The Desired access won’t be EQUAL to FILE_EXECUTE, it will contain that
bit. Check out the definitions of the different accesses in the ntifs
header file and you’ll see they are OR’d together.
But yes, you can check for execute access and, if set, then read in the
header of the file. Read up on the PE header layout and you’ll see you
don’t need very much data. Also, perform these IOs as non-cached (don’t
update the file pointer as well) so you don’t trigger other issues.
As for user mode hooking, PG is for kernel components, you can still
patch the import tables for a given user mode process to capture calls
there.
Pete
–
Kernel Drivers
Windows File System and Device Driver Consulting
www.KernelDrivers.com
866.263.9295
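The two points above (test the FILE_EXECUTE bit rather than comparing for equality, and read only the first few bytes of the PE header to tell an EXE from a DLL) as an added, user-mode-testable example; this is not Pete's or OSR's code. The access-mask and PE constants are redefined locally so the block compiles outside the WDK, and the header buffer is constructed inline in place of the non-cached FltReadFile result.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Local copies of the ntifs.h / winnt.h values so this compiles without the WDK. */
#define FILE_READ_DATA        0x00000001u
#define FILE_EXECUTE          0x00000020u
#define FILE_READ_ATTRIBUTES  0x00000080u
#define SYNCHRONIZE           0x00100000u
#define IMAGE_DOS_SIGNATURE   0x5A4Du      /* "MZ" */
#define IMAGE_NT_SIGNATURE    0x00004550u  /* "PE\0\0" */
#define IMAGE_FILE_DLL        0x2000u      /* IMAGE_FILE_HEADER.Characteristics bit */

enum pe_kind { PE_NOT_PE = 0, PE_EXE = 1, PE_DLL = 2 };

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* DesiredAccess is an OR of rights: test the bit, never compare for equality. */
int wants_execute(uint32_t desired_access) { return (desired_access & FILE_EXECUTE) != 0; }

/* Classify the bytes read from offset 0 of the file. Only the DOS header, e_lfanew,
 * the NT signature and IMAGE_FILE_HEADER.Characteristics are needed. */
enum pe_kind classify_pe(const uint8_t *buf, size_t len) {
    if (len < 0x40 || rd16(buf) != IMAGE_DOS_SIGNATURE) return PE_NOT_PE;
    uint32_t e_lfanew = rd32(buf + 0x3C);
    /* Signature (4) + IMAGE_FILE_HEADER (20); Characteristics sits at +22. A header past
     * the bytes read is reported as not-PE rather than read out of bounds. */
    if (e_lfanew > len || len - e_lfanew < 24) return PE_NOT_PE;
    if (rd32(buf + e_lfanew) != IMAGE_NT_SIGNATURE) return PE_NOT_PE;
    return (rd16(buf + e_lfanew + 22) & IMAGE_FILE_DLL) ? PE_DLL : PE_EXE;
}

/* Constructed sample header: MZ stub, e_lfanew = 0x40, "PE\0\0", then a file header
 * carrying the given Characteristics. Requires len >= 0x58. */
void make_sample(uint8_t *buf, size_t len, uint16_t characteristics) {
    memset(buf, 0, len);
    buf[0] = 'M'; buf[1] = 'Z';
    buf[0x3C] = 0x40;                    /* e_lfanew, little-endian */
    buf[0x40] = 'P'; buf[0x41] = 'E';    /* trailing two zero bytes already set */
    buf[0x40 + 22] = (uint8_t)(characteristics & 0xFF);
    buf[0x40 + 23] = (uint8_t)(characteristics >> 8);
}

int main(void) {
    uint8_t hdr[128];
    make_sample(hdr, sizeof hdr, IMAGE_FILE_DLL | 0x0002);
    printf("1048609 wants execute: %d, sample kind: %d\n", wants_execute(1048609), classify_pe(hdr, sizeof hdr));
    return 0;
}
```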
------ Original Message ------
From: xxxxx@gmail.com
To: “Windows File Systems Devs Interest List”
Sent: 1/12/2017 10:46:35 AM
Subject: RE:[ntfsd] minifilter - distinguish between exe and dll
>1. If I understand correctly, (this is my first driver writing) on
>postoperation I call:
>status = FltReadFile(Instance, FileObject, &offset, length,
>buffer, FLTFL_IO_OPERATION_NON_CACHED |
>FLTFL_IO_OPERATION_DO_NOT_UPDATE_BYTE_OFFSET, &bytesRead, NULL,
>NULL);
>
>After that, I check if it’s FILE_EXECUTE as below:
>if (Data->Iopb->Parameters.Create.SecurityContext->DesiredAccess ==
>FILE_EXECUTE)
>{
>    // this is exe
>}
>But the statement is always false.
>Another thing, if I print DesiredAccess for PE files I get numbers like
>128, 1179785, 1048609… What do they mean?
>
>2. You mentioned user mode hook - I read in many places that hooking on
>a 64-bit system doesn’t work since there’s PatchGuard which disallows hooking
>the win32 api so I never tried this method.