RE: How to get the PID of the process that send a packet using IpFltDrv

Jamey is right in his idea that IRP_MJ_CREATE is called in
the context of the process. We have a TDI filter and that
is how we get the process id and thread id.

-Jeff

-----Original Message-----
From: Jamey Kirby [mailto:xxxxx@storagecraft.com]
Sent: Friday, January 03, 2003 5:27 AM
To: NT Developers Interest List
Subject: [ntdev] RE: How to get the PID of the process that send a
packet using IpFltDrv

There are several ways you may be able to do this. I have never done it,
but here are my thoughts:

  1. Filter AFD.SYS
  2. Filter TDI (TCPIP.SYS)

I am not 100% sure, but I would suspect that the IRP_MJ_CREATE call is
called (in both drivers) in the context of the calling process (if the
requestor mode is user mode).

If this is the case, you can track all the create requests for that
process. Subsequently, in other calls, you can check to see if the file
object is owned by the process in question. These are just my initial
thoughts.

Jamey

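Jamey's two-step scheme (record the opener at IRP_MJ_CREATE, then match later requests by file object) is what Jeff confirms his TDI filter does. The block below is an added example, not code from this thread or from anyone's driver: a user-mode C model of that tracking table so the logic can be run stand-alone. The function names `tdi_on_create`, `tdi_lookup_owner`, `tdi_owner_pid`, `tdi_on_close` and `send_allowed` are hypothetical; in a real filter the key would be the PFILE_OBJECT from the IRP, the owner would come from `PsGetCurrentProcessId()`/`PsGetCurrentThreadId()` in the IRP_MJ_CREATE dispatch routine, and the table would be guarded by a lock. All sample addresses and PIDs are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Stand-in for PFILE_OBJECT; in a driver this is the pointer TCPIP.SYS
 * hands the filter in each IRP, here it is just an integer. */
typedef uintptr_t fobj_t;

enum { SLOT_EMPTY = 0, SLOT_USED = 1, SLOT_DELETED = 2 };

struct owner_entry {
    fobj_t   fobj;   /* key: the endpoint's file object */
    uint32_t pid;    /* owner captured at IRP_MJ_CREATE time */
    uint32_t tid;
    int      state;
};

#define TABLE_SIZE 64
static struct owner_entry g_owners[TABLE_SIZE]; /* a real driver locks this */

/* Open addressing with linear probing. FILE_OBJECTs are at least 16-byte
 * aligned, so drop the low bits before mixing (Knuth multiplicative hash). */
static size_t home_slot(fobj_t fobj)
{
    return (size_t)((((fobj >> 4) * 2654435761u) >> 16) % TABLE_SIZE);
}

/* IRP_MJ_CREATE: the one request that runs in the opener's process context,
 * so this is where the PID/TID would be read. 0 on success, -1 if full. */
int tdi_on_create(fobj_t fobj, uint32_t pid, uint32_t tid)
{
    size_t start = home_slot(fobj), first_free = TABLE_SIZE;
    for (size_t i = 0; i < TABLE_SIZE; i++) {
        size_t s = (start + i) % TABLE_SIZE;
        struct owner_entry *e = &g_owners[s];
        if (e->state == SLOT_USED) {
            if (e->fobj == fobj) { e->pid = pid; e->tid = tid; return 0; }
            continue;
        }
        if (first_free == TABLE_SIZE) first_free = s;  /* reuse tombstones */
        if (e->state == SLOT_EMPTY) break;             /* end of probe chain */
    }
    if (first_free == TABLE_SIZE) return -1;
    g_owners[first_free].fobj  = fobj;
    g_owners[first_free].pid   = pid;
    g_owners[first_free].tid   = tid;
    g_owners[first_free].state = SLOT_USED;
    return 0;
}

/* TDI_SEND / TDI_CONNECT can arrive on an arbitrary thread, so the current
 * process says nothing there; the file object is the link back to the
 * opener. Returns 1 and fills pid/tid when the object is known. */
int tdi_lookup_owner(fobj_t fobj, uint32_t *pid, uint32_t *tid)
{
    size_t start = home_slot(fobj);
    for (size_t i = 0; i < TABLE_SIZE; i++) {
        const struct owner_entry *e = &g_owners[(start + i) % TABLE_SIZE];
        if (e->state == SLOT_EMPTY) return 0;
        if (e->state == SLOT_USED && e->fobj == fobj) {
            if (pid) *pid = e->pid;
            if (tid) *tid = e->tid;
            return 1;
        }
    }
    return 0;
}

/* PID-only convenience; 0 means the filter never saw this object created. */
uint32_t tdi_owner_pid(fobj_t fobj)
{
    uint32_t pid;
    return tdi_lookup_owner(fobj, &pid, NULL) ? pid : 0;
}

/* IRP_MJ_CLEANUP / IRP_MJ_CLOSE: forget the object, otherwise a recycled
 * FILE_OBJECT address would inherit a stale owner. A tombstone (not an
 * empty slot) keeps later probe chains intact. Returns 1 if removed. */
int tdi_on_close(fobj_t fobj)
{
    size_t start = home_slot(fobj);
    for (size_t i = 0; i < TABLE_SIZE; i++) {
        struct owner_entry *e = &g_owners[(start + i) % TABLE_SIZE];
        if (e->state == SLOT_EMPTY) return 0;
        if (e->state == SLOT_USED && e->fobj == fobj) {
            e->state = SLOT_DELETED;
            return 1;
        }
    }
    return 0;
}

/* The per-application allow/deny the original question asks about. An
 * endpoint that was never seen at create time cannot be attributed, so
 * it fails closed. */
int send_allowed(fobj_t fobj, const uint32_t *allowed_pids, size_t n)
{
    uint32_t pid = tdi_owner_pid(fobj);
    if (pid == 0) return 0;
    for (size_t i = 0; i < n; i++)
        if (allowed_pids[i] == pid) return 1;
    return 0;
}

int main(void)
{
    /* constructed sample values, not real kernel addresses or PIDs */
    const fobj_t browser_ep = 0x80A01000u, other_ep = 0x80A02000u;
    const uint32_t allow[] = { 1234u };

    tdi_on_create(browser_ep, 1234u, 5678u);   /* allowed app opens an endpoint */
    tdi_on_create(other_ep,   4321u, 8765u);   /* some other process opens one */
    printf("browser send allowed: %d\n", send_allowed(browser_ep, allow, 1)); /* 1 */
    printf("other send allowed:   %d\n", send_allowed(other_ep, allow, 1));   /* 0 */
    tdi_on_close(browser_ep);
    printf("owner after close:    %u\n", tdi_owner_pid(browser_ep));          /* 0 */
    return 0;
}
```

Two caveats follow from the design rather than from anything the thread states outright: the owner recorded is the process that opened the endpoint, so a handle later duplicated into or inherited by another process is still attributed to the opener, and the create-time check only means anything if the requestor mode is user mode, as Jamey notes.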
-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Girish Kulkarni
(kulkis)
Sent: Friday, January 03, 2003 12:56 AM
To: NT Developers Interest List
Subject: [ntdev] RE: How to get the PID of the process that send a
packet using IpFltDrv

I don’t know if this is a good answer to your query, but do take a look
at the LSP sample.
You might want to do something in user mode itself rather than doing it in
the kernel.
The path is … \SDK\samples\netds\WinSock\LSP

-G

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of José Vicente
Sánchez Ortega
Sent: Friday, January 03, 2003 2:12 PM
To: NT Developers Interest List
Subject: [ntdev] RE: How to get the PID of the process that send a
packet using IpFltDrv

Gedon:
Thank you very much for your answer. I’m interested in knowing the
process which makes a connect or sends a packet, in order to allow or
deny it. We would like to do some stuff regarding this based on the
application. Best regards,

Jose Vicente.

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Rosner, Gedon
Sent: Friday, 03 January 2003 2:33
To: NT Developers Interest List
Subject: [ntdev] RE: How to get the PID of the process that send a packet
using IpFltDrv

Jose,
I don’t know the answer to your specific question (actually I’m
interested in the answer myself), but for TCP/IP packets perhaps you can
use the IP address + TCP/UDP port number for tracking flows. That won’t
give you too much information regarding the application process id, but
might be helpful. Regards, Gedon.

-----Original Message-----
From: José Vicente Sánchez Ortega [mailto:xxxxx@secuware.com]
Sent: Thursday, January 02, 2003 9:54 PM
To: NT Developers Interest List
Subject: [ntdev] How to get the PID of the process that send a packet
using IpFltDrv

I think this topic was asked before but now I can’t find the answers. I
have made a driver that registers itself with IpFltDrv.sys in order to
filter IP traffic and I would need to know, for a given packet, the PID
of the process that sent the packet. Is it possible? Does anybody know
how to accomplish this feature? Does anybody know another method in order
to establish a relationship between an IP packet emitted by a machine (or
a connection action) and the process from which it proceeds?

Thanks in advance.

Jose Vicente.


You are currently subscribed to ntdev as: xxxxx@intel.com To
unsubscribe send a blank email to xxxxx@lists.osr.com
