Identify file operations with missing files

Hi all,

I am trying to identify file read operations with missing files in a particular folder. For that I am using IRP_MJ_CREATE and I am performing the following logic in the FLT_PREOP_CALLBACK:

I call the functions FltGetFileNameInformation(), FltParseFileNameInformation() and verify if the path of the object belongs to my desired folder, if so I call FltCreateFile().

Now, I assume three possible statuses for the FltCreateFile() method: SUCCESS, everything is fine; STATUS_OBJECT_NAME_NOT_FOUND, the file does not exist in the file system so I print a message informing that the file is missing; and finally, any other error, I simply print a message informing that an error occurred.

My question is: is this the correct approach?

The reason why I ask this is because I am having some problems.

For instance, if I create a folder “New folder” inside my watched directory, I get several events for the objects “New folder\desktop.ini”, “folder.jpg” and “folder.gif” that when opened return STATUS_OBJECT_NAME_NOT_FOUND, so I flag them as missing files. In order to solve this when I verify the path of the object, I simply verify if the final component corresponds to “desktop.ini”, “folder.jpg” and “folder.gif”, and if so I ignore it.

Another problem I have is when opening a file that exists, I get an event for an object with the name “test.txt:Zone.Identifier”; again, to solve this I am ignoring files with the string “:Zone.Identifier” in the final component.

When I also create a file in the folder (by copy/pasting or right click > new > file) I also get some events that later, when opening the file, get STATUS_OBJECT_NAME_NOT_FOUND…

Is this the correct way to do this, or is there a better approach?

Thanks for any input.

I am not sure I understand what you are trying to accomplish here.
What does “identify file read operations with missing files in a particular
folder” mean ?
If the files are present in the folder then the Create request will succeed
otherwise it will return an error. Simply check the Post-Create
Data->IoStatus.Status value and see if the operation failed and with what
code.
Calling FltGetFileNameInformation in Pre Create, this will simply try to
open the file and query the name, among many other things, but just to cut
it short for your scenario.

Also you need to describe better what you want to do. It is very vague and
abstract.

Cheers,
Gabriel
www.kasardia.com

On Tue, Jan 30, 2018 at 12:20 PM, xxxxx@isep.ipp.pt
wrote:

> Hi all,
>
> I am trying to identify file read operations with missing files in a
> particular folder. For that I am using IRP_MJ_CREATE and I am performing
> the following logic in the FLT_PREOP_CALLBACK:
>
> I call the functions FltGetFileNameInformation(),
> FltParseFileNameInformation() and verify if the path of the object belongs
> to my desired folder, if so I call FltCreateFile().
>
> Now, I assume three possible statuses for the FltCreateFile() method:
> SUCCESS, everything is fine; STATUS_OBJECT_NAME_NOT_FOUND, the file does
> not exist in the file system so I print a message informing that the file
> is missing; and finally, any other error, I simply print a message
> informing that an error occurred.
>
> My question is: is this the correct approach?
>
> The reason why I ask this is because I am having some problems.
>
> For instance, if I create a folder “New folder” inside my watched
> directory, I get several events for the objects “New folder\desktop.ini”,
> “folder.jpg” and “folder.gif” that when opened return
> STATUS_OBJECT_NAME_NOT_FOUND, so I flag them as missing files. In order to
> solve this when I verify the path of the object, I simply verify if the
> final component corresponds to “desktop.ini”, “folder.jpg” and
> “folder.gif”, and if so I ignore it.
>
> Another problem I have is when opening a file that exists, I get an event
> for an object with the name “test.txt:Zone.Identifier”; again, to solve
> this I am ignoring files with the string “:Zone.Identifier” in the final
> component.
>
> When I also create a file in the folder (by copy/pasting or right click >
> new > file) I also get some events that later, when opening the file get
> STATUS_OBJECT_NAME_NOT_FOUND…
>
> Is this the correct way to do this, or is there a better approach?
>
> Thanks for any input.
>

Sorry for the vague description of the problem, in my head it seemed very clear.

Essentially I have a user application that will try to read a list of files inside a particular folder; those files might or might not exist (this is what I meant by performing a read of a missing file).

I was trying to create a minifilter driver that would receive the “file request”, verify if the file is on disk, and if it isn’t, download it.

In order to do that I was filtering IRP_MJ_CREATE requests, and in the Pre-Create I was doing the following:

  1. FltGetFileNameInformation();
  2. FltParseFileNameInformation();
  3. Verify if file belongs to a particular folder;
  4. If so, do FltCreateFile();
  5. Now, if FltCreateFile returns “success” everything is OK; if it returns “status object name not found” I log a message indicating the file is missing and try to download it; if any other error, I simply log the error message.

My question is if this is the correct approach for what I want. The reason why I ask this is because I have some problems with false positives.

The logical steps seem OK. The technical requirements not so good.
First of all there are no such things as false positives in such a case. An application is free to call CreateFile with any name it chooses to.
The fact that you have some “expectations” for what the names should be in your “watched” folder is your problem.
Also the “:Zone.Identifier” is in fact an alternate data stream and all files could have one or more of those if the file-system supports it. So you should not make a lot of assumptions about those either.

So what I am reading is that you want your user-mode process to “wait” in the CreateFile call until the file becomes available and then let go of the create when that file becomes available.
If so, then yes your approach seems OK in terms of logical steps, but there are again several things you need to check and decide upon.
You will see indeed a lot of creates being thrown at you. You need to decide on your implementation and for which DesiredAccess you will bring the file to disk.

I believe a more interesting approach would be to create all the files that should be in that folder and mark them as offline, using the FILE_ATTRIBUTE_OFFLINE.
Now, instead of doing all the work in PreCreate you switch to PostCreate and if the file that is being accessed is one you are monitoring and has the OFFLINE attribute set, then you know you need to bring it. So you download it and then let the post-create request finish.

Cheers,
Gabriel
www.kasardia.com
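As an added example (not code from this thread, from the poster's driver, or from Kasardia), here is a user-mode C model of the checks discussed in both posts above: splitting the final path component so an alternate data stream such as “test.txt:Zone.Identifier” is recognised as a stream of an existing file rather than a missing file, testing whether a name falls under the watched folder, and the post-create decision for the placeholder scheme in the reply (files pre-created with FILE_ATTRIBUTE_OFFLINE are fetched when a create on them succeeds; STATUS_OBJECT_NAME_NOT_FOUND on a non-placeholder name, such as the shell probing for desktop.ini, is merely logged). It assumes the driver would obtain the NT path from FltGetFileNameInformation and the attributes from a query on the opened file; the NTSTATUS and attribute constants are the standard Windows values, redefined so the code compiles with any C compiler, and the sample events are constructed, not captured.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Standard Windows values, redefined so this builds without the WDK. */
typedef unsigned long NTSTATUS_T;
#define STATUS_SUCCESS               0x00000000UL
#define STATUS_OBJECT_NAME_NOT_FOUND 0xC0000034UL
#define FILE_ATTRIBUTE_OFFLINE       0x00001000UL

typedef enum { ACT_IGNORE, ACT_HYDRATE, ACT_LOG_MISSING, ACT_LOG_ERROR } action_t;

/* Split the final path component into file name and stream name.
 * "...\test.txt:Zone.Identifier" -> fname "test.txt", stream "Zone.Identifier"
 * "...\test.txt::$DATA"          -> fname "test.txt", stream "" (default stream)
 * Returns 1 when the name addresses a named (alternate) data stream. */
int split_final_component(const char *path, char *fname, size_t flen,
                          char *stream, size_t slen)
{
    const char *last = strrchr(path, '\\');
    const char *comp = last ? last + 1 : path;
    const char *colon = strchr(comp, ':');
    size_t n = colon ? (size_t)(colon - comp) : strlen(comp);
    if (n >= flen) n = flen - 1;
    memcpy(fname, comp, n);
    fname[n] = '\0';
    stream[0] = '\0';
    if (!colon) return 0;
    const char *s = colon + 1;                /* stream name, maybe followed by ":$TYPE" */
    const char *type = strchr(s, ':');
    size_t m = type ? (size_t)(type - s) : strlen(s);
    if (m >= slen) m = slen - 1;
    memcpy(stream, s, m);
    stream[m] = '\0';
    return stream[0] != '\0';
}

/* Case-insensitive test that path lies inside folder (folder given without a
 * trailing backslash); the folder itself does not count as "inside". */
int under_watched_folder(const char *path, const char *folder)
{
    size_t n = strlen(folder);
    for (size_t i = 0; i < n; i++)
        if (tolower((unsigned char)path[i]) != tolower((unsigned char)folder[i]))
            return 0;
    return path[n] == '\\';
}

/* Post-create decision for the placeholder model: every file that should exist
 * in the watched folder is created ahead of time with FILE_ATTRIBUTE_OFFLINE,
 * so a successful create on an offline file means "download before completing".
 * A name that is not a placeholder simply fails with NAME_NOT_FOUND. */
action_t post_create_action(const char *path, const char *folder,
                            NTSTATUS_T status, unsigned long attributes)
{
    if (!under_watched_folder(path, folder))
        return ACT_IGNORE;
    if (status == STATUS_SUCCESS)
        return (attributes & FILE_ATTRIBUTE_OFFLINE) ? ACT_HYDRATE : ACT_IGNORE;
    if (status == STATUS_OBJECT_NAME_NOT_FOUND)
        return ACT_LOG_MISSING;               /* e.g. shell probing for desktop.ini */
    return ACT_LOG_ERROR;
}

int main(void)
{
    /* Constructed sample of post-create events (not captured from a real system). */
    static const char *folder = "\\Device\\HarddiskVolume1\\Watched";
    struct { const char *path; NTSTATUS_T status; unsigned long attrs; } ev[] = {
        { "\\Device\\HarddiskVolume1\\Watched\\data.bin",                 STATUS_SUCCESS,               FILE_ATTRIBUTE_OFFLINE },
        { "\\Device\\HarddiskVolume1\\Watched\\test.txt:Zone.Identifier", STATUS_SUCCESS,               0 },
        { "\\Device\\HarddiskVolume1\\Watched\\New folder\\desktop.ini",  STATUS_OBJECT_NAME_NOT_FOUND, 0 },
        { "\\Device\\HarddiskVolume1\\Other\\x.txt",                      STATUS_OBJECT_NAME_NOT_FOUND, 0 },
    };
    static const char *names[] = { "ignore", "hydrate", "log-missing", "log-error" };
    for (size_t i = 0; i < sizeof ev / sizeof ev[0]; i++) {
        char fname[260], stream[260];
        int ads = split_final_component(ev[i].path, fname, sizeof fname, stream, sizeof stream);
        action_t a = post_create_action(ev[i].path, folder, ev[i].status, ev[i].attrs);
        printf("%-12s %s%s%s\n", names[a], fname, ads ? " stream=" : "", ads ? stream : "");
    }
    return 0;
}
```

The stream split is what removes the “:Zone.Identifier” special case from the original design: the decision never keys on a hard-coded stream name, and the placeholder attribute, not a second FltCreateFile probe from pre-create, tells the filter whether a file still has to be brought to disk.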