How can I block the File execution Using legacy file system filter driver

Nikhil_V_S Member - All Emails Posts: 58

I am able to block the application using a minifilter by blocking the IRP_MJ_ACQUIRE_FOR_SECTION_SYNCHRONIZATION callback.
Is it possible to block the same in a legacy file system filter driver?

Comments

  • Peter_Viscarola_(OSR) Administrator Posts: 7,845

    Don’t you want to post this to the NTFSD category?

    Peter

    Peter Viscarola
    OSR
    @OSRDrivers

  • Fernando_Roberto Member - All Emails Posts: 196

    What about using PsSetCreateProcessNotifyRoutineEx routine?

    Regards,

    Fernando Roberto da Silva
    DriverEntry Kernel Development
    http://www.driverentry.com.br


  • anton_bassov Member Posts: 5,159

    What about using PsSetCreateProcessNotifyRoutineEx routine?

    This is just a notification routine, so it does not offer an option of telling the system whether it should proceed with the process creation. Certainly, you can try to terminate the process in question at some later stage once you have been informed about it, but this option is, probably, not really the optimal one. However, if you prevent the creation of the target executable section, a caller of ZwCreateProcess() is going to be unable to provide a valid handle to an executable section, which happens to be a crucial parameter to the process creation (a newly-created process has to inherit the address space of some existing process if it is NULL). As a result, you will prevent a process that is based on the target executable image from being created, and do it at the earliest possible stage.

    However, the amount of work required for writing a FS filter is simply incomparable to the one that the solution based upon PsSetCreateProcessNotifyRoutineEx() involves. Many years ago (back in pre-Vista days) I used to block process creation by means of hooking the ZwCreateSection() system call, but these days such a solution would be considered worse than a sub-par one. Therefore, the OP should at least take your suggestion into consideration if he wants to make his project work within a visible timeframe.

    Anton Bassov

  • Martin_Dráb Member - All Emails Posts: 81

    PsSetCreateProcessNotifyRoutineEx actually enables you to block process creation (unlike its non-Ex variant).
    https://docs.microsoft.com/en-us/windows-hardware/drivers/ddi/content/ntddk/ns-ntddk-_ps_create_notify_info

    You can also take advantage of FsRtlRegisterFileSystemFilterCallbacks and register the PreAcquireForSectionSynchronization callback.
    https://docs.microsoft.com/en-us/windows-hardware/drivers/ddi/content/ntifs/nf-ntifs-fsrtlregisterfilesystemfiltercallbacks
    The parameters of the callback quite closely reflect the minifilter world.

    Martin Dráb

  • anton_bassov Member Posts: 5,159

    PsSetCreateProcessNotifyRoutineEx actually enables you to block process creation (unlike its non-Ex variant).

    Probably I just got the OP wrong, but the way I understood him, he wants to implement process-blocking functionality on some ancient system. Otherwise, his original question does not really make any sense - he already knows that it can be done by a minifilter, but still he asks how it can be done by a legacy one. Assuming that he is speaking about some pre-Vista system, this functionality is unavailable (in fact, as is the Ex variant in the first place - I just overlooked the "...Ex" part).

    Anton Bassov

  • Nikhil_V_S Member - All Emails Posts: 58

    Thank you all.

    Actually, I need to block the application on Windows 7 and later OS.
    I am using a legacy file system driver for my project. Is it possible with a legacy driver?

  • anton_bassov Member Posts: 5,159

    Actually, I need to block the application on Windows 7 and later OS.
    I am using a legacy file system driver for my project. Is it possible with a legacy driver?

    Assuming that your target platform supports PsSetCreateProcessNotifyRoutineEx(), who holds you back from using it in your existing legacy FS filter driver? It seems to be the easiest way to go, don't you think?

    Anton Bassov
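The approach the thread converges on, as an added example that is not code from any poster: register PsSetCreateProcessNotifyRoutineEx from the existing legacy driver and fail the creation by setting CreationStatus when the image file name is on a deny-list. The deny-list entries, the `ShouldBlockImage`/`ShouldBlockImagePath` helpers and the host-side type shim are constructed for illustration; only the WDK calls and the /INTEGRITYCHECK requirement are real.

```c
// Added example, not from the thread: block an image at process-creation time with
// PsSetCreateProcessNotifyRoutineEx. The shim only lets the matcher build on a host without the WDK.
#ifdef _KERNEL_MODE
#include <ntddk.h>
#else
#include <stddef.h>
typedef wchar_t WCHAR; typedef int BOOLEAN; typedef unsigned short USHORT;
typedef struct { USHORT Length, MaximumLength; WCHAR *Buffer; } UNICODE_STRING;
#endif
// Constructed deny-list: matched case-insensitively against the final path component.
static const WCHAR *const BlockedImages[] = { L"blocked.exe", L"blocked_tool.exe" };

// TRUE if the file name at the end of ImageFileName (a full NT path) is on the deny-list.
BOOLEAN ShouldBlockImage(const UNICODE_STRING *ImageFileName)
{
    size_t n = ImageFileName->Length / sizeof(WCHAR), i, b, j;
    const WCHAR *p = ImageFileName->Buffer, *name = p;
    for (i = 0; i < n; i++)
        if (p[i] == L'\\' || p[i] == L'/') name = p + i + 1;  // skip to last component
    for (b = 0; b < sizeof BlockedImages / sizeof BlockedImages[0]; b++) {
        const WCHAR *blk = BlockedImages[b];
        for (j = 0; name + j < p + n && blk[j] != 0; j++) {
            WCHAR c = name[j];
            if (c >= L'A' && c <= L'Z') c = (WCHAR)(c + 32);   // ASCII case fold only
            if (c != blk[j]) break;
        }
        if (name + j == p + n && blk[j] == 0) return 1;        // whole name matched
    }
    return 0;
}

// Wrapper for a NUL-terminated path; used for host-side checks of the matcher.
BOOLEAN ShouldBlockImagePath(const WCHAR *Path)
{
    UNICODE_STRING us; USHORT len = 0;
    while (Path[len] != 0) len++;
    us.Buffer = (WCHAR *)Path; us.Length = us.MaximumLength = (USHORT)(len * sizeof(WCHAR));
    return ShouldBlockImage(&us);
}
#ifdef _KERNEL_MODE
// Invoked for every process creation and exit; CreateInfo is NULL on exit.
VOID CreateProcessNotifyEx(PEPROCESS Process, HANDLE ProcessId, PPS_CREATE_NOTIFY_INFO CreateInfo)
{
    UNREFERENCED_PARAMETER(Process); UNREFERENCED_PARAMETER(ProcessId);
    if (CreateInfo != NULL && CreateInfo->ImageFileName != NULL && ShouldBlockImage(CreateInfo->ImageFileName))
        CreateInfo->CreationStatus = STATUS_ACCESS_DENIED;  // fails the create before the initial thread runs
}
// DriverEntry: PsSetCreateProcessNotifyRoutineEx(CreateProcessNotifyEx, FALSE); the image must be linked
// with /INTEGRITYCHECK or registration fails. Unload: PsSetCreateProcessNotifyRoutineEx(..., TRUE).
#endif
```

Matching on the trailing file name alone is deliberately simple; a production deny-list would key on the full normalized path or the image hash, since a renamed copy of the binary passes this check.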
