Re[2]: minifilter - distinguish between exe and dll

The Desired access won’t be EQUAL to FILE_EXECUTE, it will contain that
bit. Check out the definitions of the different accesses in the ntifs
header file and you’ll see they are OR’d together.

But yes, you can check for execute access and, if set, then read in the
header of the file. Read up on the PE header layout and you’ll see you
don’t need very much data. Also, perform these IOs as non-cached (don’t
update the file pointer as well) so you don’t trigger other issues.

As for user mode hooking, PG is for kernel components; you can still
patch the import tables for a given user mode process to capture calls
there.

Pete


Kernel Drivers
Windows File System and Device Driver Consulting
www.KernelDrivers.com
866.263.9295

------ Original Message ------
From: xxxxx@gmail.com
To: “Windows File Systems Devs Interest List”
Sent: 1/12/2017 10:46:35 AM
Subject: RE:[ntfsd] minifilter - distinguish between exe and dll

>1. If I understand correctly, (this is my first driver writing) on
>postoperation I call:
>status = FltReadFile(Instance, FileObject, &offset, length,
>buffer, FLTFL_IO_OPERATION_NON_CACHED |
>FLTFL_IO_OPERATION_DO_NOT_UPDATE_BYTE_OFFSET, &bytesRead, NULL,
>NULL);
>
>After that, I check if it’s FILE_EXECUTE as below:
>if (Data->Iopb->Parameters.Create.SecurityContext->DesiredAccess ==
>FILE_EXECUTE)
>{
>    // this is exe
>}
>But the statement is always false.
>Another thing, if I print DesiredAccess for PE files I get numbers like
>128, 1179785, 1048609… What do they mean?
>
>2. You mentioned user mode hook - I read in many places that hooking on
>64-bit systems doesn’t work since there’s PatchGuard, which disallows hooking
>the win32 api, so I never tried this method.
>
>
>—
>NTFSD is sponsored by OSR
>
>
>MONTHLY seminars on crash dump analysis, WDF, Windows internals and
>software drivers!
>Details at http:
>
>To unsubscribe, visit the List Server section of OSR Online at
>http:
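Pete's point that execute access is a bit OR'd into DesiredAccess rather than the whole value, as an added example that is not code from this thread or from any of the posters: a small portable C program that decodes an ACCESS_MASK into its named rights and contrasts the `==` test from the question with the `&` test. The constants are the file-specific and standard access-right values from the Windows SDK / ntifs.h, reproduced here so the program builds without Windows headers; the three values the poster printed (128, 1179785, 1048609) are fed through it.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* File-specific and standard access-right bits as defined in the Windows
 * SDK / ntifs.h; reproduced so this builds without Windows headers. */
#define FILE_READ_DATA        0x00000001u
#define FILE_WRITE_DATA       0x00000002u
#define FILE_APPEND_DATA      0x00000004u
#define FILE_READ_EA          0x00000008u
#define FILE_WRITE_EA         0x00000010u
#define FILE_EXECUTE          0x00000020u
#define FILE_DELETE_CHILD     0x00000040u
#define FILE_READ_ATTRIBUTES  0x00000080u
#define FILE_WRITE_ATTRIBUTES 0x00000100u
#define DELETE                0x00010000u
#define READ_CONTROL          0x00020000u
#define WRITE_DAC             0x00040000u
#define WRITE_OWNER           0x00080000u
#define SYNCHRONIZE           0x00100000u

typedef uint32_t ACCESS_MASK;

typedef struct { ACCESS_MASK bit; const char *name; } right_name;

/* Table order is output order, lowest bit first. */
static const right_name rights[] = {
    { FILE_READ_DATA, "FILE_READ_DATA" },     { FILE_WRITE_DATA, "FILE_WRITE_DATA" },
    { FILE_APPEND_DATA, "FILE_APPEND_DATA" }, { FILE_READ_EA, "FILE_READ_EA" },
    { FILE_WRITE_EA, "FILE_WRITE_EA" },       { FILE_EXECUTE, "FILE_EXECUTE" },
    { FILE_DELETE_CHILD, "FILE_DELETE_CHILD" },
    { FILE_READ_ATTRIBUTES, "FILE_READ_ATTRIBUTES" },
    { FILE_WRITE_ATTRIBUTES, "FILE_WRITE_ATTRIBUTES" },
    { DELETE, "DELETE" },                     { READ_CONTROL, "READ_CONTROL" },
    { WRITE_DAC, "WRITE_DAC" },               { WRITE_OWNER, "WRITE_OWNER" },
    { SYNCHRONIZE, "SYNCHRONIZE" },
};

/* The test from the question: true only when execute is the *only* bit
 * set, which a real create request practically never looks like. */
bool is_exactly_execute(ACCESS_MASK desired) {
    return desired == FILE_EXECUTE;
}

/* The test Pete describes: execute was requested, whatever else is OR'd in. */
bool requests_execute(ACCESS_MASK desired) {
    return (desired & FILE_EXECUTE) != 0;
}

/* Write the set rights as "A | B | C" into buf; returns how many were named.
 * Bits outside the table (GENERIC_*, MAXIMUM_ALLOWED, ...) are appended in hex. */
int describe_access(ACCESS_MASK desired, char *buf, size_t buflen) {
    int named = 0;
    size_t used = 0;
    ACCESS_MASK left = desired;
    if (buflen == 0) return 0;
    buf[0] = '\0';
    for (size_t i = 0; i < sizeof rights / sizeof rights[0]; i++) {
        if (!(desired & rights[i].bit)) continue;
        int n = snprintf(buf + used, buflen - used, "%s%s",
                         named ? " | " : "", rights[i].name);
        if (n < 0 || (size_t)n >= buflen - used) return named; /* truncated */
        used += (size_t)n;
        left &= ~rights[i].bit;
        named++;
    }
    if (left)
        snprintf(buf + used, buflen - used, "%s0x%08X",
                 named ? " | " : "", (unsigned)left);
    return named;
}

/* Convenience wrapper returning a static string (not thread-safe; demo only). */
const char *describe_access_str(ACCESS_MASK desired) {
    static char buf[256];
    describe_access(desired, buf, sizeof buf);
    return buf;
}

int main(void) {
    /* The three values the poster printed for PE files. */
    const ACCESS_MASK samples[] = { 128u, 1179785u, 1048609u };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        printf("%8u = 0x%08X -> %s\n", (unsigned)samples[i], (unsigned)samples[i],
               describe_access_str(samples[i]));
        printf("          == FILE_EXECUTE: %-5s  & FILE_EXECUTE: %s\n",
               is_exactly_execute(samples[i]) ? "true" : "false",
               requests_execute(samples[i]) ? "true" : "false");
    }
    return 0;
}
```

Decoded this way, 128 is FILE_READ_ATTRIBUTES alone (an attribute query, no data access), 1179785 (0x120089) is FILE_GENERIC_READ (READ_CONTROL | FILE_READ_DATA | FILE_READ_ATTRIBUTES | FILE_READ_EA | SYNCHRONIZE), and 1048609 (0x100021) is FILE_READ_DATA | FILE_EXECUTE | SYNCHRONIZE. Only the last carries the execute bit, and none of them equals FILE_EXECUTE on its own, which is why the `==` test is always false.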

You have very bad requirements. Executing an application with a parameter according to the default file associations stored in the registry is indistinguishable in KM from executing an application with or without parameters using any other method: they all devolve into CreateProcess and its guts.

About the best analog of what you are suggesting is to create a whitelist of allowed applications (exe files) that can be executed. Make sure to check at least the full path, if not the Authenticode information from the PE, to prevent trivial circumvention of your security measure.


From: xxxxx@hotmail.com
Sent: January 12, 2017 4:31 AM
To: Windows File Systems Devs Interest List
Subject: RE:[ntfsd] minifilter - distinguish between exe and dll

1. Read the file’s PE header in a postoperation callback for a create request with FltReadFile if the FILE_EXECUTE right has been requested OR do this in a preoperation callback by opening a file with FltCreateFile and then calling FltReadFile.

2. This architecture doesn’t make sense and can hardly be implemented correctly in kernel mode. Though there is an alternative with some user mode hook tricks.



  1. Should have been
    if (Data->Iopb->Parameters.Create.SecurityContext->DesiredAccess & FILE_EXECUTE)

Also, FLTFL_IO_OPERATION_NON_CACHED requires a buffer aligned on a sector boundary with size an integer multiple of a sector size.

  2. PatchGuard “protects” only the kernel mode address space.