To All,
This is my first post to this forum. So here goes...
I have an application that uses filesystemwatcher. The application works great, but I have found several ways to defeat the program.
The current application is monitoring a single file for any access using this:
fileWatcher.NotifyFilter = NotifyFilters.LastAccess;
and I have tried this:
fileWatcher.NotifyFilter = NotifyFilters.LastAccess | NotifyFilters.FileName ;
First way to defeat:
If a user opens the file being monitored and clicks the "x" or selects "exit" from the File menu, NO filesystemwatcher event is triggered. Even the Accessed timestamp of the file is not changed.
Second way to defeat:
If a user right-clicks on the file being monitored and selects Copy from the context menu, NO filesystemwatcher event is triggered.
Third way to defeat:
If a user right-clicks on the file being monitored and selects Send To > Mail Recipient from the context menu, NO filesystemwatcher event is triggered.
Does anyone know how I can catch these events?
THANKS IN ADVANCE FOR ANY HELP,
Intel96
-
-
Well, it seems that the actions you describe have no effect on the file itself.
1. If the application is closed with the X button, then the file was in no way modified, because most applications save the file on exit (or prompt for it).
2. If the file is being copied, then again, nothing happened to the file. It was just copied, not modified.
3. I believe it is the same as above.
As to how to catch the events... At the moment, no idea. But why do you need to catch such events? -
I don't know if those issues can be fixed. The FileSystemWatcher uses the native Windows APIs to monitor the changes. It could probably be that already at that level the system doesn't work properly to have the events triggered appropriately.
-
littleguru wrote:I don't know if those issues can be fixed. The FileSystemWatcher uses the native Windows APIs to monitor the changes. It could probably be that already at that level the system doesn't work properly to have the events triggered appropriately.
These are not "issues". The FileSystemWatcher watches for changes to files. None of the scenarios given ever changes the file in question.
What exactly are you trying to do? -
Use api calls and a timer to find out whenever someone gets a handle to the file.
Hack, but should work. -
First, I know that filesystemwatcher is not designed to capture these events that I posted about.
The application that I am working on is for a security task that I need to accomplish for work.
I know that I could set some ACLs to prevent someone from accessing the file, but I want everyone to have access. I need to log each time the file is opened, copied or e-mailed. Filesystemwatcher will catch opens, but only if the user saves the file. The user is never going to save the file.
I am looking for some help in how to catch these events. Point me to the create API, which I think is Win32, but I have no idea what to look for in that API.
Thanks for any help.
Intel96
-
something like laying out bait in order to wait and see who's trying to steal it?
-
intel96 wrote:First, I know that filesystemwatcher is not designed to capture these events that I posted about.
The application that I am working on is for a security task that I need to accomplish for work.
I know that I could set some ACLs to prevent someone from accessing the file, but I want everyone to have access. I need to log each time the file is opened, copied or e-mailed. Filesystemwatcher will catch opens, but only if the user saves the file. The user is never going to save the file.
I am looking for some help in how to catch these events. Point me to the create API, which I think is Win32, but I have no idea what to look for in that API.
Thanks for any help.
Intel96
Research NetApi32:
You can find out if someone has a handle on the file using this enumeration, but you will need
1) Network permissions to do so
2) To have it run on a timer, so it may not be very efficient
using System;
using System.Runtime.InteropServices;

// NetFileEnum (level 3) lists the handles currently open on a server's shared resources.
[DllImport("Netapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
static extern int NetFileEnum(string servername, string basepath, string username,
    int level, ref IntPtr bufptr, int prefmaxlen,
    out int entriesread, out int totalentries, IntPtr resume_handle);

[DllImport("Netapi32.dll", SetLastError = true)]
static extern int NetApiBufferFree(IntPtr Buffer);

// Layout matches the native FILE_INFO_3 record; its strings are Unicode (LMSTR).
[StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
struct FILE_INFO_3
{
    public int fi3_id;
    public int fi3_permission;
    public int fi3_num_locks;
    [MarshalAs(UnmanagedType.LPWStr)] public string fi3_pathname;
    [MarshalAs(UnmanagedType.LPWStr)] public string fi3_username;
}

const int MAX_PREFERRED_LENGTH = -1;   // let the system size the buffer
const int NERR_Success = 0;

// _serverName, _basePath and _userName are fields of the surrounding class:
// server (e.g. @"\\server"), local path prefix on the server, and a user filter (null = all).
int dwReadEntries;
int dwTotalEntries;
IntPtr pBuffer = IntPtr.Zero;
int dwStatus = NetFileEnum(_serverName, _basePath, _userName, 3, ref pBuffer,
    MAX_PREFERRED_LENGTH, out dwReadEntries, out dwTotalEntries, IntPtr.Zero);
if (dwStatus == NERR_Success)
{
    int size = Marshal.SizeOf(typeof(FILE_INFO_3));
    for (int i = 0; i < dwReadEntries; i++)
    {
        // The buffer holds an array of FILE_INFO_3 records back to back.
        IntPtr entry = new IntPtr(pBuffer.ToInt64() + (long)i * size);
        FILE_INFO_3 pCurrent = (FILE_INFO_3)Marshal.PtrToStructure(entry, typeof(FILE_INFO_3));
        Console.WriteLine("{0} has {1} open (handle id {2})",
            pCurrent.fi3_username, pCurrent.fi3_pathname, pCurrent.fi3_id);
    }
    NetApiBufferFree(pBuffer);   // the system allocated the buffer, so it must be freed here
}
-
You could also hook into the OpenFiles command from the command prompt (and prolly from PowerShell),
OpenFiles /Query /s <server> /U <domain\username> /P <password>
http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/openfiles.mspx?mfr=true -
intel96 wrote:First, I know that filesystemwatcher is not designed to capture these events that I posted about.
The application that I am working on is for a security task that I need to accomplish for work.
I know that I could set some ACLs to prevent someone from accessing the file, but I want everyone to have access. I need to log each time the file is opened, copied or e-mailed. Filesystemwatcher will catch opens, but only if the user saves the file. The user is never going to save the file.
I am looking for some help in how to catch these events. Point me to the create API, which I think is Win32, but I have no idea what to look for in that API.
Thanks for any help.
Intel96
Perhaps if you could better describe what needs to happen we might have other ways to solve this?
for example:
I need to list each user who has read the file or emailed it.
perhaps leaving the file on the network is not the best way to do the job?
can you use something like SharePoint web to allow users to "check out" the file?
that would, I think, track the access and allow read permissions.
do you need to leave the file out there as a kind of "Honeypot" to see who is trying to do something they have been told not to do?
a better description might lead to a better answer. -
Ok the application is a honeypot, which places a honeytoken (file) out on a share for the world. Anyone can access the share, but the folder called whatever should never be opened by anyone. The file in the folder should NEVER be touched by anyone.
If someone browses the folder and opens, copies or e-mails the file I need to know. I have several alerting pieces working (e-mail, net send, event logs, SNMP, SMS) that tell me when someone does any filesystemwatcher event being monitored, but the items that I need to catch are out of scope for the filesystemwatcher class.
Intel96 -
intel96 wrote:
I know that I could set some ACLs to prevent someone from accessing the file, but I want everyone to have access. I need to log each time the file is opened, copied or e-mailed. Filesystemwatcher will catch opens, but only if the user saves the file. The user is never going to save the file.
NT can do this for you. Simply enable file event auditing and set an appropriate SACL on the file. Job done.
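The SACL approach from the post above, as an added example that is not part of the thread: it puts an audit entry for Everyone on the honeytoken file so that every read-type open (which covers opening in an application, copying, and attaching to mail) lands in the server's Security log as an object-access event, whether or not the user ever saves. The path is a placeholder, and the example assumes "Audit object access" (the "File System" subcategory on newer systems) is enabled on the file server and that the account running it holds the "Manage auditing and security log" privilege.

```csharp
using System;
using System.IO;
using System.Security.AccessControl;
using System.Security.Principal;

// Added example, not code from the thread. Applies a SACL audit rule to one file.
// Prerequisite on the file server (not done here):
//   auditpol /set /subcategory:"File System" /success:enable /failure:enable
class HoneytokenAudit
{
    static void Main(string[] args)
    {
        // Hypothetical share path; substitute the real honeytoken location.
        string path = args.Length > 0 ? args[0] : @"\\server\share\whatever\secret.xls";

        FileInfo file = new FileInfo(path);

        // Load only the audit (SACL) section; reading it needs SeSecurityPrivilege.
        FileSecurity security = file.GetAccessControl(AccessControlSections.Audit);

        // Use the well-known SID for Everyone so the rule is locale-independent.
        SecurityIdentifier everyone =
            new SecurityIdentifier(WellKnownSidType.WorldSid, null);

        // Audit both successful and failed attempts to read the data or metadata.
        FileSystemAuditRule rule = new FileSystemAuditRule(
            everyone,
            FileSystemRights.ReadData | FileSystemRights.ReadAttributes |
            FileSystemRights.ReadExtendedAttributes | FileSystemRights.ReadPermissions,
            AuditFlags.Success | AuditFlags.Failure);

        security.AddAuditRule(rule);
        file.SetAccessControl(security);

        Console.WriteLine("Audit rule applied to {0}.", path);
        Console.WriteLine("Watch the server's Security log for object-access events " +
                          "(ID 560 on XP/2003, 4663 on Vista and later).");
    }
}
```

The events are written by the file server itself, so they cannot be suppressed by anything running on the client, and a remote collector or forwarding rule can pick them up without any process on the server that an administrator might notice and stop.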
-
I am monitoring the file remotely on a fileshare on a main server.
I know I can set an ACL on the file.
I know that I can enable auditing on the file.
I want to monitor the file with a standalone application that cannot be defeated if someone hacks the admin password on the remote system or has admin rights already.
-
intel96 wrote:I am monitoring the file remotely on a fileshare on a main server.
I know I can set an ACL on the file.
I know that I can enable auditing on the file.
I want to monitor the file with a standalone application that cannot be defeated if someone hacks the admin password on the remote system or has admin rights already.
But if they have admin rights, then they could just close the standalone application... -
No they cannot bypass the application, because they do not know that it is being used. I am connected to the main share remotely and monitoring a subfolder within that share.
Yes, I am sure they could run from the command-line "net session" to see who is connected to the system. But they are only going to see that I am connected to main share along with everyone else.
If that fails I can run the application as a service with some cool name. IMHO most admins have no IDEA what is running on their systems; I should know, because I always question them.
-
phreaks,
I want to put your code example into a class called NetFile. Can you provide me some details on how to use your code example from this class? -
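One way to wrap the NetFileEnum call in a class and drive it from a timer, as suggested earlier in the thread ("api calls and a timer"), written as an added example rather than phreaks' code. The server name and base path are placeholders; the class polls the server, diffs each snapshot against the previous one, and raises an event for every (user, path) pair that has newly appeared. It only sees handles opened through the share, and the calling account needs administrative rights on the server for NetFileEnum to succeed.

```csharp
using System;
using System.Collections.Generic;
using System.ComponentModel;
using System.Runtime.InteropServices;
using System.Threading;

// Added example, not code from the thread: polls NetFileEnum and reports new open handles.
public sealed class NetFile : IDisposable
{
    [DllImport("Netapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern int NetFileEnum(string servername, string basepath, string username,
        int level, ref IntPtr bufptr, int prefmaxlen,
        out int entriesread, out int totalentries, IntPtr resume_handle);

    [DllImport("Netapi32.dll")]
    static extern int NetApiBufferFree(IntPtr buffer);

    [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
    struct FILE_INFO_3
    {
        public int fi3_id;
        public int fi3_permissions;
        public int fi3_num_locks;
        [MarshalAs(UnmanagedType.LPWStr)] public string fi3_pathname;
        [MarshalAs(UnmanagedType.LPWStr)] public string fi3_username;
    }

    const int MAX_PREFERRED_LENGTH = -1;

    readonly string server;     // hypothetical, e.g. @"\\mainserver"
    readonly string basePath;   // local path prefix on the server, e.g. @"D:\Share\whatever"
    readonly object syncRoot = new object();
    HashSet<string> previous = new HashSet<string>(StringComparer.OrdinalIgnoreCase);
    Timer timer;

    // Raised once per newly observed (username, pathname) handle.
    public event Action<string, string> FileOpened;

    public NetFile(string server, string basePath)
    {
        this.server = server;
        this.basePath = basePath;
    }

    // One snapshot of every handle currently open under basePath on the server.
    public List<KeyValuePair<string, string>> Snapshot()
    {
        var result = new List<KeyValuePair<string, string>>();
        IntPtr buffer = IntPtr.Zero;
        int read, total;
        int status = NetFileEnum(server, basePath, null, 3, ref buffer,
            MAX_PREFERRED_LENGTH, out read, out total, IntPtr.Zero);
        if (status != 0)
            throw new Win32Exception(status, "NetFileEnum failed");
        try
        {
            int size = Marshal.SizeOf(typeof(FILE_INFO_3));
            for (int i = 0; i < read; i++)
            {
                IntPtr entry = new IntPtr(buffer.ToInt64() + (long)i * size);
                var info = (FILE_INFO_3)Marshal.PtrToStructure(entry, typeof(FILE_INFO_3));
                result.Add(new KeyValuePair<string, string>(info.fi3_username, info.fi3_pathname));
            }
        }
        finally { NetApiBufferFree(buffer); }
        return result;
    }

    // Poll at the given interval. A handle opened and closed between two polls is missed,
    // which is the inherent blind spot of polling compared with server-side SACL auditing.
    public void Start(TimeSpan interval)
    {
        timer = new Timer(_ => Poll(), null, TimeSpan.Zero, interval);
    }

    void Poll()
    {
        lock (syncRoot)   // prevent overlapping timer callbacks from racing on 'previous'
        {
            var current = new HashSet<string>(StringComparer.OrdinalIgnoreCase);
            foreach (var open in Snapshot())
            {
                string key = open.Key + "|" + open.Value;
                current.Add(key);
                if (!previous.Contains(key))
                {
                    var handler = FileOpened;
                    if (handler != null) handler(open.Key, open.Value);
                }
            }
            previous = current;
        }
    }

    public void Dispose() { if (timer != null) timer.Dispose(); }
}

// Usage (hypothetical names):
//   var watcher = new NetFile(@"\\mainserver", @"D:\Share\whatever");
//   watcher.FileOpened += (user, path) => Console.WriteLine("{0} opened {1}", user, path);
//   watcher.Start(TimeSpan.FromSeconds(2));
```

Keep the interval short, since a copy or a mail attachment holds the handle only for as long as the read takes; the FileOpened handler is where the existing e-mail, event log or SNMP alerting would plug in.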
intel96 wrote: phreaks,
I want to put your code example into a class called NetFile. Can you provide me some details on how to use your code example from this class?
Ya know, now that I think of this, I believe that you could prolly use FileMon from SysInternals to accomplish this task. Why reinvent the wheel?
I think you can script it to write to a log as well.
http://www.microsoft.com/technet/sysinternals/utilities/Filemon.mspx -
intel96 wrote:No they cannot bypass the application, because they do not know that it is being used. I am connected to the main share remotely and monitoring a subfolder within that share.
Yes, I am sure they could run from the command-line "net session" to see who is connected to the system. But they are only going to see that I am connected to main share along with everyone else.
If that fails I can run the application as a service with some cool name. IMHO most admins have no IDEA what is running on their systems; I should know, because I always question them.
Ah, I see. I thought this would be running on the local computer, not on a remote machine.