Windows System Software -- Consulting, Training, Development -- Unique Expertise, Guaranteed Results

Before Posting... Please check out the Community Guidelines in the
Announcements and Administration Category.

Minifilter - STATUS_REPARSE .exe files (win 10 x64) ?

Hey all,

I have the following scenario:

Say a user wants to execute 'a.exe', I would like to change his request to open 'b.exe' instead.
I've tried doing so with IO_REPARSE + STATUS_REPARSE in my fs minifilter (plus disallowing fastio), but it doesn't seem to work.

Procmon and filespy show reparses as expected, but CreateProcess still gets 'a.exe' in its command line.
It seems as though later, when the loader maps the file to memory, the reparse takes affect and 'b.exe' gets mapped, but then the thread terminates and I get errors varying from 'side-by-side configuration is incorrect' to process crashes.

Is that a problem that is possible to tackle using fs minifilters at all ?
Either way, I would really like your pointers.

Thanks a lot,
Danny

Comments

  • Is there a reason why you are not "just" changing the name in the file
    object and passing the request down?
  • Hey Rod,

    I tried just changing the name in the file object (without setting STATUS_REPARSE) and it doesn't seem to work (Should it though ?).
    What I get now is a mix of STATUS_OBJECT_NAME_NOT_FOUND and failures.

    Still couldn't figure out my next step - would really appreciate your helping hand !
Sign In or Register to comment.

Howdy, Stranger!

It looks like you're new here. If you want to get involved, click one of these buttons!