File Minifilter part 3: How to know if current I/O request is from network in a file minifilter

This article is the part of series I started out to share my own difficulties faced while writing a file mini filter driver. Today I shall discuss how to find out if the current I/O request is comming from outside the local machine i.e. network.

One pretty easy way is to find the source of the current session. In a simple network there can be three sources.

  1. NTLMSSP (NT lan manager)
  2. SYSTEM (system user services and processes)
  3. USER32 ( all the prcesses running in the user space

The key here is to find this source if it is NTLM ( default lan manager on windows machine, some  network might use kerberos but its pretty easy to figure out once we get the source of the current I/O request’s session) then the current I/O request is comming from network e.g trying to access some shared folder. 

In case of SID we needed TOKEN_USER whereas here we are looking for  TOKEN_SOURCE  information associated with the current request.

Get token information as follows

PFLT_CALLBACK_DATA Data //comming from callback parameter

TOKEN_SOURCE **ppSource;
PACCESS_TOKEN pToken =  SeQuerySubjectContextToken(&(Data->Iopb->Parameters.Create.SecurityContext->AccessState->SubjectSecurityContext));
status = SeQueryInformationToken(pToken,TokenSource,ppSource);

TOKEN_SOURCE’s SourceName member contains the name of the source we are looking for, if it is NTLMSSP then the current request is comming from the network.

Explore posts in the same categories: Programming

Tags: ,

You can comment below, or link to this permanent URL from your own site.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s

%d bloggers like this: