Detect specific process?

NTFSD Folk:

I have a minifilter driver that does strange and wonderful things to certain
types of files.

However, there is one process (a user-mode service) that I’d like to be
exempt from this processing. I can’t figure out how to detect this process.
I’m sure the info (the ImageName would be sufficient) is in the KEPROCESS
block somewhere, but that’s supposed to be opaque.

Is there any way to obtain detailed process information from the kernel
(primarily in the IRP_MJ_CREATE handler)?

Thanks,
Ken

First it is dangerous to just use the image name, there is little or no
security here. If you own the process have it pass your filter the pid, and
use it. Otherwise, the official way to handle what you are asking for
involves PsSetCreateProcessNotifyRoutine and PsSetLoadImageNotifyRoutine.
You need to build a table to convert pids to paths by creating an entry on
process creation, filling it in on image load, and deleting it at process
termination.

There is an undocumented call in XP and later named
PsGetProcessImageFileName that I believe will get you the path.


Don Burn (MVP, Windows DDK)
Windows 2k/XP/2k3 Filesystem and Driver Consulting
Remove StopSpam from the email to reply

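As an added illustration (not code from the thread or from any of its authors) of the pid-to-path table Don describes, here is a user-mode C model of the three hooks: an entry is created on process creation, its path is filled on the first image load, and it is deleted on termination, with the lookup an IRP_MJ_CREATE callback would consult. The callback names are stand-ins for the real kernel notify routines, the pid type and fixed-size table are assumptions, and an unknown pid returning NULL models Ken's caveat that the driver may load after the service has already started.

```c
#include <string.h>
#define MAX_TRACKED  64
#define MAX_PATH_LEN 260
/* One slot per tracked process: pid plus the image path learned on load. */
typedef struct { unsigned long pid; char path[MAX_PATH_LEN]; int in_use; } proc_entry_t;
static proc_entry_t g_table[MAX_TRACKED];   /* hypothetical fixed-size table */

static proc_entry_t *find_entry(unsigned long pid) {
    for (int i = 0; i < MAX_TRACKED; i++)
        if (g_table[i].in_use && g_table[i].pid == pid) return &g_table[i];
    return NULL;
}

/* Stand-in for a PsSetCreateProcessNotifyRoutine callback: create != 0 adds an
 * empty entry, create == 0 (termination) deletes it. Returns 1 if updated. */
int on_process_notify(unsigned long pid, int create) {
    proc_entry_t *e = find_entry(pid);
    if (!create) {
        if (!e) return 0;
        e->in_use = 0;
        return 1;
    }
    if (e) return 1;                         /* already tracked */
    for (int i = 0; i < MAX_TRACKED; i++) {
        if (!g_table[i].in_use) {
            g_table[i].in_use = 1;
            g_table[i].pid = pid;
            g_table[i].path[0] = '\0';
            return 1;
        }
    }
    return 0;                                /* table full: pid stays unknown */
}

/* Stand-in for a PsSetLoadImageNotifyRoutine callback. Assumption: the first
 * image loaded into a new process is its main exe; later loads (DLLs) are ignored. */
void on_image_load(unsigned long pid, const char *image_path) {
    proc_entry_t *e = find_entry(pid);
    if (!e || e->path[0] != '\0') return;
    strncpy(e->path, image_path, MAX_PATH_LEN - 1);
    e->path[MAX_PATH_LEN - 1] = '\0';
}

/* What the IRP_MJ_CREATE callback would ask: NULL for any pid the callbacks
 * never saw, e.g. a service that started before the driver was loaded. */
const char *lookup_image_path(unsigned long pid) {
    proc_entry_t *e = find_entry(pid);
    return (e && e->path[0] != '\0') ? e->path : NULL;
}
```

Note that a NULL from lookup_image_path is exactly the hole Tony points at: a pid the driver never saw, or a matching name, is not proof of identity, so the bypass decision should rest on something stronger than this table.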

Don:

Yeah, I realize the potential dangers, but if processing is bypassed on some
things it’s no big deal.

I’ve looked into PsSetCreateProcessNotifyRoutine and friends, but they have
some major downsides (get called for *every* process, cannot unload before
system shutdown, only 8 allowed per system, etc.). Plus the driver may get
loaded after the service has started.

PsGetProcessImageFileName looks perfect, but it sure is undocumented (not in
any .h file I can find - even in the Srv03 SP1 DDK).

At least I know I haven’t missed something stupid. I’ll figure out
something.

Thanks very much!

Ken

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Don Burn
Sent: Wednesday, October 20, 2004 2:12 PM
To: Windows File Systems Devs Interest List
Subject: Re:[ntfsd] Detect specific process?



Questions? First check the IFS FAQ at
https://www.osronline.com/article.cfm?id=17

You are currently subscribed to ntfsd as: xxxxx@comcast.net
To unsubscribe send a blank email to xxxxx@lists.osr.com

Ken,

Maybe we should start begging Microsoft to document
PsGetProcessImageFileName and provide a retrofit to work with 2000. The
data has always been there, they just haven’t provided a way to get it out.


Don Burn (MVP, Windows DDK)
Windows 2k/XP/2k3 Filesystem and Driver Consulting


The name in the EPROCESS is NOT sufficient. This is easily spoofed and
is NOT secure. It is FAR better for you to create a device object,
put a restrictive ACL on it, and have your service run under an account
with appropriate privileges to access the device object. Then you can
register the process information and allow it to bypass your other
processing.

Regards,

Tony

Tony Mason
Consulting Partner
OSR Open Systems Resources, Inc.
http://www.osr.com

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Ken Cross
Sent: Wednesday, October 20, 2004 1:45 PM
To: ntfsd redirect
Subject: [ntfsd] Detect specific process?


> PsGetProcessImageFileName and provide a retrofit to work with 2000. The
> data has always been there, they just haven’t provided a way to get it out.

This is true. Every EPROCESS structure has a pointer/handle to the
image section, which has a pointer to the CONTROL_AREA,
and then a pointer to the file object. The problem is that the
offsets differ in each Windows version.

At least they should allow returning the file object;
the name can be queried by the driver itself.

L.

No, EPROCESS has an ANSI filename of the image file somewhere. This
filename does not contain the full path though.

Also note that the file object is not obliged to contain the valid file
name after the CREATE path was executed. ->FileName is there only for the duration
of CREATE.

Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
xxxxx@storagecraft.com
http://www.storagecraft.com

----- Original Message -----
From: “Ladislav Zezula”
To: “Windows File Systems Devs Interest List”
Sent: Thursday, October 21, 2004 10:38 AM
Subject: Re: Re:[ntfsd] Detect specific process?


> No, EPROCESS has an ANSI filename of the image file somewhere. This
> filename does not contain the full path though.

Yes, this is there too. But there is an image section handle/pointer
too, from which it is possible to extract the file object.

> Also note that the file object is not obliged to contain the valid file
> name after the CREATE path was executed. ->FileName is there only for the
> duration of CREATE.

True. But I meant to query the name by call of QueryInformationFile,
not by copying the name from the file object.

L.