Monitoring SMB file activity

iPath
Posts: 25
Joined: Sat Dec 12, 2009 4:48 pm

Monitoring SMB file activity

Post by iPath »

Hi there :)

The idea is very simple: to monitor file access made via SMB and eventually denying it.
I suppose the Server service is calling the CreateFile/NtOpenFile APIs. But when I hook all of these and try to access a file on my computer from another one via \\myComputer\myShare\myFile, I cannot see any entry in my log for that file.

Maybe the Server service is doing some of the stuff in the kernel?

Every idea will be appreciated :)

Regards,
Petar
madshi
Site Admin
Posts: 10753
Joined: Sun Mar 21, 2004 5:25 pm

Post by madshi »

I don't really know where SMB is really running. Maybe it's in kernel land. In that case madCodeHook won't be able to hook it. If it's in user land and if your hook DLL is really injected system-wide (even into all system processes), then hooking NtCreateFile + NtOpenFile should catch the file access.
iPath
Posts: 25
Joined: Sat Dec 12, 2009 4:48 pm

Post by iPath »

Thanks Madshi,
I'll look at the code to see if I am doing "really" system-wide hooking. I'll also try hooking NtCreateFile.

P.S. I found the Server service has a kernel driver, srv.sys... maybe all that stuff is going on there :(
iPath
Posts: 25
Joined: Sat Dec 12, 2009 4:48 pm

Post by iPath »

It seems all the stuff is happening in the kernel :( I ran ProcMon (Sysinternals) and noticed that when I access the file \\myComputer\d$\test.vbs, the SYSTEM process is doing CreateFile etc.

Time Process PID TID Path Operation
15:24:51.2907288 System 4 1844 D:\test.vbs CreateFile
15:24:51.2909173 System 4 1844 D:\test.vbs FileSystemControl
15:24:51.2909389 System 4 1844 D:\test.vbs QueryNetworkOpenInformationFile
15:24:51.2909713 System 4 1844 D:\test.vbs QueryEaInformationFile
15:24:51.2909992 System 4 1844 D:\test.vbs QueryStreamInformationFile
15:24:51.2910428 System 4 1844 D:\test.vbs QueryAttributeTagFile
15:24:51.2910702 System 4 1844 D:\test.vbs QuerySecurityFile
15:24:51.2911020 System 4 1844 D:\test.vbs QuerySecurityFile
15:24:51.2916141 System 4 1844 D:\test.vbs QueryFileInternalInformationFile
15:24:51.2921926 System 4 1844 D:\test.vbs FileSystemControl
15:24:51.2928478 System 4 1844 D:\test.vbs ReadFile
15:24:51.2928777 System 4 1844 D:\test.vbs ReadFile
15:24:51.2935437 System 4 1844 D:\test.vbs WriteFile
15:24:51.2935674 System 4 1844 D:\test.vbs WriteFile

The call stack:

Frame Module Location
0 fltmgr.sys FltpPerformPreCallbacks + 0x2d4
1 fltmgr.sys FltpPassThroughInternal + 0x32
2 fltmgr.sys FltpCreateInternal + 0x63
3 fltmgr.sys FltpCreate + 0x258
4 ntkrnlpa.exe IofCallDriver + 0x45
5 ntkrnlpa.exe IopParseDevice + 0xa35
6 ntkrnlpa.exe IopParseFile + 0x46
7 ntkrnlpa.exe ObpLookupObjectName + 0x11f
8 ntkrnlpa.exe ObOpenObjectByName + 0xea
9 ntkrnlpa.exe IopCreateFile + 0x447
10 ntkrnlpa.exe IoCreateFile + 0xa3
11 srv.sys srv.sys + 0x233f3
12 srv.sys srv.sys + 0x252e7
13 srv.sys srv.sys + 0x23b68
14 srv.sys srv.sys + 0x2e87
15 ntkrnlpa.exe PspSystemThreadStartup + 0x2e
16 ntkrnlpa.exe KiThreadStartup + 0x16

I.e., SRV.SYS is managing file access from the network (SMB), and there is no chance to get anything in user mode...
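To make the observation in this post concrete, here is an added Python example (not part of the thread, and not madCodeHook code) that parses the ProcMon lines quoted above and flags the I/O a user-mode hook cannot observe: every event is issued by PID 4, the System process, whose thread is executing srv.sys according to the call stack. The column order (time, process, PID, TID, path, operation) is an assumption about how the ProcMon columns were laid out when the log was copied.

```python
"""Attribute ProcMon file events to their requesting process.

Added example, not part of the original thread. The sample lines are the
ProcMon output quoted in the post; the column layout used to parse them
(Time, Process, PID, TID, Path, Operation) is an assumption.
"""
from __future__ import annotations

from collections import Counter, defaultdict
from dataclasses import dataclass

# PID 4 is the Windows "System" process: its threads execute kernel code
# such as srv.sys, so nothing it does passes through a user-mode API hook.
SYSTEM_PID = 4

# Constructed sample: the ProcMon lines quoted in the post (raw string, so
# the backslashes in the paths are literal).
SAMPLE_LOG = r"""
15:24:51.2907288 System 4 1844 D:\test.vbs CreateFile
15:24:51.2909173 System 4 1844 D:\test.vbs FileSystemControl
15:24:51.2909389 System 4 1844 D:\test.vbs QueryNetworkOpenInformationFile
15:24:51.2909713 System 4 1844 D:\test.vbs QueryEaInformationFile
15:24:51.2909992 System 4 1844 D:\test.vbs QueryStreamInformationFile
15:24:51.2910428 System 4 1844 D:\test.vbs QueryAttributeTagFile
15:24:51.2910702 System 4 1844 D:\test.vbs QuerySecurityFile
15:24:51.2911020 System 4 1844 D:\test.vbs QuerySecurityFile
15:24:51.2916141 System 4 1844 D:\test.vbs QueryFileInternalInformationFile
15:24:51.2921926 System 4 1844 D:\test.vbs FileSystemControl
15:24:51.2928478 System 4 1844 D:\test.vbs ReadFile
15:24:51.2928777 System 4 1844 D:\test.vbs ReadFile
15:24:51.2935437 System 4 1844 D:\test.vbs WriteFile
15:24:51.2935674 System 4 1844 D:\test.vbs WriteFile
"""


@dataclass(frozen=True)
class Event:
    time: str
    process: str
    pid: int
    tid: int
    path: str
    operation: str


def parse_line(line: str) -> Event:
    """Split one ProcMon line; the path is everything between TID and the operation,
    so paths containing spaces survive."""
    fields = line.split()
    if len(fields) < 6:
        raise ValueError(f"unexpected ProcMon line: {line!r}")
    return Event(
        time=fields[0],
        process=fields[1],
        pid=int(fields[2]),
        tid=int(fields[3]),
        path=" ".join(fields[4:-1]),
        operation=fields[-1],
    )


def parse_log(text: str) -> list[Event]:
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def visible_to_usermode_hook(event: Event) -> bool:
    """A hook on NtCreateFile/NtOpenFile in an injected DLL only sees requests that
    originate in user mode. Requests issued by the System process come from kernel
    threads (here srv.sys), so no user-mode hook, however widely injected, sees them."""
    return event.pid != SYSTEM_PID


def unobservable_smb_access(events: list[Event]) -> list[Event]:
    """Events a user-mode hook would miss: the SMB server's own file I/O."""
    return [e for e in events if not visible_to_usermode_hook(e)]


def summarize(events: list[Event]) -> dict[str, Counter]:
    """Count operations per path, e.g. to see reads and writes on a shared file."""
    per_path: dict[str, Counter] = defaultdict(Counter)
    for e in events:
        per_path[e.path][e.operation] += 1
    return dict(per_path)


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    missed = unobservable_smb_access(events)
    print(f"{len(missed)} of {len(events)} events were issued by PID {SYSTEM_PID} (System)")
    for path, ops in summarize(missed).items():
        print(path, dict(ops))
```

The practical check this encodes is the one the post arrives at: in ProcMon, filter on PID 4 and look for srv.sys in the stack. Anything that shows up there is issued from a kernel thread and can only be intercepted below IoCreateFile, i.e. by a file system minifilter (fltmgr.sys is the first frame in the stack), not by an API hook in any user-mode process.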
madshi
Site Admin
Posts: 10753
Joined: Sun Mar 21, 2004 5:25 pm

Post by madshi »

So you'll have to go to driver land. Some years ago I saw the source code of an old version of the Sysinternals file monitor flying around the internet. If you want to go that way, a Google search might find it for you as a good starting point...
iPath
Posts: 25
Joined: Sat Dec 12, 2009 4:48 pm

Post by iPath »

Thanks Madshi!
I'll Google around :)
aiwnjoo
Posts: 52
Joined: Tue Mar 06, 2007 1:06 pm

Post by aiwnjoo »

Not sure if I can post this link, but here goes:

http://www.wasm.ru/baixado.php?mode=tool&id=283

FileMon / RegMon v4.3xx Sources, hopefully this is what you need.
iPath
Posts: 25
Joined: Sat Dec 12, 2009 4:48 pm

Post by iPath »

10x! I'll dig into it :)