  Message 1 of 4  
11 Jan 17 12:05
Matt
xxxxxx@gmail.com
Join Date: 24 Dec 2016
Posts To This List: 21
minifilter - distinguish between exe and dll

I'm working with the file system mini filter - scanner sample. I'm quite new to this.

In general: I'm supposed to block I/O requests for files by their magic number. The problem is, the EXE and DLL magic number is the same. Once I block them, the computer is no longer able to do anything, since any operation requires calling a DLL or EXE. This method works fine with all other files like PDF, JPG etc...

So I got 2 questions:

1. How can I distinguish between EXE and DLL when trying to block only EXE? I've tried Data->Iopb->Parameters.Create.SecurityContext->DesiredAccess but EXE and DLL got the same DesiredAccess.

2. When I want to block EXE I want to block opening EXE only. By that I mean, when the user opens firefox.exe it is supposed to block access, since the file which was opened is an EXE. But when opening text.txt it is supposed to let it open, since notepad.exe was not called directly by the user and it was a TXT. I didn't find any way to implement this yet.

Thanks for help!
  Message 2 of 4  
12 Jan 17 04:32
Slava Imameev
xxxxxx@hotmail.com
Join Date: 13 Sep 2013
Posts To This List: 253
minifilter - distinguish between exe and dll

1. Read the file's PE header in a postoperation callback for a create request with FltReadFile if the FILE_EXECUTE right has been requested, OR do this in a preoperation callback by opening the file with FltCreateFile and then calling FltReadFile.

2. This architecture doesn't make sense and can hardly be implemented correctly in kernel mode. Though there is an alternative with some user mode hook tricks.
  Message 3 of 4  
12 Jan 17 10:42
Peter Scott
xxxxxx@kerneldrivers.com
Join Date: 17 Feb 2012
Posts To This List: 669
minifilter - distinguish between exe and dll

The most straightforward approach would be to scan the PE header and make a decision based on this. You can do this in either the pre/post create processing or in the image load callback. I have implemented similar types of processing by combining the 2 methods to minimize the processing on reading headers, etc.

Pete

--
Kernel Drivers
Windows File System and Device Driver Consulting
www.KernelDrivers.com
866.263.9295
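Both replies recommend reading the PE header and deciding from it. What follows is an added example, not code from this thread or from the OSR scanner sample: a user-mode C stand-in for the check a post-create callback would run over the buffer that FltReadFile filled. The "MZ" magic is identical for EXE and DLL, which is why the magic-number approach could not separate them; the distinguishing bit is IMAGE_FILE_DLL in IMAGE_FILE_HEADER.Characteristics. The constants are the winnt.h values redefined so the example builds without the SDK; classify_pe, build_sample_pe and classify_sample are names chosen here, and the sample bytes are constructed headers, not a real executable.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* PE constants with the same values as winnt.h, redefined here so the
 * example builds without the Windows SDK. */
#define IMAGE_DOS_SIGNATURE          0x5A4D     /* "MZ": identical for EXE and DLL */
#define IMAGE_NT_SIGNATURE           0x00004550 /* "PE\0\0" */
#define IMAGE_FILE_EXECUTABLE_IMAGE  0x0002
#define IMAGE_FILE_DLL               0x2000     /* set in Characteristics for DLLs */
#define E_LFANEW_OFFSET              0x3C       /* IMAGE_DOS_HEADER.e_lfanew */
#define FILE_HEADER_SIZE             20         /* sizeof(IMAGE_FILE_HEADER) */
#define CHARACTERISTICS_OFFSET       18         /* IMAGE_FILE_HEADER.Characteristics */

typedef enum {
    PE_NOT_PE = 0,  /* no MZ/PE signatures: not a PE image */
    PE_TRUNCATED,   /* PE-like, but the buffer ends before the file header */
    PE_EXE,
    PE_DLL
} pe_kind;

/* Little-endian readers: PE headers are little-endian on disk. */
static uint16_t rd16(const unsigned char *p)
{
    return (uint16_t)(p[0] | ((uint16_t)p[1] << 8));
}
static uint32_t rd32(const unsigned char *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Classify the first `len` bytes of a file (what FltReadFile reported in
 * BytesRead). Every offset is bounds-checked against `len`, because a short
 * file or a short read must never make the filter read past its buffer. */
pe_kind classify_pe(const unsigned char *buf, size_t len)
{
    if (len < 2 || rd16(buf) != IMAGE_DOS_SIGNATURE)
        return PE_NOT_PE;
    if (len < (size_t)E_LFANEW_OFFSET + 4)
        return PE_TRUNCATED;

    uint32_t e_lfanew = rd32(buf + E_LFANEW_OFFSET);
    /* 64-bit arithmetic so a hostile e_lfanew near UINT32_MAX cannot wrap. */
    if ((uint64_t)e_lfanew + 4 + FILE_HEADER_SIZE > len)
        return PE_TRUNCATED;
    if (rd32(buf + e_lfanew) != IMAGE_NT_SIGNATURE)
        return PE_NOT_PE;

    uint16_t characteristics = rd16(buf + e_lfanew + 4 + CHARACTERISTICS_OFFSET);
    return (characteristics & IMAGE_FILE_DLL) ? PE_DLL : PE_EXE;
}

/* Constructed sample: a header-only image with the given Characteristics.
 * Not a real executable, just enough bytes to exercise the parser.
 * Returns the number of bytes written, or 0 if `cap` is too small. */
size_t build_sample_pe(unsigned char *out, size_t cap, uint16_t characteristics)
{
    const uint32_t e_lfanew = 0x80;
    size_t need = e_lfanew + 4 + FILE_HEADER_SIZE;
    if (cap < need)
        return 0;
    memset(out, 0, need);
    out[0] = 'M';
    out[1] = 'Z';
    out[E_LFANEW_OFFSET] = (unsigned char)e_lfanew;  /* upper bytes stay 0 */
    memcpy(out + e_lfanew, "PE\0\0", 4);
    out[e_lfanew + 4 + CHARACTERISTICS_OFFSET]     = (unsigned char)(characteristics & 0xFF);
    out[e_lfanew + 4 + CHARACTERISTICS_OFFSET + 1] = (unsigned char)(characteristics >> 8);
    return need;
}

/* Build a sample and classify it, optionally pretending the read stopped
 * after `limit` bytes (0 = whole header) to exercise the short-read path. */
pe_kind classify_sample(uint16_t characteristics, size_t limit)
{
    unsigned char buf[256];
    size_t n = build_sample_pe(buf, sizeof buf, characteristics);
    if (limit && limit < n)
        n = limit;
    return classify_pe(buf, n);
}

int main(void)
{
    static const char *names[] = { "not PE", "truncated", "EXE", "DLL" };
    printf("exe sample:   %s\n", names[classify_sample(IMAGE_FILE_EXECUTABLE_IMAGE, 0)]);
    printf("dll sample:   %s\n", names[classify_sample(IMAGE_FILE_EXECUTABLE_IMAGE | IMAGE_FILE_DLL, 0)]);
    printf("64-byte read: %s\n", names[classify_sample(IMAGE_FILE_EXECUTABLE_IMAGE, 64)]);
    printf("pdf header:   %s\n", names[classify_pe((const unsigned char *)"%PDF-1.7", 8)]);
    return 0;
}
```

A short read is reported as PE_TRUNCATED rather than guessed at; whether the filter then fails open or closed for that create is a policy decision. In the kernel version the same bounds checks must run against the BytesRead value FltReadFile actually returned, not against the size of the allocated buffer.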
  Message 4 of 4  
12 Jan 17 12:48
Matt
xxxxxx@gmail.com
Join Date: 24 Dec 2016
Posts To This List: 21
minifilter - distinguish between exe and dll

1. If I understand correctly (this is my first driver writing), on postoperation I call:

    status = FltReadFile(Instance, FileObject, &offset, length, buffer,
                         FLTFL_IO_OPERATION_NON_CACHED | FLTFL_IO_OPERATION_DO_NOT_UPDATE_BYTE_OFFSET,
                         &bytesRead, NULL, NULL);

After that, I check if it's FILE_EXECUTE as below:

    if (Data->Iopb->Parameters.Create.SecurityContext->DesiredAccess == FILE_EXECUTE) {
        // this is exe
    }

But the statement is always false. Another thing, if I print DesiredAccess for PE files I get numbers like 128, 1179785, 1048609... What do they mean?

2. You mentioned user mode hook - I read in many places that hooking on 64-bit systems doesn't work since there's PatchGuard which disallows hooking the win32 API, so I never tried this method.
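The comparison in the post above tests the whole ACCESS_MASK for equality with FILE_EXECUTE, so it is true only when no other right is requested, which a create almost never does. The following is an added example, not code from the thread: it decodes the three values printed above using the access-right constants (winnt.h/ntifs.h values redefined so it builds without the WDK) and puts the bit test beside the equality test. requests_execute, is_exactly_file_execute and describe_access are names chosen here; including GENERIC_EXECUTE and GENERIC_ALL in the bit test is an assumption that the mask may still carry unmapped generic rights at the point it is inspected.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Access-right bits with the same values as winnt.h/ntifs.h, redefined so
 * the example builds without the WDK. */
#define FILE_READ_DATA         0x00000001u
#define FILE_WRITE_DATA        0x00000002u
#define FILE_APPEND_DATA       0x00000004u
#define FILE_READ_EA           0x00000008u
#define FILE_WRITE_EA          0x00000010u
#define FILE_EXECUTE           0x00000020u
#define FILE_DELETE_CHILD      0x00000040u
#define FILE_READ_ATTRIBUTES   0x00000080u
#define FILE_WRITE_ATTRIBUTES  0x00000100u
#define DELETE                 0x00010000u
#define READ_CONTROL           0x00020000u
#define WRITE_DAC              0x00040000u
#define WRITE_OWNER            0x00080000u
#define SYNCHRONIZE            0x00100000u
#define GENERIC_ALL            0x10000000u
#define GENERIC_EXECUTE        0x20000000u
#define GENERIC_WRITE          0x40000000u
#define GENERIC_READ           0x80000000u

static const struct { uint32_t bit; const char *name; } kRights[] = {
    { FILE_READ_DATA, "FILE_READ_DATA" },           { FILE_WRITE_DATA, "FILE_WRITE_DATA" },
    { FILE_APPEND_DATA, "FILE_APPEND_DATA" },       { FILE_READ_EA, "FILE_READ_EA" },
    { FILE_WRITE_EA, "FILE_WRITE_EA" },             { FILE_EXECUTE, "FILE_EXECUTE" },
    { FILE_DELETE_CHILD, "FILE_DELETE_CHILD" },     { FILE_READ_ATTRIBUTES, "FILE_READ_ATTRIBUTES" },
    { FILE_WRITE_ATTRIBUTES, "FILE_WRITE_ATTRIBUTES" }, { DELETE, "DELETE" },
    { READ_CONTROL, "READ_CONTROL" },               { WRITE_DAC, "WRITE_DAC" },
    { WRITE_OWNER, "WRITE_OWNER" },                 { SYNCHRONIZE, "SYNCHRONIZE" },
    { GENERIC_ALL, "GENERIC_ALL" },                 { GENERIC_EXECUTE, "GENERIC_EXECUTE" },
    { GENERIC_WRITE, "GENERIC_WRITE" },             { GENERIC_READ, "GENERIC_READ" },
};

/* The check from the post, kept for comparison: true only when FILE_EXECUTE
 * is the *only* bit set. Creates also carry SYNCHRONIZE, FILE_READ_DATA and
 * similar rights, so this is almost never true. */
int is_exactly_file_execute(uint32_t desired_access)
{
    return desired_access == FILE_EXECUTE;
}

/* Bit test: true when execute access is among the requested rights.
 * GENERIC_EXECUTE / GENERIC_ALL are included on the assumption that the mask
 * might still hold unmapped generic rights; if it is known to be mapped
 * already, FILE_EXECUTE alone is enough. */
int requests_execute(uint32_t desired_access)
{
    return (desired_access & (FILE_EXECUTE | GENERIC_EXECUTE | GENERIC_ALL)) != 0;
}

/* Render a mask as "NAME|NAME|...", leaving any unnamed bits as hex.
 * Uses a static buffer for simplicity, so it is not reentrant. */
const char *describe_access(uint32_t mask)
{
    static char out[512];
    uint32_t rest = mask;
    size_t pos = 0;
    out[0] = '\0';
    for (size_t i = 0; i < sizeof kRights / sizeof kRights[0]; i++) {
        if (mask & kRights[i].bit) {
            pos += (size_t)snprintf(out + pos, sizeof out - pos, "%s%s",
                                    pos ? "|" : "", kRights[i].name);
            rest &= ~kRights[i].bit;
        }
    }
    if (rest)
        pos += (size_t)snprintf(out + pos, sizeof out - pos, "%s0x%08x",
                                pos ? "|" : "", (unsigned)rest);
    if (pos == 0)
        snprintf(out, sizeof out, "(none)");
    return out;
}

int main(void)
{
    /* The three DesiredAccess values quoted in the post above. */
    const uint32_t samples[] = { 128u, 1179785u, 1048609u };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%u = 0x%08x = %s  [execute bit: %d, == FILE_EXECUTE: %d]\n",
               (unsigned)samples[i], (unsigned)samples[i], describe_access(samples[i]),
               requests_execute(samples[i]), is_exactly_file_execute(samples[i]));
    return 0;
}
```

Running it decodes 128 as FILE_READ_ATTRIBUTES (a metadata-only open), 1179785 as FILE_READ_DATA|FILE_READ_EA|FILE_READ_ATTRIBUTES|READ_CONTROL|SYNCHRONIZE (a plain read open), and 1048609 as FILE_READ_DATA|FILE_EXECUTE|SYNCHRONIZE, which is the only one of the three that should trigger the PE-header check. Because SYNCHRONIZE rides along with the execute right, the equality test is false for it while the bit test is true.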