I DON'T KNOW WHY THE LIST SERVER IS REJECTING THE MAILS!!!
Dear All,
I am working on this FS filter. As someone pointed out, the calls to the
server component of Lanman bypass NtCreateFile() and friends. I did this
simple experiment.
On a machine I set up kernel debugging, and set a breakpoint on NtCreate
using the following command.
bp ntcreatefile ".echo file; dt _object_attributes poi(esp+0c); g"
This was good enough to give me the filename for the NtCreate call in kernel
mode.
Now, on the same machine, I created a shared folder using Windows file
sharing. I also added some files in the folder.
Now, from another machine, I accessed these files using \<shared>dir>
I opened a file remotely using notepad.
None of these got recorded in the debugger.
I think this is proof enough that for network shares NtCreate() and friends
are bypassed. Or did I go on a wild goose chase?
Now, in my current project, I need to generate logs of file I/O. I need to
log these requests, and the hooking approach is not recommended, and also
fails when these network reads occur (the proof was the experiment I did).
But exactly how this happens is unclear to me. I will try to explain.
Machine A has a share called \<share>.
It has the files a.txt, b.txt and c.txt.
Machine B accesses the share and reads the files.
Now, is it correct to state that
1. if my driver doesn't attach itself to LanmanRedirector and is loaded on
Machine B (which reads the share), then I will not get any logs?
2. on Machine A (which has the share), if my driver is loaded, I will get the
normal IRPs which an FS expects for file reads?
If the above two are true, can someone take some time and explain why
I won't get NtCreate() calls on machine A? Where exactly does the server
component tap the I/O manager? If I know correctly, NtCreate() and friends
are implemented in the NT executive. Does this mean that the server service
bypasses the executive also?
Please clarify.
Fervently hoping to get a reply from you…
Regards,
amitr0
--
- amitr0
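The experiment above watches only the NtCreateFile system-call entry point. As an added example (not from the original post), the WinDbg breakpoint script below logs the requesting process, the object name and the top of the stack at NtCreateFile and at the in-kernel create entry points IoCreateFile and IoCreateFileSpecifyDeviceObjectHint, so creates issued by kernel components that never pass through the system-call path are also visible. It assumes a 32-bit target with public symbols, where ObjectAttributes is the third stack argument (esp+c) at function entry.

```windbg
$$ Added example: log every create request, whichever entry point it uses.
$$ Assumptions (x86, public symbols): at function entry arg 3 (ObjectAttributes)
$$ is at esp+c; OBJECT_ATTRIBUTES.ObjectName is at +8 and UNICODE_STRING.Buffer
$$ at +4. For opens relative to a RootDirectory handle only the relative name
$$ is printed.

$$ User-mode system-call path (the breakpoint the original experiment used).
bp nt!NtCreateFile ".echo --- NtCreateFile ---; dt nt!_EPROCESS @$proc ImageFileName; du poi(poi(poi(esp+c)+8)+4); kc 3; g"

$$ In-kernel create entry points, also reachable without a system call.
bp nt!IoCreateFile ".echo --- IoCreateFile ---; dt nt!_EPROCESS @$proc ImageFileName; du poi(poi(poi(esp+c)+8)+4); kc 3; g"

$$ Deferred (bu) because this export does not exist on older builds.
bu nt!IoCreateFileSpecifyDeviceObjectHint ".echo --- IoCreateFileSpecifyDeviceObjectHint ---; dt nt!_EPROCESS @$proc ImageFileName; du poi(poi(poi(esp+c)+8)+4); kc 3; g"

$$ Repeat the share test (open a file on the share from the other machine).
$$ Opens made on behalf of the remote client run in the System process
$$ context; the kc output shows which entry point each one came through.
$$ Depending on the Windows version NtCreateFile may itself call IoCreateFile,
$$ so a local notepad open can print under two breakpoints; use kc to tell
$$ the paths apart rather than counting hits.
```

A file system filter or minifilter attached to the volume on machine A sees the resulting IRP_MJ_CREATE regardless of which of these entry points was used, which is the property the question about machine A is asking about.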