OSR Online Lists > ntfsd
  Message 1 of 10  
05 Mar 18 00:44
vidhya
xxxxxx@yahoo.co.in
Join Date: 05 Jan 2018
Posts To This List: 7
check authenticity of the process from file system mini filter driver

I am using the IoThreadToProcess call along with other calls like

typedef PCHAR (*GET_PROCESS_IMAGE_NAME) (PEPROCESS Process);
GET_PROCESS_IMAGE_NAME gGetProcessImageFileName;

to get the process name from my file system minifilter driver. This I do to allow access only to my process and block for other unknown processes. I am checking the process name for the same. If somebody changes the name of their process to my product's service name then they will be able to access my files. So now I wanted to check the authenticity of the process from my mini filter driver. Is there a way I can know the authenticity of the process from my file system mini filter driver, like check its properties, or how to go about this? Any help would be very useful.

vidhya
  Message 2 of 10  
05 Mar 18 00:50
Shaarang Tyagi
xxxxxx@gmail.com
Join Date: 08 Mar 2017
Posts To This List: 3
check authenticity of the process from file system mini filter driver

You can read the legitimate process image (e.g. contents of the .exe file) from the disk and calculate a SHA-256 hash and store it somewhere. And then every time you want to allow/disallow a process do the same and match the hash with the stored one; if it matches then it should be allowed, otherwise disallowed.

On Mon, Mar 5, 2018 at 11:13 AM, xxxxx@yahoo.co.in <xxxxx@lists.osr.com> wrote:
> I am using the IoThreadToProcess call along with other calls like
> typedef PCHAR (*GET_PROCESS_IMAGE_NAME) (PEPROCESS Process);
> GET_PROCESS_IMAGE_NAME gGetProcessImageFileName;
>
> to get the process name from my file system minifilter driver.
> This I do to allow access only to my process and block for other unknown
> process..I am checking the process name for the same.
> If somebody changes the name of their process with my product's service
> name then they will be able to access my files.so now I wanted to check the
> authenticity of the process from my mini filter driver. Is there a way I
<...excess quoted lines suppressed...>
  Message 3 of 10  
06 Mar 18 04:38
Juan Antonio Barrigas
xxxxxx@yahoo.es
Join Date: 21 Mar 2017
Posts To This List: 18
check authenticity of the process from file system mini filter driver

Calculating the SHA-256 for every operation to check who is performing it is not an option. Anyway, process hollowing techniques could be used to fool your driver. I think a better option is to use FltCreateCommunicationPort in the driver and then connect to that port from your user-mode service. You would force just one connection at a time. When your user-mode service connects, the driver saves the connected process's pid and then you can check that value in any minifilter callback without performance loss.
  Message 4 of 10  
07 Mar 18 02:38
vidhya
xxxxxx@yahoo.co.in
Join Date: 05 Jan 2018
Posts To This List: 7
check authenticity of the process from file system mini filter driver

Thanks Shaarang and Antonio for the inputs.

Hi Antonio,

Regarding FltCreateCommunicationPort, I currently have a port opened in my driver and it is connected to one user-mode service. I have forced the max connection to 1 at a time. But I have to allow access to my files from a few of my product's services, not a single service; at least 4 to 5 processes have to access my files. All the rest I should block. If my understanding is correct, once I connect to the driver from the user-mode service using FilterConnectCommunicationPort, I can pass all my product's process IDs through the port, so the driver will understand that it has got these process IDs from a legitimate process. Once I receive all the process IDs I can check the value in all my minifilter callbacks. Is my understanding correct?
  Message 5 of 10  
07 Mar 18 04:03
Juan Antonio Barrigas
xxxxxx@yahoo.es
Join Date: 21 Mar 2017
Posts To This List: 18
check authenticity of the process from file system mini filter driver

Yes, I think this is a way to go. Still, some illegitimate process could try to inject code into your services, but this is a larger topic, something you might want to worry about progressively. Having your services run as protected processes is probably the best option, but it is something I haven't tried myself and I think you need to have an ELAM driver, have all your binaries properly signed, etc...
  Message 6 of 10  
07 Mar 18 04:24
vidhya
xxxxxx@yahoo.co.in
Join Date: 05 Jan 2018
Posts To This List: 7
check authenticity of the process from file system mini filter driver

> I think this is a way to go. Still, some illegitimate process could try to inject code into your services, but this is a larger topic, something you might want to worry about progressively.

Is this what you were talking about when you mentioned process hollowing? Even if I go with the FltCreateCommunicationPort approach I guess hackers can fool my driver with the process hollowing technique. Am I right in my understanding? Why should I have an ELAM driver? Could you please elaborate on that. My guess is that first I can aim at having my services which access the files protected by checking the process ID, then I can build on it progressively as suggested.
  Message 7 of 10  
07 Mar 18 07:06
Juan Antonio Barrigas
xxxxxx@yahoo.es
Join Date: 21 Mar 2017
Posts To This List: 18
check authenticity of the process from file system mini filter driver

https://msdn.microsoft.com/en-us/library/windows/desktop/dn313124(v=vs.85).aspx
  Message 8 of 10  
13 Mar 18 01:46
vidhya
xxxxxx@yahoo.co.in
Join Date: 05 Jan 2018
Posts To This List: 7
check authenticity of the process from file system mini filter driver

Thanks for the link... I am going through it.

Vidhya
  Message 9 of 10  
13 Mar 18 02:27
vidhya
xxxxxx@yahoo.co.in
Join Date: 05 Jan 2018
Posts To This List: 7
check authenticity of the process from file system mini filter driver

Just a doubt. Address space layout randomization: I have enabled this in all my projects. Won't this help against process hollowing?
  Message 10 of 10  
19 Mar 18 12:09
Alex Crane
xxxxxx@jazznetworks.com
Join Date: 19 Mar 2018
Posts To This List: 8
check authenticity of the process from file system mini filter driver

Similar to message #3, I would suggest the user-mode service pass a list of accepted PIDs down to your minifilter (FilterSendMessage) and you compare the PIDs; anything else is far too slow. The user-mode service can conduct process authenticity checks in userland, which should be much easier: you can do something involving SHA hashes, or perhaps binary signing. If you really must do it driver-only, look into https://docs.microsoft.com/en-us/windows-hardware/drivers/ddi/content/ntddk/nf-ntddk-pssetcreateprocessnotifyroutineex, though be careful as PCREATE_PROCESS_NOTIFY_ROUTINE_EX is limited to safe calls. On process start determine if it's one of your processes, and then whitelist the PID.
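The PID allow-list that messages 3, 4 and 10 converge on, written out as an added example that is not code from the thread or from any OSR project. It models both ends in portable C so it runs on any host: the service serialises a list of PIDs (the payload it would hand to FilterSendMessage), and the driver side validates the message the way a MessageNotify callback must validate InputBuffer/InputBufferLength, stores the list, answers the per-operation "is this requestor allowed" question with a plain PID compare, and drops a PID on process exit (the CreateInfo == NULL branch of a PsSetCreateProcessNotifyRoutineEx callback) so that PID reuse cannot inherit a grant. The message layout, the magic value, the capacity, every function name and the sample PIDs are assumptions made for this example; the Filter Manager and process-notify routines named in comments are the real APIs a driver would call, but the code here is a user-space model of their logic, not a driver.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical wire format for the allow-list message the user-mode service
 * sends through the minifilter communication port (FilterSendMessage in the
 * service, the MessageNotify callback in the driver). The layout is an
 * assumption for this example, not something the thread or Windows defines. */
#define ALLOWLIST_MAGIC    0x4C4C4150u   /* constructed tag value */
#define ALLOWLIST_CAPACITY 16            /* thread needs room for 4 to 5 services */

struct allowlist_msg {
    uint32_t magic;
    uint32_t count;     /* number of PIDs that follow */
    uint32_t pids[];    /* count entries, each a non-zero process id */
};

/* Driver-side state. In a real minifilter this lives in the filter's context
 * and is read under a lock, because callbacks run concurrently. */
static uint32_t g_allowed[ALLOWLIST_CAPACITY];
static size_t   g_allowed_count;

enum access_decision { ACCESS_DENY = 0, ACCESS_ALLOW = 1 };

/* Service side: serialise an allow-list message into a word-aligned buffer.
 * Returns the byte length to pass to FilterSendMessage, or 0 if it does not fit. */
size_t allowlist_build_msg(uint32_t *out, size_t out_words,
                           const uint32_t *pids, size_t n)
{
    if (n > ALLOWLIST_CAPACITY || out_words < 2 + n) return 0;
    out[0] = ALLOWLIST_MAGIC;
    out[1] = (uint32_t)n;
    memcpy(&out[2], pids, n * sizeof(uint32_t));
    return (2 + n) * sizeof(uint32_t);
}

/* Driver side: replace the allow-list from a buffer whose length came from
 * user mode. Every field is checked against the length before it is used, and
 * a malformed message leaves the existing list untouched.
 * Returns 0 on success, -1 on rejection. */
int allowlist_load(const void *buf, size_t len)
{
    const struct allowlist_msg *m = buf;
    if (buf == NULL || len < sizeof(*m)) return -1;                /* no header   */
    if (m->magic != ALLOWLIST_MAGIC) return -1;                    /* wrong tag   */
    if (m->count > ALLOWLIST_CAPACITY) return -1;                  /* table bound */
    if (len < sizeof(*m) + (size_t)m->count * sizeof(uint32_t)) return -1; /* short */
    for (size_t i = 0; i < m->count; i++)
        if (m->pids[i] == 0) return -1;                            /* PID 0 never a service */
    memcpy(g_allowed, m->pids, m->count * sizeof(uint32_t));
    g_allowed_count = m->count;
    return 0;
}

size_t allowlist_count(void) { return g_allowed_count; }

/* Remove one PID; returns 1 if it was present, 0 otherwise. */
int allowlist_remove(uint32_t pid)
{
    for (size_t i = 0; i < g_allowed_count; i++) {
        if (g_allowed[i] == pid) {
            g_allowed[i] = g_allowed[--g_allowed_count];   /* swap with last entry */
            return 1;
        }
    }
    return 0;
}

/* What a minifilter pre-operation callback does with the requestor's PID
 * (FltGetRequestorProcessId(Data) in the real callback): a linear scan over
 * at most ALLOWLIST_CAPACITY integers, no image-name lookup and no hashing. */
enum access_decision decide_access(uint32_t requestor_pid)
{
    for (size_t i = 0; i < g_allowed_count; i++)
        if (g_allowed[i] == requestor_pid) return ACCESS_ALLOW;
    return ACCESS_DENY;
}

/* Mirror of the exit branch (CreateInfo == NULL) of a
 * PsSetCreateProcessNotifyRoutineEx callback: drop the PID as soon as the
 * process goes away, so an unrelated process that later reuses the same PID
 * does not inherit the grant. */
void on_process_exit(uint32_t pid) { (void)allowlist_remove(pid); }

int main(void)
{
    const uint32_t service_pids[3] = { 1234u, 5678u, 9012u };   /* constructed sample */
    uint32_t wire[ALLOWLIST_CAPACITY + 2];
    size_t len = allowlist_build_msg(wire, sizeof wire / sizeof wire[0], service_pids, 3);

    printf("load full message : %d\n", allowlist_load(wire, len));       /* 0  */
    printf("load truncated    : %d\n", allowlist_load(wire, len - 1));   /* -1 */
    printf("pid 5678          : %s\n", decide_access(5678u) ? "allow" : "deny");
    on_process_exit(5678u);
    printf("pid 5678 after exit: %s\n", decide_access(5678u) ? "allow" : "deny");
    printf("pid 4321          : %s\n", decide_access(4321u) ? "allow" : "deny");
    return 0;
}
```

The two checks that matter in practice are the ones on the driver side: the length and count validation before the payload is touched (user mode controls InputBufferLength, so a missing check is a kernel memory-safety bug, not just a logic bug), and the removal on process exit, without which a PID number that was granted once stays granted for whatever process the system hands it to next. Neither addresses the injection and hollowing concern raised in messages 5 and 6; that is handled by the user-mode authenticity checks and protected-process options the thread points to, not by the list itself.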
All times are GMT -5.