Windows System Software -- Consulting, Training, Development -- Unique Expertise, Guaranteed Results


How can I block the File execution Using legacy file system filter driver

Nikhil_V_S Member - All Emails Posts: 55

I am able to block the application using a minifilter by blocking the IRP_MJ_ACQUIRE_FOR_SECTION_SYNCHRONIZATION callback.
Is it possible to block the same in a legacy file system filter driver?

Comments

  • Peter_Viscarola_(OSR) Administrator Posts: 7,251

    Don’t you want to post this to the NTFSD category?

    Peter

    Peter Viscarola
    OSR
    @OSRDrivers

  • Fernando_Roberto Member - All Emails Posts: 190

    What about using PsSetCreateProcessNotifyRoutineEx routine?

    Regards,

    Fernando Roberto da Silva
    DriverEntry Kernel Development
    http://www.driverentry.com.br

  • anton_bassov Member Posts: 5,003

    What about using PsSetCreateProcessNotifyRoutineEx routine?

    This is just a notification routine, so it does not offer an option of telling the system whether it should proceed with the process creation. Certainly, you can try to terminate the process in question at some later stage once you have been informed about it, but this option is probably not really the optimal one. However, if you prevent the creation of the target executable section, a caller of ZwCreateProcess() is going to be unable to provide a valid handle to the executable section, which happens to be a crucial parameter to the process creation (a newly created process has to inherit the address space of some existing process if it is NULL). As a result, you will prevent a process that is based on the target executable image from being created, and do it at the earliest possible stage.

    However, the amount of work required for writing an FS filter is simply incomparable to the one that the solution based upon PsSetCreateProcessNotifyRoutineEx() involves. Many years ago (back in pre-Vista days) I used to block process creation by means of hooking the ZwCreateSection() system call, but these days such a solution would be considered worse than a sub-par one. Therefore, the OP should at least take your suggestion into consideration if he wants to make his project work within a visible timeframe.

    Anton Bassov

  • Martin_Dráb Member - All Emails Posts: 46

    PsSetCreateProcessNotifyRoutineEx actually enables you to block process creation (unlike its non-Ex variant).
    https://docs.microsoft.com/en-us/windows-hardware/drivers/ddi/content/ntddk/ns-ntddk-_ps_create_notify_info

    You can also take advantage of FsRtlRegisterFileSystemFilterCallbacks and register the PreAcquireForSectionSynchronization callback.
    https://docs.microsoft.com/en-us/windows-hardware/drivers/ddi/content/ntifs/nf-ntifs-fsrtlregisterfilesystemfiltercallbacks
    The parameters of the callback quite closely reflect the minifilter world.

    Martin Dráb

  • anton_bassov Member Posts: 5,003

    PsSetCreateProcessNotifyRoutineEx actually enables you to block process creation (unlike its non-Ex variant).

    Probably I just got the OP wrong, but the way I understood him, he wants to implement process-blocking functionality on some ancient system. Otherwise, his original question does not really make any sense - he already knows that it can be done by a minifilter, but still he asks how it can be done by a legacy one. Assuming that he is speaking about some pre-Vista system, this functionality is unavailable
    (in fact, as well as the Ex variant, in the first place - I just overlooked the "...Ex" part).

    Anton Bassov

  • Nikhil_V_S Member - All Emails Posts: 55

    Thank you all.

    Actually I need to block the application on Windows 7 and later OS.
    I am using a legacy file system driver for my project. Is it possible with a legacy driver?

  • anton_bassov Member Posts: 5,003

    Actually I need to block the application on Windows 7 and later OS.
    I am using a legacy file system driver for my project. Is it possible with a legacy driver?

    Assuming that your target platform supports PsSetCreateProcessNotifyRoutineEx(), who holds you back from using it in your existing legacy FS filter driver? It seems to be the easiest way to go, don't you think?

    Anton Bassov
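One way to implement what Martin's and Anton's replies describe (a legacy filter, like any other driver, registering a PsSetCreateProcessNotifyRoutineEx callback and failing CreationStatus to deny the create), as an added example that is not code from this thread or from any of its authors. ShouldBlockImage, WLen, the blocklist names and the _KERNEL_MODE split between a portable decision helper and the WDK-only registration are my own constructions; the kernel part assumes WDK headers and a Vista-or-later target such as the Windows 7 the OP mentions.

```c
#include <stddef.h>

/* Constructed blocklist of image file names (not full paths) to deny. */
static const wchar_t *const g_BlockedImages[] = { L"blocked.exe", L"denied_tool.exe" };

/* Minimal helpers so the logic compiles identically in user mode and in a driver. */
static size_t WLen(const wchar_t *s) { size_t n = 0; while (s[n] != 0) n++; return n; }
static wchar_t LowerAscii(wchar_t c) { return (c >= L'A' && c <= L'Z') ? (wchar_t)(c + 32) : c; }

/* Returns 1 if 'path' (len characters, not NUL-terminated, as in a UNICODE_STRING)
   ends with a blocked file name, case-insensitively, and that name is either the
   whole string or preceded by a path separator, so "notblocked.exe" does not match. */
int ShouldBlockImage(const wchar_t *path, size_t len)
{
    size_t i, k, n;
    if (path == NULL) return 0;
    for (i = 0; i < sizeof(g_BlockedImages) / sizeof(g_BlockedImages[0]); i++) {
        const wchar_t *name = g_BlockedImages[i];
        n = WLen(name);
        if (n > len) continue;
        for (k = 0; k < n && LowerAscii(path[len - n + k]) == LowerAscii(name[k]); k++) {}
        if (k != n) continue;
        if (len == n || path[len - n - 1] == L'\\' || path[len - n - 1] == L'/') return 1;
    }
    return 0;
}

#ifdef _KERNEL_MODE   /* defined by the MSVC /kernel switch; this part needs the WDK */
#include <ntddk.h>

/* PsSetCreateProcessNotifyRoutineEx callback. CreateInfo is non-NULL only for process
   creation; a failure code in CreationStatus makes the kernel abort the create. */
static VOID CreateProcessNotifyEx(PEPROCESS Process, HANDLE ProcessId, PPS_CREATE_NOTIFY_INFO CreateInfo)
{
    UNREFERENCED_PARAMETER(Process);
    UNREFERENCED_PARAMETER(ProcessId);
    if (CreateInfo != NULL && CreateInfo->ImageFileName != NULL &&
        ShouldBlockImage(CreateInfo->ImageFileName->Buffer,
                         CreateInfo->ImageFileName->Length / sizeof(WCHAR))) {
        CreateInfo->CreationStatus = STATUS_ACCESS_DENIED;
    }
}

/* Call from DriverEntry (the driver must be linked with /INTEGRITYCHECK); pass TRUE
   as the second argument in the unload routine to remove the callback again. */
NTSTATUS RegisterProcessBlocker(void)
{
    return PsSetCreateProcessNotifyRoutineEx(CreateProcessNotifyEx, FALSE);
}
#endif
```

The decision helper is what a practitioner would also call from a PreAcquireForSectionSynchronization callback in the same legacy filter, since both paths see the NT device path of the image.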
