  3a 00 5c 00 57 00 49 00-4e 00 44 00 4f 00 57 00  :.\.W.I.N.D.O.W.
00020560  53 00 5c 00 73 00 79 00-73 00 74 00 65 00 6d 00  S.\.s.y.s.t.e.m.
00020570  33 00 32 00 3b 00 43 00-3a 00 5c 00 57 00 49 00  3.2.;.C.:.\.W.I.
00020580  4e 00 44 00 4f 00 57 00-53 00 3b 00 43 00 3a 00  N.D.O.W.S.;.C.:.
00020590  5c 00 57 00 49 00 4e 00-44 00 4f 00 57 00 53 00  \.W.I.N.D.O.W.S.
000205a0  5c 00 53 00 79 00 73 00-74 00 65 00 6d 00 33 00  \.S.y.s.t.e.m.3.
000205b0  32 00 5c 00 57 00 62 00-65 00 6d 00 00 00 00 00  2.\.W.b.e.m.....
000205c0  43 00 3a 00 5c 00 50 00-72 00 6f 00 67 00 72 00  C.:.\.P.r.o.g.r.
000205d0  61 00 6d 00 20 00 46 00-69 00 6c 00 65 00 73 00  a.m. .F.i.l.e.s.
000205e0  5c 00 57 00 69 00 6e 00-64 00 6f 00 77 00 73 00  \.W.i.n.d.o.w.s.
000205f0  20 00 4e 00 54 00 5c 00-41 00 63 00 63 00 65 00   .N.T.\.A.c.c.e.
00020600  73 00 73 00 6f 00 72 00-69 00 65 00 73 00 5c 00  s.s.o.r.i.e.s.\.
00020610  57 00 4f 00 52 00 44 00-50 00 41 00 44 00 2e 00  W.O.R.D.P.A.D...
00020620  45 00 58 00 45 00 00 00-22 00 43 00 3a 00 5c 00  E.X.E...".C.:.\.
00020630  50 00 72 00 6f 00 67 00-72 00 61 00 6d 00 20 00  P.r.o.g.r.a.m. .
00020640  46 00 69 00 6c 00 65 00-73 00 5c 00 57 00 69 00  F.i.l.e.s.\.W.i.
00020650  6e 00 64 00 6f 00 77 00-73 00 20 00 4e 00 54 00  n.d.o.w.s. .N.T.
00020660  5c 00 41 00 63 00 63 00-65 00 73 00 73 00 6f 00  \.A.c.c.e.s.s.o.
00020670  72 00 69 00 65 00 73 00-5c 00 57 00 4f 00 52 00  r.i.e.s.\.W.O.R.
00020680  44 00 50 00 41 00 44 00-2e 00 45 00 58 00 45 00  D.P.A.D...E.X.E.
00020690  22 00 20 00 20 00 22 00-43 00 3a 00 5c 00 74 00  ". . .".C.:.\.t.
000206a0  65 00 73 00 74 00 2e 00-62 00 69 00 6e 00 22 00  e.s.t...b.i.n.".
000206b0  00 00 00 00 43 00 3a 00-5c 00 50 00 72 00 6f 00  ....C.:.\.P.r.o.
000206c0  67 00 72 00 61 00 6d 00-20 00 46 00 69 00 6c 00  g.r.a.m. .F.i.l.
000206d0  65 00 73 00 5c 00 57 00-69 00 6e 00 64 00 6f 00  e.s.\.W.i.n.d.o.
000206e0  77 00 73 00 20 00 4e 00-54 00 5c 00 41 00 63 00  w.s. .N.T.\.A.c.
000206f0  63 00 65 00 73 00 73 00-6f 00 72 00 69 00 65 00  c.e.s.s.o.r.i.e.
00020700  73 00 5c 00 57 00 4f 00-52 00 44 00 50 00 41 00  s.\.W.O.R.D.P.A.
00020710  44 00 2e 00 45 00 58 00-45 00 00 00 57 00 69 00  D...E.X.E...W.i.
00020720  6e 00 53 00 74 00 61 00-30 00 5c 00 44 00 65 00  n.S.t.a.0.\.D.e.
00020730  66 00 61 00 75 00 6c 00-74 00 00 00 00 00 00 00  f.a.u.l.t.......
00020740  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
00020750  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
00020760  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
00020770  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
00020780  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
00020790  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................

ImagePathName: C:\Program Files\Windows NT\Accessories\WORDPAD.EXE
CommandLine: “C:\Program Files\Windows NT\Accessories\WORDPAD.EXE” “C:\test.bin”

I tried to open C:\test.bin using Open With window and selecting Wordpad…
(Windows XP SP2)
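Editor's note, with an added example that is not code from anyone in this thread: the dump above can be decoded offline. In the 32-bit RTL_USER_PROCESS_PARAMETERS the ULONG at offset 0x08 (inside Reserved1 in the public Winternl.h layout) is the Flags word, and its bit 0 is RTL_USER_PROC_PARAMS_NORMALIZED (0x1). While that bit is clear, as it is in the dump (Flags = 0x2000), every UNICODE_STRING.Buffer in the block holds an offset from the start of the block rather than an absolute pointer, which is exactly why 0x5c0 and 0x628 only make sense once 0x00020000 is added to them. The decoder below rebuilds a block with the same header fields and strings as the posted dump (constructed test data, not a capture), resolves ImagePathName and CommandLine both before and after normalization, and, because such a block comes from user-mode memory that the process itself controls, treats every length and pointer in it as untrusted and returns NULL for anything that falls outside the copied bytes.

```c
/*
 * Added example, not code from the thread: decode a 32-bit
 * RTL_USER_PROCESS_PARAMETERS block copied out of a process, the way a
 * debugger or memory-forensics tool would, honouring the NORMALIZED flag.
 * Offsets follow the 32-bit Winternl.h layout: 16 reserved bytes plus ten
 * PVOIDs put ImagePathName at 0x38 and CommandLine at 0x40; Flags is at 0x08.
 */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define RTL_USER_PROC_PARAMS_NORMALIZED 0x00000001u

#define OFF_LENGTH        0x04u  /* ULONG Length: bytes in the block      */
#define OFF_FLAGS         0x08u  /* ULONG Flags                           */
#define OFF_IMAGEPATHNAME 0x38u  /* UNICODE_STRING ImagePathName (32-bit) */
#define OFF_COMMANDLINE   0x40u  /* UNICODE_STRING CommandLine            */
#define BLK_LEN           0x740u /* Length value seen in the posted dump  */

/* Little-endian accessors keep the decoder independent of host endianness. */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) { return (uint32_t)rd16(p) | ((uint32_t)rd16(p + 2) << 16); }
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void wr32(uint8_t *p, uint32_t v) { wr16(p, (uint16_t)v); wr16(p + 2, (uint16_t)(v >> 16)); }

/*
 * Resolve the UNICODE_STRING at field_off into a malloc'd narrow string.
 * blk/blk_len is the copied block, blk_va its address in the target process
 * (0x00020000 in the thread). Every value read from the block is under the
 * control of the user-mode process, so anything not inside the copy is rejected.
 */
char *params_string(const uint8_t *blk, size_t blk_len, uint32_t blk_va, size_t field_off)
{
    if (blk_len < 0x48 || field_off + 8 > blk_len) return NULL;

    uint32_t flags  = rd32(blk + OFF_FLAGS);
    uint16_t length = rd16(blk + field_off);       /* byte count, no terminator */
    uint32_t buffer = rd32(blk + field_off + 4);   /* absolute pointer or offset */

    if (flags & RTL_USER_PROC_PARAMS_NORMALIZED) {
        /* Normalized: absolute pointer, rebase onto the copy. */
        if (buffer < blk_va) return NULL;
        buffer -= blk_va;
    }
    /* Denormalized: 'buffer' is already an offset from the block start. */

    if ((length & 1) || (uint64_t)buffer + length > blk_len) return NULL;

    size_t n = length / 2;
    char *out = malloc(n + 1);
    if (out == NULL) return NULL;
    for (size_t i = 0; i < n; i++) {
        uint16_t wc = rd16(blk + buffer + 2 * i);
        out[i] = (wc >= 0x20 && wc < 0x7f) ? (char)wc : '?';   /* ASCII-only rendering */
    }
    out[n] = '\0';
    return out;
}

/* What RtlNormalizeProcessParams does for the two strings tracked here:
 * turn block-relative offsets into absolute pointers and set the flag. */
void normalize_block(uint8_t *blk, uint32_t blk_va)
{
    uint32_t flags = rd32(blk + OFF_FLAGS);
    if (flags & RTL_USER_PROC_PARAMS_NORMALIZED) return;
    for (size_t off = OFF_IMAGEPATHNAME; off <= OFF_COMMANDLINE; off += 8) {
        uint32_t rel = rd32(blk + off + 4);
        if (rel != 0) wr32(blk + off + 4, rel + blk_va);
    }
    wr32(blk + OFF_FLAGS, flags | RTL_USER_PROC_PARAMS_NORMALIZED);
}

static void put_wstr(uint8_t *blk, uint32_t off, const char *s)
{
    for (; *s; s++, off += 2) wr16(blk + off, (uint8_t)*s);   /* UTF-16LE, ASCII input */
    wr16(blk + off, 0);
}

/*
 * Constructed test data shaped like the dump at 0x00020000 in the thread:
 * Flags 0x2000 (NORMALIZED clear), ImagePathName {0x66, 0x68, 0x5c0},
 * CommandLine {0x88, 0x8a, 0x628}. Only the fields read above are populated.
 */
uint8_t *build_denormalized_block(void)
{
    static const char image[] = "C:\\Program Files\\Windows NT\\Accessories\\WORDPAD.EXE";
    static const char cmd[]   = "\"C:\\Program Files\\Windows NT\\Accessories\\WORDPAD.EXE\"  \"C:\\test.bin\"";
    uint8_t *blk = calloc(BLK_LEN, 1);
    if (blk == NULL) return NULL;
    wr32(blk + OFF_LENGTH, BLK_LEN);
    wr32(blk + OFF_FLAGS, 0x2000u);
    wr16(blk + OFF_IMAGEPATHNAME,     (uint16_t)(2 * strlen(image)));
    wr16(blk + OFF_IMAGEPATHNAME + 2, (uint16_t)(2 * strlen(image) + 2));
    wr32(blk + OFF_IMAGEPATHNAME + 4, 0x5c0u);
    wr16(blk + OFF_COMMANDLINE,       (uint16_t)(2 * strlen(cmd)));
    wr16(blk + OFF_COMMANDLINE + 2,   (uint16_t)(2 * strlen(cmd) + 2));
    wr32(blk + OFF_COMMANDLINE + 4,   0x628u);
    put_wstr(blk, 0x5c0u, image);
    put_wstr(blk, 0x628u, cmd);
    return blk;
}

int main(void)
{
    uint8_t *blk = build_denormalized_block();
    if (blk == NULL) return 1;
    for (int pass = 0; pass < 2; pass++) {   /* pass 0: offsets, pass 1: pointers */
        char *img = params_string(blk, BLK_LEN, 0x00020000u, OFF_IMAGEPATHNAME);
        char *cmd = params_string(blk, BLK_LEN, 0x00020000u, OFF_COMMANDLINE);
        printf("flags=0x%08x\n  ImagePathName: %s\n  CommandLine:   %s\n",
               rd32(blk + OFF_FLAGS), img ? img : "(unreadable)", cmd ? cmd : "(unreadable)");
        free(img);
        free(cmd);
        normalize_block(blk, 0x00020000u);
    }
    free(blk);
    return 0;
}
```

Both passes print the same two strings; the only thing that changes between them is whether Buffer is interpreted relative to the block or rebased from the absolute address. The same bounds checks belong in front of any kernel-mode copy from these structures: a process can store any Length and Buffer it likes in its own parameter block, and the driver, not the process, pays for a bad one.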

You didn’t mention to what purpose you want “to know which process is reading or writing to that file”.

Is it because of security reasons? If so, then you probably know that the path that you can get from the PEB can easily be changed so that it isn't reliable from a security point of view.

I don’t know what your requirements are, but I would recommend using IoGetRequestorProcess to find out the process which originally requested the given I/O operation.

If you have a “white-list” of processes which are allowed to read/write to the file, you should do that checking inside IRP_MJ_CREATE, not during every read/write. If that process is not allowed to read/write to the file, deny its ability to open the file from the very beginning.

If you insist that you have to do this checking during every read/write (keep in mind the likely performance hit you should be ready to take because of doing this check on every read/write operation), then I would recommend checking the EPROCESS you get from IoGetRequestorProcess against a list of EPROCESSes (your “white-list”) that you build during IRP_MJ_CREATE.

Instead of doing a string comparison during every READ/WRITE, get the full process path inside IRP_MJ_CREATE and decide if you want to put that process on your white-list of EPROCESSes.

Regards,
Razvan


Yes it is about a "white-list" like you said. This file system filter must encrypt files. I decide if some file must be encrypted in IRP_MJ_CREATE. Encryption is working and now I have to allow or block access to that file. You are right, Create routine is the right place. Things are a little more complicated for me. I will make a white list of EPROCESSes or PIDs or my own structures, but I will populate this list when a process is created (using PsSetCreateProcessNotifyRoutine) not when a file is opened. When a file is opened I will only check my list of processes to see if some process has access to that file.

Thank you all and Merry Christmas everyone! :slight_smile:

The PEB is user mode writable and must never be used by kernel mode code for the purposes of making a trust decision.

- S
