
Monitoring SMB file activity

Posted: Sun Jul 04, 2010 2:05 pm
by iPath
Hi there :)

The idea is very simple: to monitor file access made via SMB and eventually deny it.
I suppose the Server service is calling CreateFile/NTOpenFile APIs. But when I hook all these and try to access a file on my computer from another via \\myComputer\myShare\myFile - I cannot see any entry in my log for that file.

Maybe the Server service is doing some of the stuff in the kernel?

Every idea will be appreciated :)

Regards,
Petar

Posted: Wed Jul 07, 2010 9:40 am
by madshi
I don't really know where SMB is really running. Maybe it's in kernel land. In that case madCodeHook won't be able to hook it. If it's in user land and if your hook dll is really injected system wide (even into all system processes), then hooking NtCreateFile + NtOpenFile should catch the file access.

Posted: Wed Jul 07, 2010 12:37 pm
by iPath
Thanks Madshi,
I'll look at the code to see if I am doing "really" system wide hooking. I'll also try hooking NtCreateFile.

p.s. I found the Server service has a kernel driver: srv.sys... maybe all that stuff is going on there :(

Posted: Mon Jul 12, 2010 2:00 pm
by iPath
It seems all the stuff is going to be in the Kernel :( I ran ProcMon (Sysinternals) and then noticed that when I access the file \\myComputer\d$\test.vbs the SYSTEM process is doing CreateFile etc.

15:24:51.2907288 System 4 1844 D:\test.vbs CreateFile
15:24:51.2909173 System 4 1844 D:\test.vbs FileSystemControl
15:24:51.2909389 System 4 1844 D:\test.vbs QueryNetworkOpenInformationFile
15:24:51.2909713 System 4 1844 D:\test.vbs QueryEaInformationFile
15:24:51.2909992 System 4 1844 D:\test.vbs QueryStreamInformationFile
15:24:51.2910428 System 4 1844 D:\test.vbs QueryAttributeTagFile
15:24:51.2910702 System 4 1844 D:\test.vbs QuerySecurityFile
15:24:51.2911020 System 4 1844 D:\test.vbs QuerySecurityFile
15:24:51.2916141 System 4 1844 D:\test.vbs QueryFileInternalInformationFile
15:24:51.2921926 System 4 1844 D:\test.vbs FileSystemControl
15:24:51.2928478 System 4 1844 D:\test.vbs ReadFile
15:24:51.2928777 System 4 1844 D:\test.vbs ReadFile
15:24:51.2935437 System 4 1844 D:\test.vbs WriteFile
15:24:51.2935674 System 4 1844 D:\test.vbs WriteFile


The call stack:

Frame Module Location
0 fltmgr.sys FltpPerformPreCallbacks + 0x2d4
1 fltmgr.sys FltpPassThroughInternal + 0x32
2 fltmgr.sys FltpCreateInternal + 0x63
3 fltmgr.sys FltpCreate + 0x258
4 ntkrnlpa.exe IofCallDriver + 0x45
5 ntkrnlpa.exe IopParseDevice + 0xa35
6 ntkrnlpa.exe IopParseFile + 0x46
7 ntkrnlpa.exe ObpLookupObjectName + 0x11f
8 ntkrnlpa.exe ObOpenObjectByName + 0xea
9 ntkrnlpa.exe IopCreateFile + 0x447
10 ntkrnlpa.exe IoCreateFile + 0xa3
11 srv.sys srv.sys + 0x233f3
12 srv.sys srv.sys + 0x252e7
13 srv.sys srv.sys + 0x23b68
14 srv.sys srv.sys + 0x2e87
15 ntkrnlpa.exe PspSystemThreadStartup + 0x2e
16 ntkrnlpa.exe KiThreadStartup + 0x16

i.e. SRV.SYS is managing file access from the network (SMB) and there is no chance to get something in user mode...
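The attribution iPath did by eye above (System process, PID 4, stack bottoming out in srv.sys beneath IoCreateFile and the filter manager) can be automated over ProcMon text like the pasted trace. The following is an added example, not code from this thread or from madCodeHook; the sample lines are constructed in the same whitespace-separated format as the post, and the set of "plumbing" modules to skip is an assumption of the example.

```python
from collections import Counter

# Constructed sample in the pasted format: time, process, PID, TID, path, operation.
# The last line is a made-up user-mode event so both branches are exercised.
TRACE = """\
15:24:51.2907288 System 4 1844 D:\\test.vbs CreateFile
15:24:51.2928478 System 4 1844 D:\\test.vbs ReadFile
15:24:51.2935437 System 4 1844 D:\\test.vbs WriteFile
15:24:52.0000000 notepad.exe 1234 1300 D:\\local notes.txt CreateFile
"""

# Constructed sample of a ProcMon call stack: frame, module, location.
STACK = """\
0 fltmgr.sys FltpPerformPreCallbacks + 0x2d4
3 fltmgr.sys FltpCreate + 0x258
4 ntkrnlpa.exe IofCallDriver + 0x45
10 ntkrnlpa.exe IoCreateFile + 0xa3
11 srv.sys srv.sys + 0x233f3
15 ntkrnlpa.exe PspSystemThreadStartup + 0x2e
"""

# Assumption: filter manager and kernel image frames are I/O plumbing, not the originator.
PLUMBING = {"fltmgr.sys", "ntkrnlpa.exe", "ntoskrnl.exe"}

def parse_events(text):
    """Return (process, pid, path, operation) tuples; paths may contain spaces."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        _time, process, pid, _tid, rest = line.split(maxsplit=4)
        path, operation = rest.rsplit(maxsplit=1)
        events.append((process, int(pid), path, operation))
    return events

def originating_module(stack_text):
    """Walk from the innermost frame outward; the first non-plumbing module issued the I/O."""
    for line in stack_text.splitlines():
        parts = line.split(maxsplit=2)
        if len(parts) >= 2 and parts[1].lower() not in PLUMBING:
            return parts[1]
    return None

def classify(events, stack_text):
    """Split events into kernel-originated (PID 4 is always System) and user-mode ones.

    Only the user-mode set is reachable by NtCreateFile/NtOpenFile hooks."""
    kernel = [e for e in events if e[1] == 4]
    user = [e for e in events if e[1] != 4]
    return {
        "kernel_originator": originating_module(stack_text) if kernel else None,
        "kernel_ops": Counter(e[3] for e in kernel),
        "user_ops": Counter(e[3] for e in user),
        "unhookable_paths": sorted({e[2] for e in kernel}),
    }
```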

Posted: Mon Jul 12, 2010 5:36 pm
by madshi
So you'll have to go to driver land. Some years ago I saw the source code of an old version of the Sysinternals file monitor flying around the internet. If you want to go that way, a google search might find it for you as a good starting point...

Posted: Mon Jul 12, 2010 6:18 pm
by iPath
Thanks Madshi!
I'll google around :)

Posted: Mon Jul 12, 2010 6:20 pm
by aiwnjoo
Not sure if I can post this link, but here goes:

http://www.wasm.ru/baixado.php?mode=tool&id=283

FileMon / RegMon v4.3xx Sources, hopefully this is what you need.

Posted: Mon Jul 12, 2010 8:37 pm
by iPath
10x! I'll dig it :)