legacy driver and FS device stack

I am writing a legacy file system filter driver, with the objective of protecting and backing up certain files. I was wondering what would happen, and how I can prevent it from happening, if another driver sends some requests directly to the lowest device in the FS chain, and I would not get to process them. Is this possible?

File systems/file system filters are not my thing, but this is just a
basic filter driver question that comes up a lot.

  1. You really can’t prevent someone else from attaching as they wish in
    a general, safe way, and definitely shouldn’t attempt to block other
    drivers from attaching to anything that you do not own, as it’s more
    than a little hostile, and you have absolutely no way of predicting how
    any software that depends on the blocked filter’s known implementation’s
    behavior will react. Don’t do this.

  2. If your filter is implemented correctly, then there should be no
    change, as you won’t see the requests.

Good luck,

mm

xxxxx@gmail.com wrote:

> I am writing a legacy file system filter driver, with the objective of protecting and backing up certain files.
> I was wondering what would happen, and how I can prevent it from happening,
> if another driver sends some requests directly to the lowest device
> in the FS chain, and I would not get to process them. Is this possible?

My issue was, what if a malicious kernel mode application is sending requests to the device on the bottom of the stack, without attaching or anything (just rolling an IRP and calling IoCallDriver), and attempting to alter one of my files? Then my protection would not offer 100% safety.
Thank you for your answer, MM.

Antimalware cannot provide 100% protection by its very definition.


Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
xxxxx@storagecraft.com
http://www.storagecraft.com

wrote in message news:xxxxx@ntfsd…
> My issue was, what if a malicious kernel mode application is sending
> requests to the device on the bottom of the stack, without attaching or anything
> (just rolling an IRP and calling IoCallDriver), and attempting to alter one of my
> files? Then my protection would not offer 100% safety.
> Thank you for your answer, MM.

:) OK. Thank you Maxim. This certainly takes off some pressure.