Process Image Handle

Hello,
it seems the field SectionHandle disappeared from the EPROCESS
structure in XP. I suppose the handle value was replaced with a
PSECTION pointer, wasn’t it? But there were some other changes to
EPROCESS, so I cannot locate the place of this image section
pointer.
Please help me with the offset of this data,
or suggest some other method to determine the startup file object of
a process image.

Thanks Ondra.



Hi,
I have just discovered the offset I mentioned before, so
if somebody is interested, it’s +138 of EPROCESS and it is
really something similar to “PSECTION ImageSection”.

Ondra.



Why do you need offsets of members of private structures? What do you need to do that cannot be accomplished via published interfaces? Peeking into offsets is not safe and may render your driver incompatible with future versions, as the fields in the unpublished structures can change with every release (including Service Packs).

Please state your real problem & we’ll see if there’s a ‘legal’ way to accomplish it - if not, I’m willing to be convinced that such an interface be published within reason.
Ravi

This posting is provided “AS IS” with no warranties, and confers no rights. You assume all risk for your use

-----Original Message-----
From: “Ondrej Ševecek” [mailto:xxxxx@centrum.cz]
Sent: Wednesday, April 03, 2002 4:37 AM
To: File Systems Developers
Subject: [ntfsd] Process Image Handle


Here’s one example.

1. Often it’s convenient to know the full path to a
process given just the process ID or PEPROCESS
pointer. I’m working on a driver where I need to
succeed or fail file opens based on the identity of
the calling process. The full path to the process
executable is an integral part of this identity.
Today, I have to drill my way from _EPROCESS to the
section object to the segment object to the control
area to the file object to the file name in order to
get this information.

— Ravisankar Pudipeddi
wrote:

=====
- Nicholas Ryan


Using the process ID or the image path name is NOT safe. It can be easily spoofed.
Process names & IDs at best can be relied upon for ‘debug’ or informational purposes - but not used for authentication.
A better approach here is to let the trusted process register with your driver when it starts up.

This way you wouldn’t need to drill down into internal structures, and your product will be secure as well.

The way to do it is:

1.) Create a device object in your driver & make sure it’s well-ACL’ed. Use FILE_DEVICE_DISK_FILE_SYSTEM to get a good default
ACL which disallows read/write by non-system/admin users.
Supply FILE_DEVICE_SECURE_OPEN in the characteristics so that I/O will authenticate opens to this device for you.

2.) Create & use a new IOCTL that specifies FILE_READ_DATA/FILE_WRITE_DATA that is used to register the process (do not use FILE_ANY_ACCESS because unprivileged users can open your device using minimal access).

3.) When your driver receives the IOCTL, you get the requestor process via IoGetRequestorProcess() on the IRP.
This process is now both authenticated by NT, and recognized by your driver (authenticated because only ADMIN/SYSTEM privileged processes can send the IOCTL to your driver).


-----Original Message-----
From: Nicholas Ryan [mailto:xxxxx@nryan.com]
Sent: Wednesday, April 03, 2002 1:54 PM
To: File Systems Developers
Subject: [ntfsd] RE: Process Image Handle

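The three registration steps above, modelled on the host so that they compile and run without the WDK. This is an added example, not code from the thread or from any driver: the FILE_DEVICE_*, FILE_*_ACCESS and access-mask values and the CTL_CODE macro are the public DDK definitions, while device_handle_t, io_manager_allows() and send_register_ioctl() are simplified stand-ins for the I/O manager's pre-dispatch access check and for the driver's dispatch routine, and the two sample handles are constructed. It shows why step 2 matters: the access bits encoded in the IOCTL code are checked against the access the caller's handle was opened with, so an IOCTL defined with FILE_ANY_ACCESS is reachable from any handle, including one an unprivileged user obtained with a minimal-access open.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Values from the public DDK headers (ntddk.h / winioctl.h). */
#define FILE_DEVICE_DISK_FILE_SYSTEM 0x00000008
#define METHOD_BUFFERED              0
#define FILE_ANY_ACCESS              0
#define FILE_READ_ACCESS             0x0001      /* same value as FILE_READ_DATA */
#define FILE_WRITE_ACCESS            0x0002      /* same value as FILE_WRITE_DATA */
#define FILE_READ_DATA               0x0001
#define FILE_WRITE_DATA              0x0002
#define FILE_READ_ATTRIBUTES         0x0080
#define SYNCHRONIZE                  0x00100000

#define CTL_CODE(DeviceType, Function, Method, Access) \
    (((DeviceType) << 16) | ((Access) << 14) | ((Function) << 2) | (Method))

/* The registration IOCTL as a driver would define it: the weak form first
 * (any handle to the device may send it), then the form the post recommends
 * (the caller's handle must have been granted read and write access). */
#define IOCTL_REGISTER_WEAK \
    CTL_CODE(FILE_DEVICE_DISK_FILE_SYSTEM, 0x800, METHOD_BUFFERED, FILE_ANY_ACCESS)
#define IOCTL_REGISTER \
    CTL_CODE(FILE_DEVICE_DISK_FILE_SYSTEM, 0x800, METHOD_BUFFERED, FILE_READ_DATA | FILE_WRITE_DATA)

/* Host-side stand-in for a handle to the driver's device object: the access
 * the open was granted, and the process that owns the handle (what
 * IoGetRequestorProcess() would return for an IRP sent through it). */
typedef struct {
    uint32_t  granted_access;
    uintptr_t process;          /* stands in for a PEPROCESS */
} device_handle_t;

/* Constructed sample handles: an unprivileged user could not open the device
 * for read/write under its ACL, but a minimal-access open succeeded; the
 * service opened it with FILE_READ_DATA | FILE_WRITE_DATA. */
static const device_handle_t kUnprivilegedHandle = { FILE_READ_ATTRIBUTES | SYNCHRONIZE, 0x1001 };
static const device_handle_t kServiceHandle      = { FILE_READ_DATA | FILE_WRITE_DATA | SYNCHRONIZE, 0x2002 };

/* Model of the check the I/O manager performs before dispatching a
 * device-control IRP: bits 14-15 of the IOCTL code name the access the
 * handle must have been opened with. FILE_ANY_ACCESS requires nothing. */
static bool io_manager_allows(uint32_t ioctl, const device_handle_t *h) {
    uint32_t required = (ioctl >> 14) & 0x3;
    uint32_t have = 0;
    if (h->granted_access & FILE_READ_DATA)  have |= FILE_READ_ACCESS;
    if (h->granted_access & FILE_WRITE_DATA) have |= FILE_WRITE_ACCESS;
    return (have & required) == required;
}

static uintptr_t g_registered_process = 0;

/* Model of the driver's dispatch for the registration IOCTL: if the request
 * reaches the driver at all, remember the requestor. In a real driver the
 * requestor comes from IoGetRequestorProcess(Irp). */
static bool send_register_ioctl(uint32_t ioctl, const device_handle_t *h) {
    if (!io_manager_allows(ioctl, h))
        return false;           /* STATUS_ACCESS_DENIED; the driver never sees the IRP */
    g_registered_process = h->process;
    return true;
}

static uintptr_t registered_process(void) { return g_registered_process; }

int main(void) {
    printf("weak IOCTL, unprivileged handle:     %s\n",
           send_register_ioctl(IOCTL_REGISTER_WEAK, &kUnprivilegedHandle) ? "registered (bad)" : "denied");
    printf("hardened IOCTL, unprivileged handle: %s\n",
           send_register_ioctl(IOCTL_REGISTER, &kUnprivilegedHandle) ? "registered (bad)" : "denied");
    printf("hardened IOCTL, service handle:      %s\n",
           send_register_ioctl(IOCTL_REGISTER, &kServiceHandle) ? "registered" : "denied");
    return 0;
}
```

Two limits of the model are worth keeping in mind. IoGetRequestorProcess() identifies the process that issued the IRP, not the security context of the thread, so a service that is impersonating a client still registers as itself. And the block says nothing about the device's DACL: FILE_DEVICE_SECURE_OPEN makes the I/O manager apply the device object's security descriptor to every open in the device's namespace, including opens with a trailing name, while the IOCTL access bits are what keep a minimal-access handle away from the registration path.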

> 1. Often it’s convenient to know the full path to a
> process given just the process ID or PEPROCESS
> pointer. I’m working on a driver where I need to
> succeed or fail file opens based on the identity of
> the calling process.

A bit strange. The EXE can be renamed.

Max

You can watch for processes being created and save the path names of the
executables you are interested in. You can see the name of the
program in the process header, and by doing a match you will know if it is a
program that interests you. You can open the executable and read the PE
header and validate the checksum, size & time stamps as desired.

----- Original Message -----
From: “Ravisankar Pudipeddi”
To: “File Systems Developers”
Sent: Wednesday, April 03, 2002 5:37 PM
Subject: [ntfsd] RE: Process Image Handle

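The PE-header check suggested above, as an added example that is not the poster's code: parse the headers of an image in memory, pull out TimeDateStamp, SizeOfImage and CheckSum, and recompute the checksum with the documented PE algorithm (one's-complement sum of every 16-bit word with the CheckSum field excluded, plus the file length). The header offsets are the public IMAGE_DOS_HEADER / IMAGE_NT_HEADERS layout; the sample image is constructed inside the block (headers only, no sections, an arbitrary timestamp) and is not a real executable.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IMAGE_DOS_SIGNATURE  0x5A4D        /* "MZ" */
#define IMAGE_NT_SIGNATURE   0x00004550    /* "PE\0\0" */

typedef struct {
    uint16_t machine;
    uint16_t number_of_sections;
    uint32_t time_date_stamp;   /* IMAGE_FILE_HEADER.TimeDateStamp */
    uint32_t size_of_image;     /* IMAGE_OPTIONAL_HEADER.SizeOfImage */
    uint32_t checksum;          /* IMAGE_OPTIONAL_HEADER.CheckSum */
    size_t   checksum_offset;   /* file offset of the CheckSum field */
} pe_info_t;

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void wr32(uint8_t *p, uint32_t v) { wr16(p, (uint16_t)v); wr16(p + 2, (uint16_t)(v >> 16)); }

/* Bounds-checked walk: DOS header -> e_lfanew -> PE signature -> file header
 * -> optional header. Every offset is checked against the image length before
 * it is read, because an untrusted file controls all of them. */
static bool pe_parse(const uint8_t *img, size_t len, pe_info_t *out) {
    if (len < 0x40 || rd16(img) != IMAGE_DOS_SIGNATURE) return false;
    uint32_t nt = rd32(img + 0x3C);                        /* e_lfanew */
    if (nt > len || len - nt < 4 + 20 + 68) return false;  /* sig + file hdr + opt hdr through CheckSum */
    if (rd32(img + nt) != IMAGE_NT_SIGNATURE) return false;
    const uint8_t *fh = img + nt + 4;   /* IMAGE_FILE_HEADER, 20 bytes */
    const uint8_t *oh = fh + 20;        /* IMAGE_OPTIONAL_HEADER */
    uint16_t opt_size = rd16(fh + 16);  /* SizeOfOptionalHeader */
    if (opt_size < 68 || opt_size > len - (size_t)(oh - img)) return false;
    uint16_t magic = rd16(oh);
    if (magic != 0x10B && magic != 0x20B) return false;    /* PE32 or PE32+ */
    out->machine            = rd16(fh);
    out->number_of_sections = rd16(fh + 2);
    out->time_date_stamp    = rd32(fh + 4);
    out->size_of_image      = rd32(oh + 56);   /* same offset in PE32 and PE32+ */
    out->checksum           = rd32(oh + 64);   /* same offset in PE32 and PE32+ */
    out->checksum_offset    = (size_t)(oh + 64 - img);
    return true;
}

/* Byte of the image as the checksum sees it: the CheckSum field counts as
 * zero and an odd-length tail is padded with zero. */
static uint8_t csum_byte(const uint8_t *img, size_t len, size_t i, size_t skip) {
    if (i >= len || (i >= skip && i < skip + 4)) return 0;
    return img[i];
}

/* The documented PE checksum: one's-complement sum of every 16-bit word in
 * the file, the CheckSum field excluded, plus the file length. */
static uint32_t pe_checksum(const uint8_t *img, size_t len, size_t checksum_offset) {
    uint32_t sum = 0;
    for (size_t i = 0; i < len; i += 2) {
        uint16_t w = (uint16_t)(csum_byte(img, len, i, checksum_offset) |
                                (csum_byte(img, len, i + 1, checksum_offset) << 8));
        sum += w;
        sum = (sum & 0xFFFF) + (sum >> 16);   /* end-around carry */
    }
    sum = (sum & 0xFFFF) + (sum >> 16);
    return sum + (uint32_t)len;
}

/* True only when the headers parse and the stored CheckSum matches. A stored
 * value of zero means the linker never set it, so there is nothing to check. */
static bool pe_checksum_valid(const uint8_t *img, size_t len) {
    pe_info_t info;
    if (!pe_parse(img, len, &info) || info.checksum == 0) return false;
    return info.checksum == pe_checksum(img, len, info.checksum_offset);
}

/* Constructed sample: a headers-only PE32 image with no sections. Not a real
 * executable. Returns the image length. */
#define SAMPLE_CAP       512
#define SAMPLE_TIMESTAMP 0x3CAB2F10u   /* arbitrary constructed value */
static size_t build_sample_image(uint8_t *buf) {
    memset(buf, 0, SAMPLE_CAP);
    wr16(buf, IMAGE_DOS_SIGNATURE);
    wr32(buf + 0x3C, 0x40);                         /* e_lfanew */
    wr32(buf + 0x40, IMAGE_NT_SIGNATURE);
    uint8_t *fh = buf + 0x44, *oh = fh + 20;
    wr16(fh, 0x014C);                               /* IMAGE_FILE_MACHINE_I386 */
    wr16(fh + 2, 0);                                /* NumberOfSections */
    wr32(fh + 4, SAMPLE_TIMESTAMP);
    wr16(fh + 16, 224);                             /* SizeOfOptionalHeader for PE32 */
    wr16(oh, 0x10B);                                /* PE32 magic */
    wr32(oh + 56, 0x1000);                          /* SizeOfImage */
    size_t len = (size_t)(oh - buf) + 224;
    wr32(oh + 64, pe_checksum(buf, len, (size_t)(oh + 64 - buf)));   /* stamp CheckSum as the linker does */
    return len;
}

/* The two cases a validator cares about, plus a header field read-back. */
static bool sample_validates(void) {
    uint8_t img[SAMPLE_CAP];
    size_t len = build_sample_image(img);
    return pe_checksum_valid(img, len);
}
static bool tampered_sample_validates(void) {
    uint8_t img[SAMPLE_CAP];
    size_t len = build_sample_image(img);
    img[0x44 + 4] ^= 0x01;                          /* flip one bit of TimeDateStamp */
    return pe_checksum_valid(img, len);
}
static uint32_t sample_timestamp(void) {
    uint8_t img[SAMPLE_CAP];
    pe_info_t info;
    size_t len = build_sample_image(img);
    return pe_parse(img, len, &info) ? info.time_date_stamp : 0;
}

int main(void) {
    printf("intact sample valid:   %d\n", sample_validates());
    printf("tampered sample valid: %d\n", tampered_sample_validates());
    printf("TimeDateStamp:         0x%08X\n", sample_timestamp());
    return 0;
}
```

A matching CheckSum shows that the file is intact, not who produced it: the algorithm is a plain one's-complement sum, so whoever modifies the executable can re-stamp the field, and a zero value means the linker never set one (kernel-mode images carry a valid checksum; many user-mode binaries do not). This catches corruption and careless substitution, but it does not answer the spoofing objection raised earlier in the thread.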

> 3.) When your driver receives the IOCTL, you get the
> requestor process via IoGetRequestorProcess() on the IRP. This
> process is now both authenticated by NT, and recognized by
> your driver (authenticated because only ADMIN/SYSTEM
> privileged processes can send the IOCTL to your driver).

How does IoGetRequestorProcess handle impersonation ?


Bartjan.

… and isn’t it simpler to let programmers get the file object
backing the image section of an executable? And is it too dangerous
to let us enumerate all threads of some process and all active
processes? And is it too dangerous to deny ObGetObjectPointerCount()
even for debug purposes? And why aren’t we allowed to use
APCs, this comfortable way of communication, as well as LPC?
I think ObCreateObject() is exported!!!, so why not use it
and let others use it - the object namespace is wonderful and
allows many “automatic” features such as security!!

THESE are the questions.

Ondra.



Can you elaborate on the question?
IoGetRequestorProcess() simply returns the EPROCESS pointer of the
process that initiated the i/o.
Ravi

-----Original Message-----
From: Bartjan Wattel [mailto:xxxxx@zeelandnet.nl]
Sent: Thursday, April 04, 2002 1:08 AM
To: File Systems Developers
Subject: [ntfsd] RE: Process Image Handle


I should have been more explicit about reasons. I
certainly do use the below method for securely
registering my service application with my driver,
because I want to make absolutely sure only MY service
is controlling MY driver. I’m not trying to use the
process pathname for this purpose.

What I do use it for is as one of the inputs to an
algorithm to determine if a given process should be
allowed access to certain files in the context of my
IRP_MJ_CREATE filter. It DOES NOT matter if the user
renames or moves the application, since we have ways
of independently verifying whether a given pathname to
a process is good or not. All I need to know is the
full path to the executable on the filesystem, renamed
or moved or whatever.

— Ravisankar Pudipeddi
wrote:
> Using the process ID or the image path name is NOT
> safe. It can be easily spoofed.
> Process names & id’s at best can be relied upon for
> ‘debug’ or informational purposes - but not used for
> authentication.
> A better approach here is to let the trusted process
> here register with your driver when it starts up.
>
> This way you wouldn’t need to drill down into
> internal structures, and your product will be secure
> as well.
>
> The way to do it is:
>
> 1.) Create a device object in your driver & make
> sure it’s well-ACL’ed. Use
> FILE_DEVICE_DISK_FILE_SYSTEM to get a good default
> ACL which disallows read/write by non- system/admin
> users.
> Supply FILE_DEVICE_SECURE_OPEN in the
> characterestics so that i/o will authenticate opens
> to this device for you
>
> 2.) Create & use a new IOCTL that specififes
> FILE_READ_DATA/FILE_WRITE_DATA that is used to
> register the process (do not use FILE_ANY_ACCESS
> because unprivileged users can open your device
> using minimal access)
>
> 3.) When your driver receives the IOCTL, you get the
> requestor proces via IoGetRequestorProcess() on the
> IRP.
> This process is now both authenticated by NT, and
> recognized by your driver.(authenticated because
> only ADMIN/SYSTEM privileged processes can send the
> IOCTL to your driver).
>

- Nicholas Ryan

Sorry - but this is even more vulnerable.
Using the full path of the process’s original file name to determine whether you can grant access isn’t secure…
What I read from here is that you would let certain processes access files that they would not normally have had the privilege to, on the basis of their path.

Ravi

-----Original Message-----
From: Nicholas Ryan [mailto:xxxxx@nryan.com]
Sent: Thursday, April 04, 2002 10:50 AM
To: File Systems Developers
Subject: [ntfsd] RE: Process Image Handle


> How does IoGetRequestorProcess handle impersonation ?

It must not, since impersonation is related to security context and not to process ID.
Use the IO_SECURITY_CONTEXT from the CREATE IRP instead.

Max

I’m not going to go into more detail about this
particular case, but I’ll give an example of a case
from a previous project of mine where I also needed
this information, and had to drill down into
undocumented land to get it:

1. A driver may want to know which folder a given
executable file is run from in order to hide or
display certain versions of certain dependent .dlls
based on application version (the version is encoded
in the folder path as a GUID).

— Ravisankar Pudipeddi
wrote:

- Nicholas Ryan