UNC Path - requestor process

Hello list,

I am working on a minifilter which logs who (process) opened a given file.
I noticed that if I open the file using a UNC path, e.g. \\localhost\c$\monitoredDir\monitoredFile.ext, the requestor process is System. I’m not monitoring FILE_DEVICE_NETWORK_FILE_SYSTEM file objects.

I understand this is because of how redirection works (as this could be a network path):
PRE Create [\device\mup\localhost\c$\monitoredDir\monitoredFile.ext] - app.exe (not monitored file object, fo1)
PRE Create [\device\harddiskvolume1\localhost\monitoredDir\monitoredFile.ext] - system (monitored file object, fo2)
POST Create [\device\harddiskvolume1\localhost\monitoredDir\monitoredFile.ext] - system (monitored file object)
POST Create [\device\mup\localhost\c$\monitoredDir\monitoredFile.ext] - app.exe (not monitored file object)

I need to find a reliable way to get the real requestor process of the monitored file object.
I was trying to connect those two file objects (fo1, fo2) to get the real requestor process of fo2, but it looks like they are independent, which makes sense.
I focused on local FS file objects as it is easier to determine whether they are interesting or not, based on their paths.
I could probably compare the paths of fo1 and fo2 somewhere between the 1st PRE create and the 1st POST create, but I am not sure if that is a good idea.

Is there a way to get the real requestor of fo2? Or should I change my thinking and try to determine whether the fo1 path is local and interesting to me?

I would be very grateful for any help,
Mark

You need to think about it one step further.
What if you had a share on the OS your minifilter is installed on and some
computer on the network accesses the share? There is no way to tell which
“process” on the computer on the network is requiring access.
All you can hope for is to associate the FO_REMOTE_ORIGIN flag in the
FileObject so as to know that the file has been opened over the network.
You could alternatively try to look at the system-defined ECPs[1] and see if
any of the ones there help you in any way, although I doubt it.

[1]
https://docs.microsoft.com/en-us/windows-hardware/drivers/ifs/system-defined-ecps

Cheers,
Gabriel
www.kasardia.com

On Mon, Jan 29, 2018 at 10:46 AM, xxxxx@gmail.com wrote:

Bercea. G.
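To make the two replies above concrete, here is an added user-mode model (not WDK code and not from either poster) of the attribution decision a logging minifilter's pre-create callback has to make. It replays Mark's four-event trace as constructed input. The constants are the documented ntifs.h values; the requestor pids, the assumption that the server-side open (fo2) already carries FO_REMOTE_ORIGIN when the filter sees it, and the device type of the MUP object are assumptions to verify on the target OS. In a real filter the inputs would come from FltObjects->FileObject->Flags, FileObject->DeviceObject->DeviceType and FltGetRequestorProcessId(Data); the server-originated create also carries the SRV open ECP from the system-defined ECP list Gabriel linked, which identifies the share and the client's address but, as he says, never the client's process.

```c
#include <stdio.h>
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Documented ntifs.h values; assumed correct for the model, not taken from the thread. */
#define FILE_DEVICE_DISK_FILE_SYSTEM    0x00000008u
#define FILE_DEVICE_NETWORK_FILE_SYSTEM 0x00000014u
#define FO_REMOTE_ORIGIN                0x01000000u   /* FILE_OBJECT.Flags */

#define SYSTEM_PID 4u   /* constructed: requestor pid of the server-side opens */

typedef enum {
    ORIGIN_LOCAL_DIRECT,  /* local volume, requestor really is the opener */
    ORIGIN_REDIRECTOR,    /* MUP / network FS object (fo1): client side of a UNC open */
    ORIGIN_SERVER_SIDE    /* local volume opened by the SMB server for a client (fo2) */
} create_origin_t;

typedef struct {
    const char *phase;           /* "PRE" or "POST" */
    const char *path;            /* device path as the filter sees it */
    uint32_t    device_type;     /* FileObject->DeviceObject->DeviceType */
    uint32_t    flags;           /* FileObject->Flags */
    uint32_t    requestor_pid;   /* FltGetRequestorProcessId(Data) */
    const char *requestor_image; /* constructed image name for the pid */
} create_event_t;

/* Classify a create from the device type and file object flags alone. */
create_origin_t classify_create(uint32_t device_type, uint32_t flags)
{
    if (device_type == FILE_DEVICE_NETWORK_FILE_SYSTEM)
        return ORIGIN_REDIRECTOR;
    if (flags & FO_REMOTE_ORIGIN)
        return ORIGIN_SERVER_SIDE;
    return ORIGIN_LOCAL_DIRECT;
}

/* 1 when requestor_pid may be logged as the real opener of a local file;
 * 0 when the object is not local or the requestor is only the server. */
int requestor_is_real_opener(const create_event_t *ev)
{
    return classify_create(ev->device_type, ev->flags) == ORIGIN_LOCAL_DIRECT;
}

/* Constructed trace: the four events from the thread, with the flag state a
 * loopback UNC open is assumed to carry (pids are made up). */
static const create_event_t TRACE[] = {
    {"PRE",  "\\device\\mup\\localhost\\c$\\monitoredDir\\monitoredFile.ext",
     FILE_DEVICE_NETWORK_FILE_SYSTEM, 0, 1234, "app.exe"},
    {"PRE",  "\\device\\harddiskvolume1\\localhost\\monitoredDir\\monitoredFile.ext",
     FILE_DEVICE_DISK_FILE_SYSTEM, FO_REMOTE_ORIGIN, SYSTEM_PID, "system"},
    {"POST", "\\device\\harddiskvolume1\\localhost\\monitoredDir\\monitoredFile.ext",
     FILE_DEVICE_DISK_FILE_SYSTEM, FO_REMOTE_ORIGIN, SYSTEM_PID, "system"},
    {"POST", "\\device\\mup\\localhost\\c$\\monitoredDir\\monitoredFile.ext",
     FILE_DEVICE_NETWORK_FILE_SYSTEM, 0, 1234, "app.exe"},
};

/* Walk the trace the way a logging filter would (local-volume PRE creates
 * only) and return how many opens could NOT be attributed to a real process. */
int count_unattributable_local_opens(const create_event_t *trace, size_t n)
{
    int unattributable = 0;
    for (size_t i = 0; i < n; i++) {
        const create_event_t *ev = &trace[i];
        if (strcmp(ev->phase, "PRE") != 0)
            continue;                                   /* log on pre-create only */
        if (ev->device_type != FILE_DEVICE_DISK_FILE_SYSTEM)
            continue;                                   /* not a monitored (local) object */
        if (requestor_is_real_opener(ev)) {
            printf("%s opened by %s (pid %u)\n",
                   ev->path, ev->requestor_image, ev->requestor_pid);
        } else {
            /* FO_REMOTE_ORIGIN: the server opened it; the client process is unknowable
             * from this file object, so log the fact rather than a misleading pid. */
            printf("%s opened over SMB (server pid %u); client process unknown\n",
                   ev->path, ev->requestor_pid);
            unattributable++;
        }
    }
    return unattributable;
}

int main(void)
{
    size_t n = sizeof TRACE / sizeof TRACE[0];
    return count_unattributable_local_opens(TRACE, n) == 1 ? 0 : 1;
}
```

The point the model makes is the one Gabriel raises: once the local file object has FO_REMOTE_ORIGIN set, the System requestor is the SMB server and the only honest log entry is "opened over the network", whether the client was a loopback app.exe or another machine; correlating fo1 and fo2 by path in the window between the two PRE creates is a heuristic that only works for the loopback case and breaks as soon as a real remote client appears.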

Thank you Gabriel,

Good point. I was focusing on local files accessed “the remote way”, but that
case will make it even harder to link together the mentioned file objects.
I will try with your suggestions and update if it helps.

Best Regards,
Mark

2018-01-29 20:56 GMT+01:00 Gabriel Bercea <xxxxx@lists.osr.com>:
