Another brick, how to determine if the current IRP comes from the network? :
How to judge file access from the network from IrPstackLocation?
/ / -------------------------------------------------------------------------------------------- ---
NTSTATUS STATUS;
Paccess_token ptoken = null;
Ptoken_Source PtoKensRC = NULL;
Psecurity_subject_context secsubctX;
SecsubctX = & (Irpsp-> parameters.create.securityContext-> accessstate-> SubjectSectSecurityContext);
IF (SecsubctX-> ClientToken! = null || SecsubctX-> PrimaryToken! = NULL)
{
Ptoken = SEQUERYSUBJECTCONTEXTTOKEN (SECSUBCTX);
}
IF (ptoken == null)
{
// kdprint (("SequerySubjectContextToken ErrorN");
Return 0
}
//
// Get tokenSource Name if SourceName Is "NTLMSSP" IT WAS Logged-in Via LanManager,
// "User32" represents localy logged-in users.
//
__TRY
{
Status = SequeryInformationToken (Ptoken, TokenSource, & PtoKensrc);
IF (Nt_Success (status))
{
Ptokensrc-> SourceName [token_source_length-1] = 0x00;
Kdprint (("Token Name:% S len:% DN", Ptokensrc-> SourceName, Strlen (PtoKensRc-> SourceName))))
IF (_Tricmp (PtoKensRc-> SourceName, "NTLMSSP") == 0)
{
Kdprint (("NetWork Access Token Findn));
Return 123
}
}
Else
{
Kdprint (("SequeryinformationToken Error: 0x% XN", STATUS);
}
}
__finally
{
ExfreePool (ptokensrc);
}
Return 0