Process name spoofing - how does it work?

I was reading this article:
http://www.osronline.com/article.cfm?article=472

At the end it says
“if you decide to use the debug level name, use it for nothing more than debugging since it is not reliable and cannot be relied on for any sort of security check.”

Can someone explain how one would change/spoof this name?

It just means you can’t differentiate c:\foo\notepad.exe from
c:\windows\notepad.exe when you only use the 12-character name in the
EPROCESS.

Of course, just because something is named “c:\windows\notepad.exe” doesn’t
mean that it’s actually notepad (you could replace that executable with
something else), but the full path can be more useful than just the last few
characters.

-scott
OSR
@OSRDrivers


Hi Scott, thanks for the reply. I need a bit of clarification.

It just means you can’t differentiate c:\foo\notepad.exe from
c:\windows\notepad.exe when you only use the 12-character name in the
EPROCESS.

That of course is the case.

Of course, just because something is named “c:\windows\notepad.exe” doesn’t
mean that it’s actually notepad (you could replace that executable with
something else), but the full path can be more useful than just the last few
characters.

I got the impression that “The file name can be spoofed!” from that article. But you say it is the file itself that can be replaced.
I think I also had the background that the file name can be spoofed from another topic on the OSR forum before reading that article!!!

Could you please confirm that the file name retrieved is correct? (accepting that the file might not really be what its name implies)

It is correct for some point in time.

Querying for ProcessImageFileName is just a wrapper around
SeLocateProcessImageName. SeLocateProcessImageName queries the file system
to get the name of the executable image and then caches the result (in the
EPROCESS). Subsequent calls to query the name return the cached value.

This means that if someone renames the executable after the first call to
SeLocateProcessImageName you would get the old name and not the new one. It
is also possible that someone could rename the executable before the first
call to SeLocateProcessImageName, in which case you would get the renamed
name and not the original one.

-scott
OSR
@OSRDrivers


Thanks Scott,

I am thinking about a design like this:
having a list of executable files authorized to access some specific files, I want my filter to guarantee the integrity of the executable list and prevent any unauthorized access by other executables.

I thought I should use a different thread for my new question, so could you please read my question here:
http://www.osronline.com/showthread.cfm?link=278751