RE: [SPAM] Problem with filtering IRP_MJ_CREATE with execute access

You can’t be sure that a file which is being opened with the FILE_EXECUTE flag
is really going to be executed.

I use this check:

    bExec = FlagOn( accessMask, FILE_EXECUTE ) &&
            !FlagOn( accessMask, FILE_WRITE_DATA ) &&
            !FlagOn( accessMask, FILE_READ_EA );

It works fine from Win2k up to WinSrv08.
However, when you’re about to execute a 16-bit app, FILE_READ_EA is sometimes
used, so then I have to check who opens the file (usually it is the ntvdm.exe
process).

-pk
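The classification the reply above describes, as an added example that is not code from either poster: plain C that first maps the GENERIC_* rights (the GENERIC_EXECUTE case asked about in the original message below) to file-specific rights the way RtlMapGenericMask() does with the file object's generic mapping, so GENERIC_EXECUTE lands on FILE_EXECUTE, and then applies the FILE_EXECUTE / FILE_WRITE_DATA / FILE_READ_EA test, with the ntvdm.exe exception from the reply taken into account. The constants are copied from winnt.h so it builds on any host; the function names and the imageName parameter are this example's own (a real filter reads the mask from Parameters.Create.SecurityContext->DesiredAccess and has to look up the caller's image name itself), and the sample masks at the bottom are constructed for illustration.

```c
/*
 * Added example, not code from the thread: classify an IRP_MJ_CREATE
 * DesiredAccess as an "execute open" with the heuristic from the reply,
 * after resolving GENERIC_* rights the way RtlMapGenericMask() does with
 * IoFileObjectType's generic mapping. Constants copied from winnt.h.
 */
#include <stdint.h>
#include <stdio.h>

typedef uint32_t ACCESS_MASK;

/* File-specific rights (low 16 bits of the mask) */
#define FILE_READ_DATA           0x0001u
#define FILE_WRITE_DATA          0x0002u
#define FILE_APPEND_DATA         0x0004u
#define FILE_READ_EA             0x0008u
#define FILE_WRITE_EA            0x0010u
#define FILE_EXECUTE             0x0020u
#define FILE_READ_ATTRIBUTES     0x0080u
#define FILE_WRITE_ATTRIBUTES    0x0100u
/* Standard rights */
#define READ_CONTROL             0x00020000u
#define SYNCHRONIZE              0x00100000u
#define STANDARD_RIGHTS_REQUIRED 0x000F0000u
#define STANDARD_RIGHTS_READ     READ_CONTROL
#define STANDARD_RIGHTS_WRITE    READ_CONTROL
#define STANDARD_RIGHTS_EXECUTE  READ_CONTROL   /* nothing more than READ_CONTROL */
/* Generic rights, resolved through the object type's generic mapping */
#define GENERIC_READ             0x80000000u
#define GENERIC_WRITE            0x40000000u
#define GENERIC_EXECUTE          0x20000000u
#define GENERIC_ALL              0x10000000u

#define FILE_GENERIC_READ    (STANDARD_RIGHTS_READ | FILE_READ_DATA | \
                              FILE_READ_ATTRIBUTES | FILE_READ_EA | SYNCHRONIZE)
#define FILE_GENERIC_WRITE   (STANDARD_RIGHTS_WRITE | FILE_WRITE_DATA | \
                              FILE_WRITE_ATTRIBUTES | FILE_WRITE_EA | \
                              FILE_APPEND_DATA | SYNCHRONIZE)
#define FILE_GENERIC_EXECUTE (STANDARD_RIGHTS_EXECUTE | FILE_READ_ATTRIBUTES | \
                              FILE_EXECUTE | SYNCHRONIZE)
#define FILE_ALL_ACCESS      (STANDARD_RIGHTS_REQUIRED | SYNCHRONIZE | 0x1FFu)

#define FlagOn(mask, flag) (((mask) & (flag)) != 0)

/* Replace each GENERIC_* bit by the file-specific rights it stands for. */
ACCESS_MASK MapGenericFileAccess(ACCESS_MASK mask)
{
    if (FlagOn(mask, GENERIC_READ))    mask |= FILE_GENERIC_READ;
    if (FlagOn(mask, GENERIC_WRITE))   mask |= FILE_GENERIC_WRITE;
    if (FlagOn(mask, GENERIC_EXECUTE)) mask |= FILE_GENERIC_EXECUTE;
    if (FlagOn(mask, GENERIC_ALL))     mask |= FILE_ALL_ACCESS;
    return mask & ~(GENERIC_READ | GENERIC_WRITE | GENERIC_EXECUTE | GENERIC_ALL);
}

/* The reply's heuristic: execute requested, but neither write nor EA read. */
int LooksLikeExecuteOpen(ACCESS_MASK desiredAccess)
{
    ACCESS_MASK m = MapGenericFileAccess(desiredAccess);
    return FlagOn(m, FILE_EXECUTE)
        && !FlagOn(m, FILE_WRITE_DATA)
        && !FlagOn(m, FILE_READ_EA);
}

/* ASCII case-insensitive compare for image names (no locale dependence). */
static int SameImageName(const char *a, const char *b)
{
    for (; *a && *b; a++, b++) {
        unsigned char ca = (unsigned char)*a, cb = (unsigned char)*b;
        if (ca >= 'A' && ca <= 'Z') ca += 'a' - 'A';
        if (cb >= 'A' && cb <= 'Z') cb += 'a' - 'A';
        if (ca != cb) return 0;
    }
    return *a == *b;
}

/* Same heuristic with the 16-bit exception: FILE_READ_EA is tolerated when the
 * opener is ntvdm.exe. imageName (hypothetical parameter) is the caller's
 * process image name, which the filter has to obtain on its own. */
int LooksLikeExecuteOpenFrom(ACCESS_MASK desiredAccess, const char *imageName)
{
    ACCESS_MASK m = MapGenericFileAccess(desiredAccess);
    int readEaOk = SameImageName(imageName, "ntvdm.exe");
    return FlagOn(m, FILE_EXECUTE)
        && !FlagOn(m, FILE_WRITE_DATA)
        && (readEaOk || !FlagOn(m, FILE_READ_EA));
}

int main(void)
{
    /* Constructed sample masks covering the three questions in the original post. */
    struct { const char *what; ACCESS_MASK mask; const char *image; } s[] = {
        { "FILE_EXECUTE",                 FILE_EXECUTE,                   "loader.exe"  },
        { "FILE_GENERIC_EXECUTE",         FILE_GENERIC_EXECUTE,           "loader.exe"  },
        { "GENERIC_EXECUTE",              GENERIC_EXECUTE,                "loader.exe"  },
        { "STANDARD_RIGHTS_EXECUTE only", STANDARD_RIGHTS_EXECUTE,        "loader.exe"  },
        { "GENERIC_READ|GENERIC_EXECUTE", GENERIC_READ | GENERIC_EXECUTE, "loader.exe"  },
        { "FILE_EXECUTE|FILE_READ_EA",    FILE_EXECUTE | FILE_READ_EA,    "NTVDM.EXE"   },
        { "FILE_EXECUTE|FILE_READ_EA",    FILE_EXECUTE | FILE_READ_EA,    "notepad.exe" },
    };
    for (size_t i = 0; i < sizeof s / sizeof s[0]; i++)
        printf("%-30s mapped=0x%08x exec=%d exec(from %s)=%d\n", s[i].what,
               MapGenericFileAccess(s[i].mask), LooksLikeExecuteOpen(s[i].mask),
               s[i].image, LooksLikeExecuteOpenFrom(s[i].mask, s[i].image));
    return 0;
}
```

Two things the mapping makes visible: STANDARD_RIGHTS_EXECUTE is only READ_CONTROL, a bit that FILE_GENERIC_READ and FILE_GENERIC_WRITE carry as well, so a mask containing nothing but that right says nothing about execution; and a mask of GENERIC_READ | GENERIC_EXECUTE maps to a set that includes FILE_READ_EA, so the heuristic above rejects it, which is exactly the kind of case the ntvdm.exe exception exists for.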

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of
xxxxx@yahoo.com
Sent: 8 April 2009 13:56
To: Windows File Systems Devs Interest List
Subject: [SPAM] [ntfsd] Problem with filtering IRP_MJ_CREATE with execute
access

Hi All,

I am writing a driver tracking the files which are opened with execute access.
For that I am handling the IRP_MJ_CREATE IRP. It is observed that most of the
calls are made with a Desired Access of either FILE_EXECUTE or
FILE_GENERIC_EXECUTE when a file is being executed.

So I am checking for the FILE_EXECUTE flag in the IRP_MJ_CREATE IRP, ensuring
that calls with both FILE_EXECUTE and FILE_GENERIC_EXECUTE get filtered.

But I have seen one more interesting flag, GENERIC_EXECUTE, that can be used
for the same purpose.

Now if I check only the FILE_EXECUTE flag then it will not filter calls with
GENERIC_EXECUTE, as the respective values are 0x0020 and 0x20000000L.

So the questions in my mind are:

  1. Is there a possibility that a file will be executed with the
     GENERIC_EXECUTE flag set?
  2. Is there a possibility that a file will be executed with only the
     STANDARD_RIGHTS_EXECUTE flag set?
  3. What will be the best check to filter all the IRPs for tracking files
     that are being opened with execute access?

Thanks & Regards,
Amit.


NTFSD is sponsored by OSR
