How to determine if a file is being executed?

I hope this isn’t a repost, I seem to be having some issues with the forums. If it is, sorry, and please reply to the original post.

My minifilter needs to detect file execution. It works pretty well, but I’ve run into a serious problem… When a user browses a directory with Explorer all the exe and dll files are detected as executions… I assume because Explorer is opening them with EXEC permissions when it reads their icons.

I am trying to detect executions by looking for FILE_EXECUTE in Iopb->Parameters.Create.SecurityContext->DesiredAccess during the pre-create callback.

Is there a way to filter out this case? Or a better way to detect executions of files?

Have you tried looking at what happens when the file is actually
executed? I think you’ll probably see an
IRP_MJ_ACQUIRE_FOR_SECTION_SYNCHRONIZATION when it tries to map the file
in.

~Eric


Have you looked at PsSetLoadImageNotify to see if it is being executed?


Don Burn (MVP, Windows DDK)
Windows Filesystem and Driver Consulting
Website: http://www.windrvr.com
Blog: http://msmvps.com/blogs/WinDrvr


Both of these look really useful, I’ll have to research them both. Is PsSetLoadImageNotify something I can call from my minifilter?

Yes you can call PsSetLoadImageNotify from a mini-filter, in fact you can
call essentially all of the WDM type support routines.


Don Burn (MVP, Windows DDK)
Windows Filesystem and Driver Consulting
Website: http://www.windrvr.com
Blog: http://msmvps.com/blogs/WinDrvr


This looks like it would be a silver bullet for my problem, but is there any way to “cancel” the operation when using the PsSetLoadImageNotify callback like I can with PostCreate?

Unfortunately no, by that point it is loaded into memory. You are going to
have to take Eric’s suggestion, and watch out for the idiots who open for
execute then map the file.


Don Burn (MVP, Windows DDK)
Windows Filesystem and Driver Consulting
Website: http://www.windrvr.com
Blog: http://msmvps.com/blogs/WinDrvr


Thanks so much for your help, Don and Eric. This is my first driver, and this project has been a real challenge for me. I’m looking at IRP_MJ_ACQUIRE_FOR_SECTION_SYNCHRONIZATION. I assume this is called when a file is being mapped to RAM. I see that I can check for executable permissions here by looking for the PAGE_EXECUTE flag in the PageProtection variable.

Can I fail this routine out like I do with the IRP_MJ_CREATE by setting Data->IoStatus.Status to STATUS_ACCESS_DENIED, Data->IoStatus.Information to 0? Or will IRP_MJ_ACQUIRE_FOR_SECTION_SYNCHRONIZATION require a different incantation?

My driver detects file execution in the post-create operation callback:

bExec = FlagOn( accessMask, FILE_EXECUTE ) &&
        !FlagOn( accessMask, FILE_WRITE_DATA ) &&
        !FlagOn( accessMask, FILE_READ_EA );

Works from Win2k up to WinSrv08.
When you execute 16-bit apps, FILE_READ_EA is sometimes used, so in that case check
who opens the file (usually it’s ntvdm.exe).


hope this thread will help. http://www.osronline.com/ShowThread.cfm?link=105627

Sima

Be aware that IRP_MJ_ACQUIRE_FOR_SECTION_SYNCHRONIZATION does not catch 16-bit executables.
You will need to combine two approaches if you want to use SECTION_SYNCHRONIZATION for regular 32-bit EXEs and detect 16-bit EXEs at the same time.

Inaki.


I’m still trying to figure out this issue. I’ve started digging around with procmon on Windows XP. But it looks like none of the approaches discussed so far will work to filter out what happens when Explorer displays a directory and loads icons from all the files within it.

I’ve placed a copy of notepad in a test directory. When I navigate to that directory in Explorer, CreateFile is run on notepad twice with a DesiredAccess of “Execute/Traverse, Synchronize”. Each of these opens is followed by a “FASTIO_ACQUIRE_FOR_SECTION_SYNCHRONIZATION” operation with a page protection value of PAGE_EXECUTE.

When I double-click the notepad icon, CreateFile is run 6 times: once with “Read Data/List Directory, Execute/Traverse, Read Attributes, Synchronize”, 4 times with “Execute/Traverse, Synchronize” and once with “Execute/Traverse”.

All with associated FASTIO_ACQUIRE_FOR_SECTION_SYNCHRONIZATION requesting PAGE_EXECUTE.

Peter, it doesn’t seem like any of the calls made when reading the icon asked for FILE_READ_EA or FILE_WRITE access. Does your driver filter out these file opens by Explorer? Or does it just tolerate them in some other way?

Don, is FASTIO_ACQUIRE_FOR_SECTION_SYNCHRONIZATION the same as IRP_MJ_ACQUIRE_FOR_SECTION_SYNCHRONIZATION?

Thank you again for all your help everyone.

David
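As an added example (not code from the thread or from any poster's driver), the two checks discussed above, Peter's post-create DesiredAccess rule and the PageProtection test on the section-synchronization callback, written as plain C so they can be run against the access masks David reports from procmon. The constant values are the Windows SDK ones; the sample masks used to exercise it are constructed from his descriptions.

```c
/* Added example, not code from the thread. Models the two signals the
 * thread discusses (create DesiredAccess mask, section-sync PageProtection)
 * as plain C. Constants are the Windows SDK values; sample masks are
 * constructed from the procmon observations above. */
#include <stdbool.h>

#define FILE_READ_DATA          0x0001UL
#define FILE_WRITE_DATA         0x0002UL
#define FILE_READ_EA            0x0008UL
#define FILE_EXECUTE            0x0020UL   /* same value as FILE_TRAVERSE */
#define FILE_READ_ATTRIBUTES    0x0080UL
#define SYNCHRONIZE             0x00100000UL
#define PAGE_READONLY           0x02UL
#define PAGE_EXECUTE            0x10UL
#define PAGE_EXECUTE_READ       0x20UL
#define PAGE_EXECUTE_READWRITE  0x40UL
#define PAGE_EXECUTE_WRITECOPY  0x80UL
#define PAGE_EXECUTE_ANY (PAGE_EXECUTE | PAGE_EXECUTE_READ | \
                          PAGE_EXECUTE_READWRITE | PAGE_EXECUTE_WRITECOPY)

enum exec_verdict {
    EXEC_NO,            /* not an execute-style open */
    EXEC_YES,           /* Peter's rule: FILE_EXECUTE without write or EA */
    EXEC_CHECK_PROCESS  /* FILE_EXECUTE plus FILE_READ_EA: possibly a 16-bit
                           app via ntvdm.exe, so identify the opener */
};

/* Post-create classification of the DesiredAccess mask (Peter's rule). */
enum exec_verdict classify_open(unsigned long access)
{
    if (!(access & FILE_EXECUTE) || (access & FILE_WRITE_DATA))
        return EXEC_NO;
    return (access & FILE_READ_EA) ? EXEC_CHECK_PROCESS : EXEC_YES;
}

/* Section-sync signal: the mapping asks for any execute protection. */
bool section_is_executable(unsigned long page_protection)
{
    return (page_protection & PAGE_EXECUTE_ANY) != 0;
}

/* Both signals combined. Explorer's icon reads open with Execute/Traverse
 * plus Synchronize and then map PAGE_EXECUTE, so this stays true for them:
 * the flags alone cannot separate "show the icon" from "run the program". */
bool looks_like_execution(unsigned long access, unsigned long page_protection)
{
    return classify_open(access) == EXEC_YES
        && section_is_executable(page_protection);
}
```

In the driver these functions would be fed from the pre-create DesiredAccess value the thread already names and from the PageProtection value seen in the section-synchronization pre-operation callback; the explorer icon-read case returns true from looks_like_execution, which is exactly the false positive David describes.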