Monitoring SMB file activity


Postby iPath » Sun Jul 04, 2010 2:05 pm

Hi there :)

The idea is very simple: to monitor file access made via SMB and eventually deny it.
I suppose the Server service is calling the CreateFile/NtOpenFile APIs. But when I hook all these and try to access a file on my computer from another one via \\myComputer\myShare\myFile, I cannot see any entry in my log for that file.

Maybe the Server service is doing some of the stuff in the kernel?

Every idea will be appreciated :)

Regards,
Petar
iPath
 
Posts: 25
Joined: Sat Dec 12, 2009 4:48 pm

Postby madshi » Wed Jul 07, 2010 9:40 am

I don't really know where SMB is really running. Maybe it's in kernel land. In that case madCodeHook won't be able to hook it. If it's in user land and if your hook dll is really injected system wide (even into all system processes), then hooking NtCreateFile + NtOpenFile should catch the file access.
madshi
Site Admin
 
Posts: 9506
Joined: Sun Mar 21, 2004 5:25 pm

Postby iPath » Wed Jul 07, 2010 12:37 pm

Thanks Madshi,
I'll look at the code to see if I am doing "really" system wide hooking. I'll also try hooking NtCreateFile.

p.s. I found the Server service has a kernel driver: srv.sys... maybe all that stuff is going there :(
iPath
 
Posts: 25
Joined: Sat Dec 12, 2009 4:48 pm

Postby iPath » Mon Jul 12, 2010 2:00 pm

It seems all the stuff is going on in the kernel :( I ran ProcMon (Sysinternals) and then noticed that when I access the file \\myComputer\d$\test.vbs the SYSTEM process is doing CreateFile etc.

15:24:51.2907288 System 4 1844 D:\test.vbs CreateFile
15:24:51.2909173 System 4 1844 D:\test.vbs FileSystemControl
15:24:51.2909389 System 4 1844 D:\test.vbs QueryNetworkOpenInformationFile
15:24:51.2909713 System 4 1844 D:\test.vbs QueryEaInformationFile
15:24:51.2909992 System 4 1844 D:\test.vbs QueryStreamInformationFile
15:24:51.2910428 System 4 1844 D:\test.vbs QueryAttributeTagFile
15:24:51.2910702 System 4 1844 D:\test.vbs QuerySecurityFile
15:24:51.2911020 System 4 1844 D:\test.vbs QuerySecurityFile
15:24:51.2916141 System 4 1844 D:\test.vbs QueryFileInternalInformationFile
15:24:51.2921926 System 4 1844 D:\test.vbs FileSystemControl
15:24:51.2928478 System 4 1844 D:\test.vbs ReadFile
15:24:51.2928777 System 4 1844 D:\test.vbs ReadFile
15:24:51.2935437 System 4 1844 D:\test.vbs WriteFile
15:24:51.2935674 System 4 1844 D:\test.vbs WriteFile


The call stack:

Frame Module Location
0 fltmgr.sys FltpPerformPreCallbacks + 0x2d4
1 fltmgr.sys FltpPassThroughInternal + 0x32
2 fltmgr.sys FltpCreateInternal + 0x63
3 fltmgr.sys FltpCreate + 0x258
4 ntkrnlpa.exe IofCallDriver + 0x45
5 ntkrnlpa.exe IopParseDevice + 0xa35
6 ntkrnlpa.exe IopParseFile + 0x46
7 ntkrnlpa.exe ObpLookupObjectName + 0x11f
8 ntkrnlpa.exe ObOpenObjectByName + 0xea
9 ntkrnlpa.exe IopCreateFile + 0x447
10 ntkrnlpa.exe IoCreateFile + 0xa3
11 srv.sys srv.sys + 0x233f3
12 srv.sys srv.sys + 0x252e7
13 srv.sys srv.sys + 0x23b68
14 srv.sys srv.sys + 0x2e87

15 ntkrnlpa.exe PspSystemThreadStartup + 0x2e
16 ntkrnlpa.exe KiThreadStartup + 0x16

i.e. SRV.SYS is managing file access from the network (SMB) and there is no chance to get anything in user mode...
iPath
 
Posts: 25
Joined: Sat Dec 12, 2009 4:48 pm
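An added example (not from the thread, and not madCodeHook code) that turns the ProcMon observation above into a quick triage over log lines in the same six-column layout (time, process, PID, TID, path, operation): anything issued from PID 4 is the System process, where kernel-side callers such as srv.sys run, so no user-mode NtCreateFile/NtOpenFile hook will ever see it. The sample lines are constructed.

```python
import re
from collections import defaultdict

# Constructed sample in the same column layout as the ProcMon excerpt quoted
# in the thread: time, process name, PID, TID, path, operation.
SAMPLE_LOG = """\
15:24:51.2907288 System 4 1844 D:\\test.vbs CreateFile
15:24:51.2928478 System 4 1844 D:\\test.vbs ReadFile
15:24:51.2935437 System 4 1844 D:\\test.vbs WriteFile
15:24:53.1000000 notepad.exe 2312 2340 D:\\notes.txt CreateFile
15:24:53.1000500 notepad.exe 2312 2340 D:\\notes.txt ReadFile
"""

LINE_RE = re.compile(
    r"^(?P<time>\S+)\s+(?P<proc>\S+)\s+(?P<pid>\d+)\s+(?P<tid>\d+)\s+"
    r"(?P<path>.+?)\s+(?P<op>\w+)$"
)

SYSTEM_PID = 4  # the kernel's System process; srv.sys worker threads run here


def parse_procmon_lines(text):
    """Parse lines in the six-column layout into dicts; skip blanks and junk."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["pid"], d["tid"] = int(d["pid"]), int(d["tid"])
            events.append(d)
    return events


def classify_by_origin(events):
    """Per path, split operations into those a user-mode hook could observe
    (issued by a normal process) and those issued from PID 4, which come
    from kernel code and never pass through ntdll in any user process."""
    summary = defaultdict(lambda: {"kernel_side": set(), "user_mode": set()})
    for e in events:
        bucket = "kernel_side" if e["pid"] == SYSTEM_PID else "user_mode"
        summary[e["path"]][bucket].add(e["op"])
    return {p: {k: sorted(v) for k, v in b.items()} for p, b in summary.items()}


def paths_invisible_to_usermode_hooks(events):
    """Paths touched only from PID 4: exactly the accesses a user-mode
    NtCreateFile/NtOpenFile hook will miss, as the thread observed for SMB."""
    s = classify_by_origin(events)
    return sorted(p for p, b in s.items() if b["kernel_side"] and not b["user_mode"])
```

Feeding a real ProcMon export (saved as text in this column order) to parse_procmon_lines gives a fast answer to whether user-mode hooking can cover a given workload or whether a filter driver is needed.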

Postby madshi » Mon Jul 12, 2010 5:36 pm

So you'll have to go driver land. Some years ago I saw the source code of an old version of the Sysinternals file monitor flying around the internet. If you want to go that way, a google search might find it for you as a good starting point...
madshi
Site Admin
 
Posts: 9506
Joined: Sun Mar 21, 2004 5:25 pm

Postby iPath » Mon Jul 12, 2010 6:18 pm

Thanks Madshi!
I'll google around :)
iPath
 
Posts: 25
Joined: Sat Dec 12, 2009 4:48 pm

Postby aiwnjoo » Mon Jul 12, 2010 6:20 pm

Not sure if I can post this link but here goes;

http://www.wasm.ru/baixado.php?mode=tool&id=283

FileMon / RegMon v4.3xx Sources, hopefully this is what you need.
aiwnjoo
 
Posts: 52
Joined: Tue Mar 06, 2007 1:06 pm

Postby iPath » Mon Jul 12, 2010 8:37 pm

10x! I'll dig it :)
iPath
 
Posts: 25
Joined: Sat Dec 12, 2009 4:48 pm
