It’s probably better to pass the process ID to lusermode, not an actual
handle. Then you can use OpenProcess() to get your handle.
-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of David Hinkle
Sent: Thursday, April 27, 2006 10:17 AM
To: Windows File Systems Devs Interest List
Subject: Re: [ntfsd] Reading Network Files From Userspace Service Running as
System
Thanks for the pointers to the impersonate functions. I’ve read
through them all and I think I’ve got a pretty good handle on them…
The impersonation looks pretty straightforward. I just need to call
BOOL ImpersonateLoggedOnUser(HANDLE hToken);
Where hToken is the handle to a security access token. I can
retrieve such a handle with:
BOOL OpenProcessToken(HANDLE ProcessHandle, DWORD DesiredAccess, PHANDLE TokenHandle);
or
BOOL OpenThreadToken(HANDLE ThreadHandle, DWORD DesiredAccess, BOOL OpenAsSelf, PHANDLE TokenHandle);
Which require a HANDLE to a thread or a Process. Does anybody have
any idea how I can get a handle to the security token, process or thread in
my minifilter that I can pass to userspace to accomplish this impersonation?
David
On 4/26/06, Dan Kyler wrote:
>
>
> Win32 lusermode code isn’t my main bailiwick, but you’ll find a bunch
> of stuff in MSDN. Go to the index and search for “impersonate”. I
> would think for your purposes you want ImpersonateLoggedOnUser().
>
> - Dan.
>
>
>
>
> -----Original Message-----
> From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com] On Behalf Of David Hinkle
> Sent: Wednesday, April 26, 2006 2:40 PM
> To: Windows File Systems Devs Interest List
> Subject: Re: [ntfsd] Reading Network Files From Userspace Service Running as System
>
>
>
> Could you give me some suggestions on how I could handle the
> impersonation? I don’t even know where to begin. Just some function
> names I could go read the manual on would be a great help. I will need
> some way of determining what user to impersonate from the filter driver
> and some way of impersonating that user from the service. I’ve got no
> idea how I could go about using the user’s network credentials from my
> service.
>
> As for having AV on the server, yes absolutely I would hope they do but
> if they do not and the client gets infected then my software has failed.
> This AV software is an implementation of ClamAV that I’m targeting to
> schools. Mostly I’m worried about cases where users may be sharing
> files with each other or with an infected server. I need to be able to
> scan these network files or my customers will complain loudly I believe.
> These environments aren’t usually very disciplined.
>
> David
>
>
> On 4/26/06, Dan Kyler wrote:
> >
> >
> > If you want to open the network files from the service running as
> > system, you’ll need to impersonate appropriately.
> >
> > However, you may want to revisit your requirements–wouldn’t it
> > work even better to have your product running on the server, where you
> > won’t have this issue? Depending on all the clients to have antivirus
> > software doesn’t sound as smart as having AV on the server.
> >
> > - Dan.
> >
> >
> >
> > -----Original Message-----
> > From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com] On Behalf Of David Hinkle
> > Sent: Wednesday, April 26, 2006 12:38 PM
> > To: Windows File Systems Devs Interest List
> > Subject: [ntfsd] Reading Network Files From Userspace Service Running as System
> >
> > Hello everybody. My anti-virus engine is coming along great, all
> > local drives are being scanned properly in real time and everything is
> > working. Currently I intercept all file open calls and send a message
> > to my userspace service containing the file name for it to scan and it
> > responds back on whether the file is safe or not to allow to be opened.
> > Thanks to everybody who helped, especially Dan Kyler whose method for
> > determining file names and accessing them from userspace was the most
> > straightforward to implement.
> >
> > For my next step I want to scan files across network shares. Of
> > course my userspace service running as system can’t read these files
> > because it doesn’t have permission… Getting involved in intercepting
> > buffers and passing them to userspace sounds like a very difficult and
> > error prone way to go about things… Does anybody have any ideas
> > on how I could read these files from my service? Perhaps by imitating
> > the user from my service? Can I somehow get a user’s security context
> > in the driver and pass it to my service? Or am I just going to have to
> > bite the bullet and get involved in directly scanning buffers as they
> > pass through my filter driver?
> >
> > —
> > Questions? First check the IFS FAQ at
> > https://www.osronline.com/article.cfm?id=17
> > You are currently subscribed to ntfsd as: unknown lmsubst tag argument: ‘’
> > To unsubscribe send a blank email to xxxxx@lists.osr.com
>
>
—
Questions? First check the IFS FAQ at
https://www.osronline.com/article.cfm?id=17
You are currently subscribed to ntfsd as: unknown lmsubst tag argument: ‘’
To unsubscribe send a blank email to xxxxx@lists.osr.com
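
The suggestion at the top of the thread (pass the service a process ID, call OpenProcess() there, then impersonate with that process's token), written out as an added example that is not code from any poster. `scan_as_requestor`, `scan_fn`, `open_check` and `probe_scan` are hypothetical names, and the `#else` branch holds constructed stand-ins for the five Win32 calls so the control flow also builds off Windows.

```c
#include <stdio.h>
#include <stdlib.h>
#ifdef _WIN32
#include <windows.h>
#else
/* Constructed stand-ins, NOT the Win32 API: they only count handles and state. */
typedef void *HANDLE; typedef unsigned long DWORD; typedef int BOOL;
#define FALSE 0
#define PROCESS_QUERY_INFORMATION 0x0400
#define TOKEN_DUPLICATE 0x0002
#define TOKEN_QUERY 0x0008
static int g_open_handles, g_impersonating;
static HANDLE OpenProcess(DWORD access, BOOL inherit, DWORD pid)
{ return pid ? (g_open_handles++, (HANDLE)&g_open_handles) : NULL; }
static BOOL OpenProcessToken(HANDLE p, DWORD a, HANDLE *t) { g_open_handles++; *t = p; return 1; }
static BOOL ImpersonateLoggedOnUser(HANDLE t) { g_impersonating = 1; return t != NULL; }
static BOOL RevertToSelf(void) { g_impersonating = 0; return 1; }
static BOOL CloseHandle(HANDLE h) { g_open_handles--; return h != NULL; }
int probe_scan(const char *path) { return (path && g_impersonating) ? 0 : 99; }
#endif

typedef int (*scan_fn)(const char *path);      /* hypothetical scanner hook */

/* Returns the scanner's verdict, or -1 if the requestor can't be impersonated. */
int scan_as_requestor(DWORD pid, const char *path, scan_fn scan)
{
    HANDLE token = NULL;
    int verdict = -1;
    HANDLE proc = OpenProcess(PROCESS_QUERY_INFORMATION, FALSE, pid);
    if (proc == NULL) return -1;
    /* A primary token needs TOKEN_QUERY | TOKEN_DUPLICATE to be impersonated. */
    if (OpenProcessToken(proc, TOKEN_QUERY | TOKEN_DUPLICATE, &token)) {
        if (ImpersonateLoggedOnUser(token)) {
            verdict = scan(path);       /* opens now use the user's identity */
            if (!RevertToSelf())
                abort();                /* never keep running as the user */
        }
        CloseHandle(token);
    }
    CloseHandle(proc);
    return verdict;
}

static int open_check(const char *p)    /* stand-in for the real scan */
{ FILE *f = fopen(p, "rb"); if (!f) return 1; fclose(f); return 0; }
int main(int argc, char **argv)
{
    if (argc != 3) return 2;            /* usage: prog <pid> <path> */
    return scan_as_requestor(strtoul(argv[1], NULL, 10), argv[2], open_check);
}
```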