minifilter - distinguish between exe and dll

I’m working with the file system mini filter - scanner sample. I’m quite new to this.

In general:
I’m supposed to block I/O requests for files by their magic number.
The problem is, the EXE and DLL magic number is the same.
Once I block them, the computer is no longer able to do anything, since any operation requires calling a DLL or EXE.

This method works fine with all other files like PDF, JPG, etc.

So I got 2 questions:

  1. How can I distinguish between EXE and DLL when trying to block only EXE?
    I’ve tried Data->Iopb->Parameters.Create.SecurityContext->DesiredAccess, but EXE and DLL get the same DesiredAccess.
  2. When I want to block EXE, I want to block opening EXE only. By that I mean, when a user opens firefox.exe it is supposed to block access, since the file which was opened is an EXE. But when opening text.txt it is supposed to let it open, since notepad.exe was not called directly by the user and the file was a TXT. I didn’t find any way to implement this yet.

Thanks for the help!

  1. Read the file’s PE header in a postoperation callback for a create request with FltReadFile if the FILE_EXECUTE right has been requested OR do this in a preoperation callback by opening a file with FltCreateFile and then calling FltReadFile.

  2. This architecture doesn’t make sense and can hardly be implemented correctly in kernel mode. Though there is an alternative with some user mode hook tricks.

The most straightforward approach would be to scan the PE header and make a decision based on this. You can do this in either the pre/post create processing or in the image load callback. I have implemented similar types of processing by combining the 2 methods to minimize the processing on reading headers, etc.

Pete


Kernel Drivers
Windows File System and Device Driver Consulting
www.KernelDrivers.com
866.263.9295

------ Original Message ------
From: xxxxx@gmail.com
To: “Windows File Systems Devs Interest List”
Sent: 1/11/2017 10:03:39 AM
Subject: [ntfsd] minifilter - distinguish between exe and dll


  1. If I understand correctly, (this is my first driver writing) on postoperation I call:
    status = FltReadFile(Instance, FileObject, &offset, length, buffer, FLTFL_IO_OPERATION_NON_CACHED | FLTFL_IO_OPERATION_DO_NOT_UPDATE_BYTE_OFFSET, &bytesRead, NULL, NULL);

After that, I check if it’s FILE_EXECUTE as below:
if (Data->Iopb->Parameters.Create.SecurityContext->DesiredAccess == FILE_EXECUTE)
{
    // this is exe
}
But the statement is always false.
Another thing: if I print DesiredAccess for PE files I get numbers like 128, 1179785, 1048609… What do they mean?

  2. You mentioned a user mode hook - I read in many places that hooking on a 64-bit system doesn’t work since there’s PatchGuard, which disallows hooking the Win32 API, so I never tried this method.
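The two checks from the first reply (read the PE header, act only when FILE_EXECUTE was requested) and the mask question in the follow-up post are shown together below in an added user-mode C example. It is not code from this thread or from the WDK scanner sample: it parses a constructed in-memory header instead of a buffer returned by FltReadFile, and the helper names (classify_pe, execute_requested, should_block_create, make_header) are this example's own. The constant values are the documented winnt.h/ntifs.h ones. Two facts it relies on: EXE and DLL share the MZ/PE signatures, and the bit that separates them is IMAGE_FILE_DLL in the COFF Characteristics field; and DesiredAccess is an ACCESS_MASK, so a right is tested with & rather than ==. The decimal values from the follow-up decode that way: 128 is FILE_READ_ATTRIBUTES, 1179785 (0x120089) is FILE_GENERIC_READ, and 1048609 (0x100021) is SYNCHRONIZE | FILE_EXECUTE | FILE_READ_DATA, which is why an == FILE_EXECUTE comparison is never true while a mask test is.

```c
/* Added example (not code from the thread or the WDK scanner sample):
 * classify a PE header as EXE or DLL and combine it with a proper
 * ACCESS_MASK test. Runs in user mode on a constructed header. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* ACCESS_MASK bits (documented values from winnt.h / ntifs.h). */
#define FILE_READ_DATA        0x00000001u
#define FILE_READ_EA          0x00000008u
#define FILE_EXECUTE          0x00000020u
#define FILE_READ_ATTRIBUTES  0x00000080u
#define READ_CONTROL          0x00020000u
#define SYNCHRONIZE           0x00100000u

/* PE constants (winnt.h). */
#define IMAGE_DOS_SIGNATURE         0x5A4Du      /* "MZ" */
#define IMAGE_NT_SIGNATURE          0x00004550u  /* "PE\0\0" */
#define IMAGE_FILE_EXECUTABLE_IMAGE 0x0002u
#define IMAGE_FILE_DLL              0x2000u

enum pe_kind { PE_NOT_PE = 0, PE_EXE = 1, PE_DLL = 2 };

/* DesiredAccess is a bit mask: test the right with &, never with ==. */
static int execute_requested(uint32_t desired_access)
{
    return (desired_access & FILE_EXECUTE) != 0;
}

/* Little-endian readers so the parser does not depend on host byte order. */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Characteristics sits 22 bytes after "PE\0\0": signature(4) + Machine(2)
 * + NumberOfSections(2) + TimeDateStamp(4) + PointerToSymbolTable(4)
 * + NumberOfSymbols(4) + SizeOfOptionalHeader(2). */
static enum pe_kind classify_pe(const uint8_t *buf, size_t len)
{
    if (len < 0x40 || rd16(buf) != IMAGE_DOS_SIGNATURE)
        return PE_NOT_PE;
    uint32_t e_lfanew = rd32(buf + 0x3C);          /* offset of PE header */
    if (e_lfanew > len || len - e_lfanew < 24)     /* need signature + COFF header */
        return PE_NOT_PE;
    if (rd32(buf + e_lfanew) != IMAGE_NT_SIGNATURE)
        return PE_NOT_PE;
    uint16_t characteristics = rd16(buf + e_lfanew + 22);
    return (characteristics & IMAGE_FILE_DLL) ? PE_DLL : PE_EXE;
}

/* Policy from the first reply: block only an execute-access create on an
 * EXE. DLL loads, non-PE files, and plain reads of an EXE all pass. */
static int should_block_create(uint32_t desired_access,
                               const uint8_t *header, size_t len)
{
    return execute_requested(desired_access) &&
           classify_pe(header, len) == PE_EXE;
}

/* Constructed minimal header: DOS stub with e_lfanew = 0x40, then the PE
 * signature and a COFF header carrying the given Characteristics. */
static size_t make_header(uint8_t *out, uint16_t characteristics)
{
    memset(out, 0, 0x40 + 24);
    out[0] = 'M'; out[1] = 'Z';
    out[0x3C] = 0x40;                              /* e_lfanew, little-endian */
    out[0x40] = 'P'; out[0x41] = 'E';              /* "PE\0\0" */
    out[0x40 + 22] = (uint8_t)(characteristics & 0xFF);
    out[0x40 + 23] = (uint8_t)(characteristics >> 8);
    return 0x40 + 24;
}

/* Helpers that build a header and run the checks on it. */
static enum pe_kind classify_constructed(uint16_t characteristics)
{
    uint8_t hdr[0x40 + 24];
    return classify_pe(hdr, make_header(hdr, characteristics));
}

static int block_constructed(uint16_t characteristics, uint32_t desired_access)
{
    uint8_t hdr[0x40 + 24];
    return should_block_create(desired_access, hdr, make_header(hdr, characteristics));
}

int main(void)
{
    uint32_t exec_open = SYNCHRONIZE | FILE_EXECUTE | FILE_READ_DATA; /* 1048609 */
    printf("exe + execute: block=%d\n",
           block_constructed(IMAGE_FILE_EXECUTABLE_IMAGE, exec_open));
    printf("dll + execute: block=%d\n",
           block_constructed(IMAGE_FILE_EXECUTABLE_IMAGE | IMAGE_FILE_DLL, exec_open));
    printf("exe + generic read: block=%d\n",
           block_constructed(IMAGE_FILE_EXECUTABLE_IMAGE, 1179785u));
    return 0;
}
```

In a minifilter the header bytes would come from FltReadFile in the post-create callback (or from FltCreateFile plus FltReadFile in pre-create), and the same classify_pe logic would also serve in an image load notify routine, as Pete's reply suggests; everything else stays as written. Note that classify_pe treats anything without IMAGE_FILE_DLL as an EXE, so a driver would also want to confirm IMAGE_FILE_EXECUTABLE_IMAGE before trusting the result.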