Monitoring SMB file activity
Hi there
The idea is very simple: to monitor file access made via SMB and eventually deny it.
I suppose the Server service is calling the CreateFile/NtOpenFile APIs. But when I hook all of these and try to access a file on my computer from another one via \\myComputer\myShare\myFile, I cannot see any entry in my log for that file.
Maybe the Server service is doing some of the stuff in the kernel?
Every idea will be appreciated.
Regards,
Petar
I don't really know where SMB is really running. Maybe it's in kernel land. In that case madCodeHook won't be able to hook it. If it's in user land and if your hook dll is really injected system-wide (even into all system processes), then hooking NtCreateFile + NtOpenFile should catch the file access.
It seems all the stuff is going to be in the kernel. I ran ProcMon (Sysinternals) and then noticed that when I access the file \\myComputer\d$\test.vbs, the SYSTEM process is doing CreateFile etc.
15:24:51.2907288 System 4 1844 D:\test.vbs CreateFile
15:24:51.2909173 System 4 1844 D:\test.vbs FileSystemControl
15:24:51.2909389 System 4 1844 D:\test.vbs QueryNetworkOpenInformationFile
15:24:51.2909713 System 4 1844 D:\test.vbs QueryEaInformationFile
15:24:51.2909992 System 4 1844 D:\test.vbs QueryStreamInformationFile
15:24:51.2910428 System 4 1844 D:\test.vbs QueryAttributeTagFile
15:24:51.2910702 System 4 1844 D:\test.vbs QuerySecurityFile
15:24:51.2911020 System 4 1844 D:\test.vbs QuerySecurityFile
15:24:51.2916141 System 4 1844 D:\test.vbs QueryFileInternalInformationFile
15:24:51.2921926 System 4 1844 D:\test.vbs FileSystemControl
15:24:51.2928478 System 4 1844 D:\test.vbs ReadFile
15:24:51.2928777 System 4 1844 D:\test.vbs ReadFile
15:24:51.2935437 System 4 1844 D:\test.vbs WriteFile
15:24:51.2935674 System 4 1844 D:\test.vbs WriteFile
The call stack:
Frame Module Location
0 fltmgr.sys FltpPerformPreCallbacks + 0x2d4
1 fltmgr.sys FltpPassThroughInternal + 0x32
2 fltmgr.sys FltpCreateInternal + 0x63
3 fltmgr.sys FltpCreate + 0x258
4 ntkrnlpa.exe IofCallDriver + 0x45
5 ntkrnlpa.exe IopParseDevice + 0xa35
6 ntkrnlpa.exe IopParseFile + 0x46
7 ntkrnlpa.exe ObpLookupObjectName + 0x11f
8 ntkrnlpa.exe ObOpenObjectByName + 0xea
9 ntkrnlpa.exe IopCreateFile + 0x447
10 ntkrnlpa.exe IoCreateFile + 0xa3
11 srv.sys srv.sys + 0x233f3
12 srv.sys srv.sys + 0x252e7
13 srv.sys srv.sys + 0x23b68
14 srv.sys srv.sys + 0x2e87
15 ntkrnlpa.exe PspSystemThreadStartup + 0x2e
16 ntkrnlpa.exe KiThreadStartup + 0x16
I.e., SRV.SYS is managing file access from the network (SMB), and there is no chance to get something in user mode...
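The stack above shows the open being issued from srv.sys (the kernel-mode SMB server) and reaching fltmgr.sys's minifilter pre-callbacks, which is why a user-mode API hook never sees it and why a file system minifilter is the place where such access can be observed or denied. As an added example that is not part of this thread, the following Python script parses ProcMon output in the layout posted here (event lines plus call-stack frames) and attributes System-process (PID 4) file operations to the SMB server whenever srv.sys appears in the captured stack. The sample lines are constructed for the example; the extra srv2.sys module (the SMB2 server driver on newer Windows versions) is an assumption not mentioned in the thread, and applying one stack to all events mirrors the single stack posted rather than ProcMon's per-event stacks.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Event line layout as posted in the thread:
#   <time> <process> <PID> <TID> <path> <operation>
# The path is matched non-greedily so paths containing spaces still parse,
# because the operation is always the single last token.
EVENT_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\d+)\s+(\d+)\s+(.+?)\s+(\w+)\s*$")

# Call-stack line layout: "<frame> <module> <location>"
STACK_RE = re.compile(r"^(\d+)\s+(\S+)\s+(.+?)\s*$")

# Kernel-mode SMB server drivers. srv.sys is the one in the thread's stack;
# srv2.sys (the SMB2 server) is an assumption added for newer hosts.
SMB_SERVER_MODULES = {"srv.sys", "srv2.sys"}
SYSTEM_PID = 4  # the System process, whose threads do kernel drivers' work


@dataclass
class ProcMonEvent:
    time: str
    process: str
    pid: int
    tid: int
    path: str
    operation: str


def parse_event_line(line: str) -> Optional[ProcMonEvent]:
    """Parse one ProcMon event line; return None for anything else."""
    m = EVENT_RE.match(line.strip())
    if not m:
        return None
    time, process, pid, tid, path, op = m.groups()
    return ProcMonEvent(time, process, int(pid), int(tid), path, op)


def parse_log(text: str) -> List[ProcMonEvent]:
    """Parse every event line in a ProcMon text dump, skipping other lines."""
    events = []
    for line in text.splitlines():
        ev = parse_event_line(line)
        if ev is not None:
            events.append(ev)
    return events


def parse_call_stack(text: str) -> List[Tuple[int, str, str]]:
    """Return (frame, module, location) triples, skipping the header line."""
    frames = []
    for line in text.splitlines():
        m = STACK_RE.match(line.strip())
        if m:
            frames.append((int(m.group(1)), m.group(2), m.group(3)))
    return frames


def stack_has_smb_server(frames: List[Tuple[int, str, str]]) -> bool:
    """True if any frame belongs to the kernel SMB server driver."""
    return any(module.lower() in SMB_SERVER_MODULES for _, module, _ in frames)


def smb_served_operations(events: List[ProcMonEvent],
                          frames: List[Tuple[int, str, str]]) -> Dict[str, List[str]]:
    """Group distinct operations per path for events the SMB server issued.

    An event is attributed to the SMB server when it ran in the System
    process and the captured stack passes through srv.sys/srv2.sys. Events
    from ordinary user-mode processes are left out of the summary.
    """
    if not stack_has_smb_server(frames):
        return {}
    summary: Dict[str, List[str]] = {}
    for ev in events:
        if ev.pid != SYSTEM_PID:
            continue
        ops = summary.setdefault(ev.path, [])
        if ev.operation not in ops:
            ops.append(ev.operation)
    return summary


# Constructed sample in the thread's layout: three SMB-served operations on
# D:\test.vbs and two local notepad.exe operations for contrast.
SAMPLE_LOG = """\
15:24:51.2907288 System 4 1844 D:\\test.vbs CreateFile
15:24:51.2928478 System 4 1844 D:\\test.vbs ReadFile
15:24:51.2935437 System 4 1844 D:\\test.vbs WriteFile
15:24:52.0000000 notepad.exe 2312 2320 D:\\notes.txt CreateFile
15:24:52.0000100 notepad.exe 2312 2320 D:\\notes.txt ReadFile
"""

# Constructed stack excerpt: the fltmgr pre-callback frame and the srv.sys
# caller, as in the thread; unrelated lines are ignored by the parser.
SAMPLE_STACK = """\
Frame Module Location
0 fltmgr.sys FltpPerformPreCallbacks + 0x2d4
11 srv.sys srv.sys + 0x233f3
"""

if __name__ == "__main__":
    frames = parse_call_stack(SAMPLE_STACK)
    for path, ops in smb_served_operations(parse_log(SAMPLE_LOG), frames).items():
        print(f"{path}: served by SMB server, operations {ops}")
```

The useful output is the per-path list of operations that reached the disk through srv.sys rather than through a local process; feeding a real ProcMon export (saved as text) into parse_log and the per-event stack into parse_call_stack gives the same attribution Petar did by hand.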
Not sure if I can post this link, but here goes:
http://www.wasm.ru/baixado.php?mode=tool&id=283
FileMon / RegMon v4.3xx Sources, hopefully this is what you need.