Hey all,
I'm developing a filter driver which validates through hash the execution of
all the executable files on the disk. All the base of this feature has been
made and it's working. But now I'm with a difficult task which is getting me
crazy. I need to interact with user-mode to know if he wants or not to
execute that "unknown file". I thought that it would be possible implementing
a function that replaces the pointer of the executable file contained in the Irp
with the application which will interact with the user, with its user context.
The logic is shown below:
- File unknown?
1.1 Yes
1.1.1 We change the pointer of the executable file on Irp to the pointer of
the application which will communicate with the user.
1.1.2 The request is passed to low-level drivers and returned to the I/O
Manager.
1.1.3 The application is shown to the user
1.1.3.1 He pressed on “yes, I want to execute this file”.
1.1.3.1.1 The application makes a communication through DeviceIoControl() with
the filter, updating some information
1.1.3.1.2 This application runs the real requested application with
CreateProcess()
1.1.3.1.3 The application is terminated
1.1.3.2 He pressed on "no, I don't want to execute this file".
1.1.3.2.1 The application is terminated
1.2 No
1.2.1 The request is passed to low-level drivers and returned to the I/O
Manager
Anyone know if it is possible?
New ideas are welcome!
Hugs,
GABRIEL:
I’m confused. Are you trying to replace the image in memory? In particular, what happens when the user says to execute an image (1.1.3.1.2)? I don’t care why you are doing it; that is, I have no security ax to grind, so you needn’t worry about that, but I need to know whether you are:
(1) Modifying the image
(2) Replacing it
(3) Spawning an entirely different one
(3.1) From the kernel
(3.2) From user land, via the kernel
(4) Something altogether different
Unless (4) is the case, probably the basic answer is that it is possible, but quite difficult.
MM
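The decision flow from the original post (known file passes, unknown file prompts the user, the answer is reported back and remembered), as an added example that is not code from either poster. It models the whole flow in one user-mode Python process on constructed files; the `ask_user` callback stands in for the hypothetical prompting helper, and a kernel filter driver would of course do the hash lookup itself and only delegate the prompt.

```python
# Added example, not code from the thread: user-mode model of the original post's decision flow.
import hashlib
import tempfile
from pathlib import Path
from typing import Callable, Dict, Set

ALLOW, DENY = "allow", "deny"

def sha256_of_file(path) -> str:
    """Hash the file in chunks so a large executable is not read in one go."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

class ExecutionPolicy:
    """Known hash: allow. Unknown hash: ask once, remember the answer for that exact content."""

    def __init__(self, known_hashes: Set[str], ask_user: Callable[[str], bool]):
        self.known = set(known_hashes)
        self.ask_user = ask_user             # hypothetical prompt callback (the user-mode helper)
        self.decisions: Dict[str, str] = {}  # what the helper reports back (step 1.1.3.1.1)

    def decide(self, path) -> str:
        digest = sha256_of_file(path)
        if digest in self.known:             # step 1.2: known file, request passes through
            return ALLOW
        if digest in self.decisions:         # same bytes already judged by the user
            return self.decisions[digest]
        try:                                 # step 1.1.3: prompt; any failure counts as "no"
            verdict = ALLOW if self.ask_user(str(path)) else DENY
        except Exception:
            verdict = DENY
        self.decisions[digest] = verdict
        return verdict

def demo() -> tuple:
    """Constructed sample: one approved file and one unknown file the user approves once."""
    prompts = []
    with tempfile.TemporaryDirectory() as d:
        good, new = Path(d, "good.exe"), Path(d, "new.exe")
        good.write_bytes(b"MZ approved")
        new.write_bytes(b"MZ unknown")
        policy = ExecutionPolicy({sha256_of_file(good)}, lambda p: prompts.append(p) or True)
        first, second = policy.decide(new), policy.decide(new)  # prompt once, then remembered
        new.write_bytes(b"MZ unknown, modified")                 # content changed: hash differs,
        third = policy.decide(new)                               # so the user is asked again
        return policy.decide(good), first, second, third, len(prompts)
```

Because the remembered answer is keyed by content hash rather than by path, a file that is modified after the user approved it is treated as unknown again, which is the property the hash check is there to give.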
>> xxxxx@gmail.com 2006-05-04 13:15 >>>
Questions? First check the IFS FAQ at https://www.osronline.com/article.cfm?id=17
You are currently subscribed to ntfsd.