Ravi has been trying to post the following note in reply (ah, but it is
being rejected because the list server thinks there’s an attachment to his
original message):
Please don’t rely on the process id for anything. Process IDs are reused
and moreover easily spoofed by non-privileged users. I couldn’t get to the
original question, it’s missing from this thread: but if you wish to
identify the process somehow - you should let the process register with your
driver via an IOCTL sent to a secure device object (i.e. a device object on
which there are strong ACLs, and either you do the ACL checks or you let i/o
manager do it via FILE_DEVICE_SECURE_OPEN characteristic). Set a cancel
routine in the pending IOCTL IRP that will be fired when the process exits
(normal thread i/o cancellation), and you can safely trap the process exit.
Ravi
-----Original Message-----
From: Pavel Hrdina [mailto:xxxxx@compelson.com]
Sent: Tuesday, January 29, 2002 10:22 AM
To: File Systems Developers
Subject: [ntfsd] RE: Proccess context in create
Yes, it can be, but it’s definitely not a simple task.
The routine for obtaining an Id from PEPROCESS
is completely missing, so you should use the following
sequence of code (using undocumented routines,
which is considered better than touching PEPROCESS
structure directly - because its change is highly probable).
IoGetRequestorProcess() for obtaining PEPROCESS from PIRP
ObOpenObjectByPointer() for obtaining HANDLE from PEPROCESS
ZwQueryInformationProcess() for obtaining Id from HANDLE
ZwClose() for closing HANDLE
Hope this helps.
Paul
PS: ZwQueryInformationProcess() has the same prototype as
NtQueryInformationProcess() present in NT4 NTDDK.H.
The needed ProcessInformationClass is ProcessBasicInformation
and the corresponding structure is PROCESS_BASIC_INFORMATION.
-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com]On Behalf Of Ratmil
Sent: Monday, January 28, 2002 9:25 PM
To: File Systems Developers
Subject: [ntfsd] RE: Proccess context in create
Can’t IoGetRequestorProcessId be implemented for WNT4?
-----Original Message-----
From: Dejan Maksimovic [mailto:xxxxx@alfasp.com]
Sent: Monday, January 28, 2002 16:14
To: File Systems Developers
Subject: [ntfsd] RE: Proccess context in create
Speaking of which, is there an equivalent of IoGetRequestorProcessId
for NT? It is not exported on NT4 by NTOSKRNL.EXE :-(
Regards, Dejan
Nicholas Ryan wrote:
You should rely on the IoGetRequestorProcess/Id() API to determine the
process responsible for the create, since there’s no guarantee that a
filter higher than you in the stack hasn’t posted the create off to a
worker thread (a very unwise thing to do in my opinion, but
theoretically possible).
–
Kind regards, Dejan M. www.alfasp.com
E-mail: xxxxx@alfasp.com ICQ#: 56570367
Alfa File Monitor - File monitoring library for Win32 developers.
Alfa File Protector - File protection and hiding library for Win32
developers.
Alfa Registry Monitor - Registry monitoring library for Win32
developers.
Alfa Registry Protector - Registry protection library for Win32
developers.
You are currently subscribed to ntfsd as: ratmil@ec.minbas.cu
To unsubscribe send a blank email to leave-ntfsd-$subst(‘Recip.MemberIDChar’)@lists.osr.com
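The failure mode Ravi describes (a process ID is reused after the original process exits) and the registration pattern he proposes, modelled in portable user-mode C. This is an added example, not part of the original thread and not WDK driver code: every name in it (`struct process`, `register_client`, `process_exit`, `run_scenario`) is hypothetical, a table slot stands in for the pending IOCTL IRP, and `process_exit` stands in for the cancel routine firing.

```c
#include <stdio.h>

/* User-mode model of the advice in the thread; NOT WDK code.
 * Every name here is hypothetical. */
#define SLOTS 8

struct process { unsigned pid; };            /* stands in for a process object */

static unsigned naive_trusted_pid;           /* naive: a bare PID, no lifetime */
static const struct process *pending[SLOTS]; /* one slot = one pending IOCTL IRP */

/* Models the IOCTL handler: pend the request and remember its owner. */
int register_client(const struct process *p)
{
    for (int i = 0; i < SLOTS; i++)
        if (!pending[i]) { pending[i] = p; return 0; }
    return -1;                               /* table full */
}

/* Models process exit: the pending IRP is cancelled and the cancel
 * routine drops the registration. */
void process_exit(const struct process *p)
{
    for (int i = 0; i < SLOTS; i++)
        if (pending[i] == p) pending[i] = NULL;
}

int naive_is_trusted(const struct process *p) { return p->pid == naive_trusted_pid; }

int registered_is_trusted(const struct process *p)
{
    for (int i = 0; i < SLOTS; i++)
        if (pending[i] == p) return 1;
    return 0;
}

/* Constructed scenario: a registered process exits and its PID is reused.
 * Bit 0 set: the naive PID check trusts the newcomer.
 * Bit 1 set: the registration check trusts the newcomer. */
int run_scenario(void)
{
    struct process a = { 1200 }, b = { 1200 };   /* constructed sample PID */
    naive_trusted_pid = a.pid;
    if (register_client(&a) != 0) return -1;
    process_exit(&a);
    return naive_is_trusted(&b) | (registered_is_trusted(&b) << 1);
}

int main(void) { printf("scenario result: %d\n", run_scenario()); return 0; }
```

In the model the stale PID still matches the unrelated newcomer, while the registration disappears with the process that created it.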