How to determine if the current IRP comes from the network?

xiaoxiao2021-03-06  53

Another small contribution: how can a driver determine whether the current IRP comes from the network?

How can file access that originates from the network be detected from the IRP stack location (IrpSp)?

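// -----------------------------------------------------------------------------
// Fragment for a create (IRP_MJ_CREATE) path. It inspects the token of the
// requesting subject and returns 123 when the token's source name is
// "NTLMSSP", otherwise 0.
//
// IrpSp is the current PIO_STACK_LOCATION supplied by the enclosing routine
// (spelled "Irpsp" in the original listing).
//
// NOTE(review): the token source only names the component that created the
// logon. "NTLMSSP" matches NTLM network logons; a network logon authenticated
// by another package (for example Kerberos) presumably carries a different
// source name and would be reported as local here. Treat the result as a hint,
// not as the sole input to an access-control decision. Where it applies,
// IoIsFileOriginRemote() on the file object is a second signal to consider.
// -----------------------------------------------------------------------------

NTSTATUS status;
PACCESS_TOKEN pToken = NULL;
PTOKEN_SOURCE pTokenSrc = NULL;
PSECURITY_SUBJECT_CONTEXT secSubCtx;
PIO_SECURITY_CONTEXT ioSecCtx;
CHAR sourceName[TOKEN_SOURCE_LENGTH + 1];
int result = 0;

// Guard the pointer chain before dereferencing it; a missing security
// context means there is no subject token to examine.
ioSecCtx = IrpSp->Parameters.Create.SecurityContext;
if (ioSecCtx == NULL || ioSecCtx->AccessState == NULL)
{
    return 0;
}

secSubCtx = &(ioSecCtx->AccessState->SubjectSecurityContext);

// SeQuerySubjectContextToken yields the client (impersonation) token when one
// is present and the primary token otherwise.
if (secSubCtx->ClientToken != NULL || secSubCtx->PrimaryToken != NULL)
{
    pToken = SeQuerySubjectContextToken(secSubCtx);
}

if (pToken == NULL)
{
    // KdPrint(("SeQuerySubjectContextToken error\n"));
    return 0;
}

//
// Get the token source name. "NTLMSSP" means the logon came in via
// LanManager (NTLM); "User32" represents locally logged-in users.
//
__try
{
    // On success the routine allocates the TOKEN_SOURCE buffer; it is
    // released in the __finally block below.
    status = SeQueryInformationToken(pToken, TokenSource, (PVOID *)&pTokenSrc);

    if (NT_SUCCESS(status) && pTokenSrc != NULL)
    {
        // SourceName is a fixed CHAR[TOKEN_SOURCE_LENGTH] array that is not
        // guaranteed to be NUL-terminated. Copy it into a buffer one byte
        // larger instead of overwriting its last character, which would
        // truncate a source name that uses the full length.
        RtlCopyMemory(sourceName, pTokenSrc->SourceName, TOKEN_SOURCE_LENGTH);
        sourceName[TOKEN_SOURCE_LENGTH] = '\0';

        KdPrint(("Token Name: %s len: %d\n", sourceName, (int)strlen(sourceName)));

        if (_stricmp(sourceName, "NTLMSSP") == 0)
        {
            KdPrint(("Network access token found\n"));
            result = 123;
        }
    }
    else
    {
        KdPrint(("SeQueryInformationToken error: 0x%x\n", status));
    }
}
__finally
{
    // The buffer exists only if the query succeeded; ExFreePool must not be
    // called with a NULL pointer.
    if (pTokenSrc != NULL)
    {
        ExFreePool(pTokenSrc);
    }
}

return result;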
