Check authenticity of the process from file system mini filter driver

I am using the IoThreadToProcess call along with other calls like
typedef PCHAR (*GET_PROCESS_IMAGE_NAME) (PEPROCESS Process);
GET_PROCESS_IMAGE_NAME gGetProcessImageFileName;

to get the process name from my file system minifilter driver.
This I do to allow access only to my process and block other unknown processes. I am checking the process name for this.
If somebody changes the name of their process to my product's service name, then they will be able to access my files. So now I want to check the authenticity of the process from my mini filter driver. Is there a way I can know the authenticity of the process from my file system mini filter driver,
like checking its properties, or how should I go about this?
Any help would be very useful.

vidhya

You can read the legitimate process image (e.g. the contents of the .exe file)
from the disk, calculate a SHA-256 hash and store it somewhere.
Then every time you want to allow/disallow a process, do the same and
match the hash with the stored one; if it matches then it should be
allowed, otherwise disallowed.

On Mon, Mar 5, 2018 at 11:13 AM, xxxxx@yahoo.co.in <xxxxx@lists.osr.com> wrote:


Calculating the SHA-256 for every operation to check who is performing it is not an option. Anyway, process hollowing techniques could be used to fool your driver.

I think a better option is to use FltCreateCommunicationPort in the driver and then connect to that port from your user-mode service. You would force just one connection at a time. When your user-mode service connects, the driver saves the connected process’s pid and then you can check that value in any minifilter callback without performance loss.

Thanks Shaarang and Antonio for the inputs.

Hi Antonio,

Regarding FltCreateCommunicationPort, I currently have a port opened in my driver and it is connected to one user-mode service. I have forced the max connections to 1 at a time. But I have to allow access to my files from a few of my product's services, not a single service.
At least 4 to 5 processes have to access my files. All the rest I should block.

If my understanding is correct, once I connect to the driver from the user-mode service using FilterConnectCommunicationPort, I can pass all my product's process IDs through the port, so the driver will understand that it has got these process IDs from a legitimate process.
Once I receive all the process IDs I can check the value of it in all my minifilter callbacks.

Is my understanding correct?

Yes, I think this is a way to go. Still, some illegitimate process could try to inject code into your services, but this is a larger topic, something you might want to worry about progressively. Having your services run as protected processes is probably the best option, but it is something I haven't tried myself and I think you need to have an ELAM driver, have all your binaries properly signed, etc.

> I think this is a way to go. Still, some illegitimate process could try to
> inject code into your services, but this is a larger topic, something you might
> want to worry about progressively.

Is this what you were talking about when you mentioned process hollowing? Even if I go with the FltCreateCommunicationPort approach, I guess hackers can fool my driver with the process hollowing technique. Am I right in my understanding?

Why should I have an ELAM driver? Could you please elaborate on that?

My guess is that first I can target having my services which access the files protected by checking the process ID, then I can build on it progressively as suggested.

https://msdn.microsoft.com/en-us/library/windows/desktop/dn313124(v=vs.85).aspx

Thanks for the link. I am going through it.

Vidhya

Just a doubt.
Address space layout randomization: I have enabled this in all my projects.
Won't this help against process hollowing?

Similar to message #3, I would suggest the user-mode service pass a list of accepted PIDs down to your minifilter (FilterSendMessage) and you compare the PIDs; anything else is far too slow. The user-mode service can conduct process authenticity checks in userland, which should be much easier; you can do something involving SHA hashes, or perhaps binary signing.

If you really must do it driver-only, look into https://docs.microsoft.com/en-us/windows-hardware/drivers/ddi/content/ntddk/nf-ntddk-pssetcreateprocessnotifyroutineex, though be careful as PCREATE_PROCESS_NOTIFY_ROUTINE_EX is limited to safe calls. On process start, determine if it's one of your processes, and then whitelist the PID.
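An added, constructed example (not code from any poster in this thread) of the driver-side PID allow-list that the communication-port and process-notify suggestions above both rely on: it validates the PID-list message as untrusted input, gives the cheap per-callback lookup, and drops a PID on process exit so a reused PID does not inherit access. It is plain portable C so it compiles without the WDK; the wire format (a 32-bit count followed by that many 32-bit PIDs) and all function names are assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed, portable C: the PID allow-list a minifilter keeps after the
 * user-mode service sends it through the communication port. In the driver
 * this would run in the port's MessageNotify callback under a lock; here it
 * is plain C so it compiles anywhere. */
#define MAX_ALLOWED_PIDS 8

static uint32_t g_allowed[MAX_ALLOWED_PIDS];
static size_t g_allowed_count;

/* Replace the allow-list from a received buffer laid out as an assumed
 * "uint32_t count, then count PIDs". Count and length come from user mode,
 * so both are validated before anything is copied; on a malformed message
 * the table is left untouched and false is returned. */
bool load_allowed_pids(const void *buf, size_t len)
{
    uint32_t count;
    if (buf == NULL || len < sizeof count)
        return false;
    memcpy(&count, buf, sizeof count);
    if (count > MAX_ALLOWED_PIDS || len < sizeof count + count * sizeof(uint32_t))
        return false;
    memcpy(g_allowed, (const uint8_t *)buf + sizeof count, count * sizeof(uint32_t));
    g_allowed_count = count;
    return true;
}

/* Cheap enough for a pre-operation callback: compare the requesting PID
 * (PsGetProcessId of IoThreadToProcess(...) in the driver) with the table. */
bool is_allowed_pid(uint32_t pid)
{
    for (size_t i = 0; i < g_allowed_count; i++)
        if (g_allowed[i] == pid)
            return true;
    return false;
}

/* Call from the process-exit notification (Create == FALSE) so that a later
 * process handed the same PID does not inherit the old one's access. */
void forget_pid(uint32_t pid)
{
    for (size_t i = 0; i < g_allowed_count; i++)
        if (g_allowed[i] == pid) {
            g_allowed[i] = g_allowed[--g_allowed_count];
            return;
        }
}
```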