wdk - How to find the service name corresponding to a svchost process in my WFP driver's ALE Callout? - Stack Overflow
In my WFP driver, I register a callout for the FWPM_LAYER_ALE_AUTH_CONNECT_V4 layer.
Now in my callout, in case the process that made the connection was svchost, I want to extract the SID of the service, or the service name (the goal is to find the service name at the end, using the service's SID or not). This is because a single svchost process can have multiple services, and I want to know which service caused this connection. I am accessing the token similar to below:
// ALE_USER_ID arrives as an FWP_BYTE_BLOB whose data is a TOKEN_ACCESS_INFORMATION
token = (PTOKEN_ACCESS_INFORMATION)inFixedValues->incomingValue[FWPS_FIELD_ALE_AUTH_CONNECT_V4_ALE_USER_ID].value.tokenAccessInformation->data;
originalSid = token->SidHash->SidAttr->Sid;   // first SID in the token's SID hash
...
UNICODE_STRING sidString;
status = RtlConvertSidToUnicodeString(&sidString, originalSid, TRUE);   // TRUE: allocate the buffer
I tried to extract the SID from the FWPS_FIELD_ALE_AUTH_CONNECT_V4_ALE_USER_ID using RtlConvertSidToUnicodeString, hoping it would be the service's SID, but it gives me the user's SID instead.
So my question is, in my callout or afterwards, in case an svchost process makes a connection, how can I find its corresponding service name?
The Windows Firewall, which is WFP-based, seems to be able to get the service name of a connection, because you can have service-based rules in the firewall.
And some open source projects have user-mode code similar to below:
public ServiceNameFilterCondition(string serviceName)
: base(ConditionKeys.FWPM_CONDITION_ALE_USER_ID, FieldMatchType.FWP_MATCH_EQUAL, $"O:SYG:SYD:(A;;CCRC;;;{GetServiceSidFromName(serviceName)})")
{
}
So it seems like they are assuming ALE_USER_ID should contain the service SID?
For example https://github/pylorak/TinyWall
- learn.microsoft/en-us/sql/relational-databases/security/… community.osr/t/… ... – OneAndOnly Commented Nov 28, 2024 at 10:45
- @RemyLebeau ... I'm not sure why we are still wasting time talking when you can google pcsxcetrasupport3.wordpress/2013/09/08/… community.osr/t/… – OneAndOnly Commented Nov 28, 2024 at 10:59
1 Answer
A single instance of svchost can run multiple services at a time, so there is not 1 single service name.
You will have to enumerate all of the running services and identify the ones that belong to the same PID that you already have. You can use EnumServicesStatusEx() for that task.
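As an added example (not part of the question or the answer), the user-mode enumeration the answer describes, done in PowerShell: list the services hosted by a given PID and derive each one's service SID (S-1-5-80-...), which is the value the question hoped to read from ALE_USER_ID. Assumes a Windows host; Win32_Service and the NT SERVICE\ account translation are standard, the function name Get-ServicesForPid is this example's own.

```powershell
# Added example: map a process ID (for example one svchost.exe instance) to the
# services it hosts, and derive each service's SID.
# Assumes Windows; the function name is this example's own.
function Get-ServicesForPid {
    param([Parameter(Mandatory)][int]$ProcessId)

    # Win32_Service exposes the hosting PID for every service; a shared
    # svchost PID comes back with several rows, one per hosted service.
    $hosted = Get-CimInstance -ClassName Win32_Service -Filter "ProcessId = $ProcessId"

    foreach ($svc in $hosted) {
        $sid = $null
        try {
            # A service SID is derived from a SHA-1 of the upper-case service
            # name; resolving the NT SERVICE\<name> virtual account yields it.
            $account = New-Object System.Security.Principal.NTAccount("NT SERVICE\$($svc.Name)")
            $sid = $account.Translate([System.Security.Principal.SecurityIdentifier]).Value
        } catch {
            # Translation failed (e.g. no service SID for this name); keep the row, leave SID empty.
        }
        [PSCustomObject]@{
            ProcessId   = $svc.ProcessId
            Name        = $svc.Name
            DisplayName = $svc.DisplayName
            State       = $svc.State
            ServiceSid  = $sid
        }
    }
}

# Usage: every running svchost.exe instance and the services it hosts.
Get-Process -Name svchost | ForEach-Object { Get-ServicesForPid -ProcessId $_.Id }
```

Because the mapping is per PID, a connection from a shared svchost still resolves to a set of candidate services, not a single name; only a service that runs in its own process (or one whose service SID appears in the token) can be pinned to one name.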