在做文件过滤驱动的时候,经常会想知道这个文件访问请求是来自本地还是网络的,这样就可以根据自己制定的安全策略,决定是否允许这些请求完成,因 此,成功的判断来自网络的文件访问就十分必要了。刚刚从驱网bmyyyud的Blog那里看到的一篇相关文章,还没有来得及测试,先转载过来吧,有空试 试。
//---------------------------------------------------
//从IrpStackLocation中判断来自网络的文件访问
BOOLEAN SfIsFromNetAccess(
PIO_STACK_LOCATION IrpSp
)
{
NTSTATUS status;
PACCESS_TOKEN pToken = NULL;
PTOKEN_SOURCE pTokenSrc = NULL ;
PSECURITY_SUBJECT_CONTEXT secSubCtx;
//PIO_STACK_LOCATION IrpSp = IoGetCurrentIrpStackLocation(Irp);
secSubCtx = &(IrpSp->Parameters.Create.SecurityContext->AccessState->SubjectSecurityContext);
if (secSubCtx->ClientToken != NULL || secSubCtx->PrimaryToken != NULL)
{
pToken = SeQuerySubjectContextToken(secSubCtx);
}
if (pToken == NULL)
{
//KdPrint(("SeQuerySubjectContextToken Errorn"));
return FALSE;
}
//
// Get TokenSource Name If SourceName is "NtLmSsp" it was logged-in via Lanmanager,
// "User32" represents localy logged-in users.
//
__try
{
status = SeQueryInformationToken(pToken,TokenSource,&pTokenSrc);
if (NT_SUCCESS(status))
{
pTokenSrc->SourceName[TOKEN_SOURCE_LENGTH-1] = 0x00;
KdPrint(("Token Name :%s Len:%dn",pTokenSrc->SourceName,strlen(pTokenSrc->SourceName)));
if (_stricmp(pTokenSrc->SourceName,"NtLmSsp") == 0 )
{
KdPrint(("NetWork Access Token Findn"));
return TRUE;
}
}
else
{
KdPrint(("SeQueryInformationToken Error:0x%xn",status));
}
}
__finally
{
ExFreePool(pTokenSrc);
}
return FALSE;
}
没有评论:
发表评论