Windows System Software -- Consulting, Training, Development -- Unique Expertise, Guaranteed Results

Home NTFSD
Before Posting...
Please check out the Community Guidelines in the Announcements and Administration Category.

More Info on Driver Writing and Debugging


The free OSR Learning Library has more than 50 articles on a wide variety of topics about writing and debugging device drivers and Minifilters. From introductory level to advanced. All the articles have been recently reviewed and updated, and are written using the clear and definitive style you've come to expect from OSR over the years.


Check out The OSR Learning Library at: https://www.osr.com/osr-learning-library/


how to block the file creation in FILE_DEVICE_NETWORK_FILE_SYSTEM

Nikhil_V_SNikhil_V_S Member - All Emails Posts: 58

I have created an File system mini filter to block the file creation in network file system.
but while creating a file in network file system causes BSOD.

following block code in MiniPrecreate is used for blocking the file operation

           status =FltGetDiskDeviceObject(FltObjects->Volume,&Pdo);
           if(Pdo->DeviceType != FILE_DEVICE_NETWORK_FILE_SYSTEM)
            {
            Data->IoStatus.Status=STATUS_ACCESS_DENIED;
            Data->IoStatus.Information=0;
            FltReleaseFileNameInformation(FileNameInfos);
            return FLT_PREOP_COMPLETE;

            }

how can block the network file system file operatons

Comments

  • Fernando_RobertoFernando_Roberto Member - All Emails Posts: 196

    Shouldn't you check the status variable before using Pdo?
    As far as I can recall, a network file system doesn't have a disk.
    The bug check code would also be helpful.


    Fernando Roberto da Silva
    DriverEntry Kernel Development
    http://www.driverentry.com.br

  • Peter_ScottPeter_Scott Member - All Emails Posts: 749
    via Email
    In addition to the below comments:

    - Set an InstanceSetup callback for mounted volumes.
    - In this callback if the file system type is one you are interested in then allocate a volume context and set it accordingly.
    - In your precreate callback, if you successfully retrieve a volume context then you know it's one you are interested in so fail the request.

    I am guessing you don't want to fail ALL requests to the network, just creates? So check for the appropriate values in the create parameters, etc.

    Pete

    Kernel Drivers
    Windows File System and Device Driver Consulting
    www.KernelDrivers.com
    866.263.9295

    Kernel Drivers
    Windows File System and Device Driver Consulting
    www.KernelDrivers.com
    866.263.9295

  • Gabriel_BerceaGabriel_Bercea Member - All Emails Posts: 482

    You need to check if Pdo variable is not somehow NULL and if Status is NT_SUCCESS.
    Try better FltGetVolumeFromFileObject followed by FltGetVolumeProperties.
    From the _FLT_VOLUME_PROPERTIES structure you can deduce where you are.

    But the BEST way to achieve this is to simply register for an InstanceSetup callback and only attach to network file systems.
    InstanceSetup callback conveniently has a parameter "In FLT_FILESYSTEM_TYPE VolumeFilesystemType" and "In DEVICE_TYPE VolumeDeviceType" which you can use and decide if you want to attach or not.
    If you only attach to FILE_DEVICE_NETWORK_FILE_SYSTEM or FILE_DEVICE_NETWORK_REDIRECTOR VolumeDeviceTypes for example you have attached only to network file systems, therefor you know that in your Create callbacks you always have a create which goes to the network and then you just decide what to do with it.

    Cheers,
    Gabriel

  • Nikhil_V_SNikhil_V_S Member - All Emails Posts: 58

    Thank you all
    I registered InstanceSetup callback and added condition for attaching network volume only.

    NTSTATUS PfltInstanceSetupCallback(PCFLT_RELATED_OBJECTS FltObjects,FLT_INSTANCE_SETUP_FLAGS Flags, DEVICE_TYPE VolumeDeviceType, FLT_FILESYSTEM_TYPE VolumeFilesystemType)
    {
    NTSTATUS Status;
    if(VolumeDeviceType==FILE_DEVICE_NETWORK_FILE_SYSTEM)
    {
    Status=STATUS_SUCCESS ;
    }
    if(VolumeDeviceType==FILE_DEVICE_DISK_FILE_SYSTEM)
    {
    Status=STATUS_FLT_DO_NOT_ATTACH;
    }

    return Status;
    

    }

    thank you all :smile:

  • Nikhil_V_SNikhil_V_S Member - All Emails Posts: 58

    I have one more question
    I need to block file creation file deletion and file modification in network file system
    I can block the file creation and deletion using filtering IRP_MJ_SET_INFORMATION and IRP_MJ_CREATE but i need to block the file modification.
    I just tried with blocking all IRP_MJ_WRITE request but it also block the drive accessing.
    how to find the file modification IRP_MJ_WRITE request
    please help

  • rstruempfrstruempf Member Posts: 103

    Blocking Write should not do anything other than stop files from being written, which is what you want. If you are specifically concerned about files, check the file object to make sure it is a file, not a directory. If everything is being blocked, it is undoubtedly your IRP_MJ_CREATE blocking doing that. IRP_MJ_CREATE is difficult to filter, because lazy or generalized code opens with permissions they don't need.

    I would only check for specific actions such as create options FILE_DELETE_ON_CLOSE, or create disposition FILE_OVERWRITE or FILE_OVERWRITE_IF. Alternatively, you could change the desired access and create disposition to not include items you don't want, such as write access, and then let the create fail on them. I chose not to do that because as I said, filtering IRP_MJ_CREATE, when you don't really know what you have, is difficult.

    There are many ways to modify a file besides writing to it or truncating it on open. For example: IRP_MJ_ACQUIRE_FOR_SECTION_SYNCHRONIZATION with PageProtection of one of the PAGE_WRITE values, IRP_MJ_SET_INFORMATION setting File Disposition Info to delete, renaming, or changing the end of file, etc. (but not all IRP_MJ_SET_INFORMATION!).

Sign In or Register to comment.

Howdy, Stranger!

It looks like you're new here. If you want to get involved, click one of these buttons!

Upcoming OSR Seminars
OSR has suspended in-person seminars due to the Covid-19 outbreak. But, don't miss your training! Attend via the internet instead!
Kernel Debugging 30 Mar 2020 OSR Seminar Space
Developing Minifilters 15 Jun 2020 LIVE ONLINE
Writing WDF Drivers 22 June 2020 LIVE ONLINE
Internals & Software Drivers 28 Sept 2020 Dulles, VA