How can I identify write file operations in PreWrite callback?

Hi all.

I’m doing a concept test and I have developed a minifilter to control all the write operations on a specific file. For now the minifilter only writes the data received to another file to compare with the original one, only for test purposes. If it works I will do more things with the data received. A user program writes the file contents line by line, and the minifilter receives each line and writes these lines to another file. Easy, but I receive the same line more than once and I don’t know why. I write traces in the minifilter trying to understand what is happening, but I am not able to understand.

First of all I checked if the file to read from the user program is the file I need to monitor. If not, I return FLT_PREOP_SUCCESS_NO_CALLBACK and don’t do anything.
If the file is the one needed, then I first checked that Iopb->IrpFlags had the IRP_WRITE_OPERATION flag, but doing this, not only write operations were received in the minifilter.
In the second try, I changed the flag to check to IRP_NOCACHE. If this flag was not set I didn’t do anything, returning FLT_PREOP_SUCCESS_NO_CALLBACK. In this case, the minifilter didn’t receive any write operations. So I have changed it again and now I am checking if IRP_NOCACHE is not set. If it is set, I don’t do anything and return FLT_PREOP_SUCCESS_NO_CALLBACK. If it is not set, I write the data received to the file to compare later. Now the minifilter receives all the write operations, but some of these operations have the same data. It’s like one write operation is received two times. I have written traces with the flags received in all operations and I have this:

XFS-PreWrite: Flags: 0x60A00.
XFS-PreWrite: Writing 42.
XFS-PreWrite: Flags: 0x0.
XFS-PreWrite: Writing 82.
XFS-PreWrite: Flags: 0x60A00.
XFS-PreWrite: Writing 82.

The first line has 42 bytes and is correct.
The second has the flags as 0. What does it mean?
The third is the same line as the second, but it is received with 0x60A00 flags.

It makes no sense to me.

So, the question is: How can I identify the real write operations? Do I need to check something more? The minifilter documentation is difficult for me to understand. I haven’t enough experience in kernel development.

Regards.

I have found a solution and although it is not very elegant, it works. The only parameter I see that identifies the duplicated write lines is

Data->Iopb->Parameters.Write.ByteOffset

The two consecutive lines received in the PreWrite call have the same ByteOffset because they are the same WriteFile user application execution, so I save the offset of each PreWrite callback received and compare it with the previous callback received. If the offsets are equal, I don’t process this line and return FLT_PREOP_SUCCESS_NO_CALLBACK.

I suspect that there would be another way to identify the same writing operations, but I have been reading, researching and testing for several days and I am not able to find the differences.

Has anybody got any idea?
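
The duplicate-skipping approach from the follow-up post, as an added user-mode simulation (not code from the thread, and not kernel code): it replays the three traced PreWrite calls, shows that the 0x0 and 0x60A00 calls both pass an "IRP_NOCACHE not set" test, and shows that comparing ByteOffset alone also drops a genuine second write to the same offset. The struct, the function names and the ByteOffset values are assumptions made for the example; the flag constants are the wdm.h values.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* IrpFlags bit values from wdm.h. */
#define IRP_NOCACHE             0x00000001u
#define IRP_WRITE_OPERATION     0x00000200u
#define IRP_DEFER_IO_COMPLETION 0x00000800u

/* One PreWrite call. Flags and lengths in TRACE come from the post's
   traces; the ByteOffset values are constructed for this example. */
struct prewrite { uint32_t irp_flags; uint32_t length; int64_t offset; };

static const struct prewrite TRACE[] = {
    { 0x60A00, 42, 0 }, { 0x0, 82, 42 }, { 0x60A00, 82, 42 },
};
/* Constructed edge case: two distinct writes that both target offset 0. */
static const struct prewrite REWRITE[] = { { 0x60A00, 10, 0 }, { 0x60A00, 10, 0 } };

/* Bits left over after removing the constants named above. */
uint32_t unnamed_bits(uint32_t flags) {
    return flags & ~(IRP_NOCACHE | IRP_WRITE_OPERATION | IRP_DEFER_IO_COMPLETION);
}

/* The post's third check: process the call only when IRP_NOCACHE is clear. */
int passes_nocache_check(uint32_t flags) { return (flags & IRP_NOCACHE) == 0; }

/* The post's workaround: skip a call whose offset equals the previous
   call's offset. Returns calls kept; *bytes gets their total length. */
size_t keep_by_offset(const struct prewrite *ev, size_t n, uint64_t *bytes) {
    size_t kept = 0;
    int64_t prev = INT64_MIN;              /* no previous call yet */
    *bytes = 0;
    for (size_t i = 0; i < n; i++) {
        if (!passes_nocache_check(ev[i].irp_flags)) continue;
        int dup = (ev[i].offset == prev);
        prev = ev[i].offset;               /* remember every call's offset */
        if (dup) continue;                 /* same offset as last call: skipped */
        kept++;
        *bytes += ev[i].length;
    }
    return kept;
}

int main(void) {
    uint64_t b;
    printf("trace kept %zu, ", keep_by_offset(TRACE, 3, &b));
    printf("rewrite kept %zu\n", keep_by_offset(REWRITE, 2, &b));
    return 0;
}
```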