
wdk - How to find the service name corresponding to a svchost process in my WFP driver's ALE Callout? - Stack Overflow

In my WFP driver, I register a callout for the FWPM_LAYER_ALE_AUTH_CONNECT_V4 layer.

Now in my callout, in case the process that made the connection was svchost, I want to extract the SID of the service, or the service name (the goal is to find the service name in the end, using the service's SID or not). This is because a single svchost process can have multiple services, and I want to know which service caused this connection. I am accessing the token similarly to the code below:


    // TOKEN_ACCESS_INFORMATION for the token of the process that opened the connection
    token = (PTOKEN_ACCESS_INFORMATION)inFixedValues->incomingValue[FWPS_FIELD_ALE_AUTH_CONNECT_V4_ALE_USER_ID].value.tokenAccessInformation->data;

    // first SID_AND_ATTRIBUTES entry of the token's SID hash, i.e. the token user
    originalSid = token->SidHash->SidAttr->Sid;

    ...

    // allocate (TRUE) and fill the textual "S-1-5-..." form of the SID
    UNICODE_STRING sidString;
    status = RtlConvertSidToUnicodeString(&sidString, originalSid, TRUE);

I tried to extract the SID from the FWPS_FIELD_ALE_AUTH_CONNECT_V4_ALE_USER_ID using RtlConvertSidToUnicodeString hoping it would be the service's SID, but it gives me the user's SID instead.

So my question is, in my callout or afterwards, in case an svchost process makes a connection, how can I find its corresponding service name?

The Windows Firewall, which is WFP-based, seems to be able to get the service name of a connection, because you can have service-based rules in the firewall.

And some open source projects have user-mode code similar to below:

    public ServiceNameFilterCondition(string serviceName)
        : base(ConditionKeys.FWPM_CONDITION_ALE_USER_ID, FieldMatchType.FWP_MATCH_EQUAL, $"O:SYG:SYD:(A;;CCRC;;;{GetServiceSidFromName(serviceName)})")
    {
    }

So it seems like they are assuming ALE_USER_ID should contain the service SID? For example https://github.com/pylorak/TinyWall

Asked Nov 28, 2024 at 10:11 by OneAndOnly; edited Nov 28, 2024 at 12:04.

Comments:

  • learn.microsoft.com/en-us/sql/relational-databases/security/… community.osr.com/t/… ... – OneAndOnly, Nov 28, 2024 at 10:45
  • @RemyLebeau ... I'm not sure why we are still wasting time talking when you can google pcsxcetrasupport3.wordpress.com/2013/09/08/… community.osr.com/t/… – OneAndOnly, Nov 28, 2024 at 10:59
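As an added example (my own code, not from the question, TinyWall or the answer): the user-mode snippet above passes a per-service SID in its SDDL, and that SID is not looked up anywhere but derived from the service name as S-1-5-80 followed by the SHA-1 of the upper-cased UTF-16LE name split into five little-endian DWORDs, the derivation the linked blog post describes. The helper names are mine; the last function shows why a user SID read from the token (S-1-5-21-...) can never equal such a condition value.

```python
import hashlib
import struct

# NT SERVICE\<name> SIDs all share this identifier authority / first sub-authority.
SERVICE_SID_PREFIX = "S-1-5-80"


def service_sid_from_name(service_name: str) -> str:
    """Derive the SID Windows assigns to NT SERVICE\\<service_name>.

    SHA-1 of the upper-cased name in UTF-16LE; the 20-byte digest is read as
    five little-endian 32-bit sub-authorities appended to S-1-5-80. The name
    is case-insensitive, so "trustedinstaller" and "TrustedInstaller" agree.
    (Helper name is hypothetical; the derivation is the documented one.)
    """
    digest = hashlib.sha1(service_name.upper().encode("utf-16-le")).digest()
    sub_authorities = struct.unpack("<5I", digest)
    return SERVICE_SID_PREFIX + "".join(f"-{sa}" for sa in sub_authorities)


def service_user_id_sddl(service_name: str) -> str:
    """Build the SDDL string used as an FWPM_CONDITION_ALE_USER_ID match
    value, in the same shape as the user-mode snippet quoted in the question:
    owner SYSTEM, group SYSTEM, one access-allowed ACE (CC|RC) for the
    service SID."""
    return f"O:SYG:SYD:(A;;CCRC;;;{service_sid_from_name(service_name)})"


def is_service_sid(sid: str) -> bool:
    """True for a per-service SID (S-1-5-80 plus five sub-authorities); False
    for a user/group SID such as S-1-5-21-..., which is what a callout reading
    the token's user SID with RtlConvertSidToUnicodeString sees."""
    parts = sid.split("-")
    return (
        sid.startswith(SERVICE_SID_PREFIX + "-")
        and len(parts) == 9
        and all(p.isdigit() for p in parts[1:])
    )


if __name__ == "__main__":
    # Constructed inputs: two real service names and a made-up user SID.
    for name in ("TrustedInstaller", "W32Time"):
        print(f"{name:18} {service_sid_from_name(name)}")
    print(service_user_id_sddl("W32Time"))
    print(is_service_sid("S-1-5-21-1111111111-2222222222-3333333333-1001"))  # user SID -> False
```

On a live system `sc showsid <name>` prints the same value, which is a quick way to confirm the derivation for any service you care about.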

1 Answer (score: -1)

A single instance of svchost can run multiple services at a time, so there is not 1 single service name.

You will have to enumerate all of the running services and identify the ones that belong to the same PID that you already have. You can use EnumServicesStatusEx() for that task.
