Problem with Process creation completion

Hi All,

How do I get around this problem? I have a TDI filter driver attached to \Device\Tcp. I have added PsSetCreateProcessNotifyRoutine, and there I monitor process creation and deletion. When a process is created I fire an event to communicate with a user mode application.
I found no way to resolve the process name from a given process id, so the user mode application serves to validate whether a particular application is authorised to access a particular port. The user mode application fires a device IOCTL and gets the process id from the filter driver. It then enumerates all processes, finds out the process name and checks whether the application is in the specified list. If it is found in the list, it then fires another IOCTL to send this pid to the driver.

On Windows 2000, I found that by the time the application gets the pid for resolving the process name, the process is already created. But in the case of Windows XP Professional SP2 and Windows 2003 Server, after a reboot, when a particular application is started, by the time I start enumerating processes it is not in the list and hence my assumptions break. Here I have added some sleep in the user mode application before enumerating processes, and this has temporarily delayed the problem. But what is the proper method for the same? How can I come to know the information about the particular process and that its creation is completed?

I hope my problem description is clear and you can throw some light on the same.

Cheers!
Rajesh

I'm surprised this even works on 2000 (it has failed for me in the past): you
get called for process creation notification when the kernel process block
is created, which is way before any user space code is loaded. What you need
to do is use PsSetLoadImageNotifyRoutine to get the application name for a
given PID. The first call to a load image notify callback for a given PID
is the executable file. Note, even the load of the executable is not the
end of process creation, but it is a stable point for most things.


Don Burn (MVP, Windows DDK)
Windows 2k/XP/2k3 Filesystem and Driver Consulting
Remove StopSpam from the email to reply


> I found no way to resolve process name from given process id. So User mode
> application serves to validate whether particular application has authorised
> to access particular port.

I would do this authorization in kernel mode.

> User mode application fires Device Ioctl and gets Process id from filter
> driver. It then enumerates all process

For what? The hackery way of finding the process name has been known since old code
by Mark Russinovich.

Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
xxxxx@storagecraft.com
http://www.storagecraft.com
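As an added illustration (not code from this thread or from any of the posters), here is a user-mode C model of the driver-side bookkeeping Don and Maxim describe above: the create-notify callback registers the PID, the first load-image callback for that PID records the executable path, termination clears the entry, and the port-access check is made in kernel mode against an allow list instead of round-tripping to a user mode application. The function names, the table size, the allow-list entries and the notification sequence in main are all constructed for the example; in a real driver the two on_* functions would be the routines registered with PsSetCreateProcessNotifyRoutine and PsSetLoadImageNotifyRoutine, the table would need a spin lock, and the image name arrives as a UNICODE_STRING rather than a char string.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed example: user-mode model of a driver's per-process table.
 * Table size and allow list are made up for illustration. */
#define MAX_TRACKED  64
#define MAX_PATH_LEN 260

typedef enum {
    PROC_FREE = 0,      /* slot unused: PID is not tracked */
    PROC_CREATED,       /* create-notify seen, no image mapped yet */
    PROC_IMAGE_KNOWN    /* first load-image callback seen: exe path recorded */
} ProcState;

typedef struct {
    unsigned long pid;
    ProcState     state;
    char          exe_path[MAX_PATH_LEN];
} TrackedProcess;

typedef enum { VERDICT_DENY = 0, VERDICT_ALLOW, VERDICT_NOT_READY } Verdict;

static TrackedProcess g_table[MAX_TRACKED];

/* Constructed allow list of NT-style image paths (what the load-image
 * callback reports), not Win32 paths. */
static const char *const g_allowed_exes[] = {
    "\\Device\\HarddiskVolume1\\Program Files\\MyApp\\myapp.exe",
    NULL
};

static TrackedProcess *find_entry(unsigned long pid)
{
    for (size_t i = 0; i < MAX_TRACKED; i++)
        if (g_table[i].state != PROC_FREE && g_table[i].pid == pid)
            return &g_table[i];
    return NULL;
}

static TrackedProcess *find_free_slot(void)
{
    for (size_t i = 0; i < MAX_TRACKED; i++)
        if (g_table[i].state == PROC_FREE)
            return &g_table[i];
    return NULL;
}

/* ASCII case-insensitive compare: NT object paths are not case sensitive. */
static bool path_equal(const char *a, const char *b)
{
    for (; *a && *b; a++, b++) {
        char ca = (*a >= 'A' && *a <= 'Z') ? (char)(*a + 32) : *a;
        char cb = (*b >= 'A' && *b <= 'Z') ? (char)(*b + 32) : *b;
        if (ca != cb) return false;
    }
    return *a == *b;
}

void reset_table(void) { memset(g_table, 0, sizeof g_table); }

/* Model of the create-process notify callback. It runs when the kernel
 * process object exists, before any user-mode image is mapped, so only
 * the PID is known here. On termination the slot is released. */
void on_create_process(unsigned long pid, bool create)
{
    TrackedProcess *e = find_entry(pid);
    if (create) {
        if (!e) e = find_free_slot();
        if (!e) return;                 /* table full: process stays untracked */
        e->pid = pid;
        e->state = PROC_CREATED;
        e->exe_path[0] = '\0';
    } else if (e) {
        memset(e, 0, sizeof *e);
    }
}

/* Model of the load-image notify callback. The first call for a PID is the
 * executable itself; later calls (DLLs) are ignored for the path lookup. */
void on_load_image(unsigned long pid, const char *image_path)
{
    TrackedProcess *e = find_entry(pid);
    if (!e || e->state == PROC_IMAGE_KNOWN) return;
    strncpy(e->exe_path, image_path, MAX_PATH_LEN - 1);
    e->exe_path[MAX_PATH_LEN - 1] = '\0';
    e->state = PROC_IMAGE_KNOWN;
}

/* Kernel-side decision for a port-access request from PID. Untracked PIDs
 * fail closed; a process whose image has not loaded yet is NOT_READY so the
 * caller can pend or retry the request instead of sleeping in user mode. */
Verdict authorize_port_access(unsigned long pid)
{
    const TrackedProcess *e = find_entry(pid);
    if (!e) return VERDICT_DENY;
    if (e->state != PROC_IMAGE_KNOWN) return VERDICT_NOT_READY;
    for (const char *const *p = g_allowed_exes; *p; p++)
        if (path_equal(e->exe_path, *p)) return VERDICT_ALLOW;
    return VERDICT_DENY;
}

int main(void)
{
    /* Constructed notification sequence for one process start and exit. */
    reset_table();
    on_create_process(1234, true);
    printf("before image load: %d\n", authorize_port_access(1234));
    on_load_image(1234, "\\Device\\HarddiskVolume1\\Program Files\\MyApp\\MYAPP.EXE");
    on_load_image(1234, "\\SystemRoot\\System32\\ntdll.dll");   /* DLL: ignored */
    printf("after image load:  %d\n", authorize_port_access(1234));
    on_create_process(1234, false);
    printf("after exit:        %d\n", authorize_port_access(1234));
    return 0;
}
```

The NOT_READY verdict is the point of the exercise: between the create notification and the first image load there is no path to check yet, so a request that lands in that window should be pended or retried rather than papered over with a sleep in the user mode application.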

Thanks for the reply!!!

It is working on 2K; maybe the delay involved in the communication is sufficient to load the process.
I will look into PsSetLoadImageNotifyRoutine; it will help me get the process name.

But in an OSR discussion list thread dating back to 2000, Don Burn, you have a comment that PsSetLoadImageNotifyRoutine is not supported on Win NT.

Yes, I do require my driver to support both Win NT and above systems.

Waiting for your valuable comments.

Cheers~
Rajesh Nikam

======== Here is part of discussion ==========

Subject: Re: Detecting process start/termination from DD
From: “Don Burn”
Date: Thu, 10 Aug 2000 07:38:08 -0400

Vladimir,

I have not used PsSetLoadImageNotifyRoutine, since it was not
available for NT4, and my work in this area required compatibility with
both systems. I used the process ID, then in user space called
OpenProcess, EnumProcessModules, GetModuleFileNameEx to
get the full path. The restriction here is that at the time of the call to
the process creation notify routine, these calls may not have enough
context to return the correct values.

Given your statement of the problem, I would consider using
a lookup of the process in a table in your driver; if the process id does
not exist in the table, trigger a user mode service to get the full path
for you, then determine if this is a special. Use
PsSetCreateProcessNotifyRoutine to delete data structures no longer
needed due to process termination.

Don Burn
NT Device Driver Consultant


I guess I have to ask why a new piece of work would support an OS no longer
supported by Microsoft? There is no clean way to determine the process
path for NT. I was doing work for a paranoid security firm where we hooked
the whole system call table, so I triggered on the first call from the
process. This is not advisable for many reasons (see the many discussions
on why hooking is bad, and then throw in all the special cases for hooking
all the calls).


Don Burn (MVP, Windows DDK)
Windows 2k/XP/2k3 Filesystem and Driver Consulting
Remove StopSpam from the email to reply
