Windows System Software -- Consulting, Training, Development -- Unique Expertise, Guaranteed Results

Home NTFSD

Before Posting...

Please check out the Community Guidelines in the Announcements and Administration Category.

More Info on Driver Writing and Debugging


The free OSR Learning Library has more than 50 articles on a wide variety of topics about writing and debugging device drivers and Minifilters. From introductory level to advanced. All the articles have been recently reviewed and updated, and are written using the clear and definitive style you've come to expect from OSR over the years.


Check out The OSR Learning Library at: https://www.osr.com/osr-learning-library/


Detecting Folder(Directory) deletion in minifilter

SiemensSiemens Member Posts: 5

Hi everybody,
I want to detect Folder(Directory) is deletion/Renaming on Windows.
How can i detect ??
Thank you.

Comments

  • Scott_Noone_(OSR)Scott_Noone_(OSR) Administrator Posts: 3,482

    How much research have you done? Do you know how to detect a file delete or rename?

    -scott
    OSR

  • SiemensSiemens Member Posts: 5
    edited April 2021

    Yes. This is detect file deletion, and it's Ok.

    **
    FLT_PREOP_CALLBACK_STATUS badgirlFilterAntiDelete(_Inout
    PFLT_CALLBACK_DATA Data, In PCFLT_RELATED_OBJECTS FltObjects, Flt_CompletionContext_Outptr PVOID* CompletionContext) {
    UNREFERENCED_PARAMETER(CompletionContext);
    PAGED_CODE();
    FLT_PREOP_CALLBACK_STATUS ret = FLT_PREOP_SUCCESS_NO_CALLBACK;
    // Ignore directories
    BOOLEAN IsDir;
    NTSTATUS status = FltIsDirectory(FltObjects->FileObject, FltObjects->Instance, &IsDir);
    if (NT_SUCCESS(status)) {
    if (IsDir) {
    return ret;
    }
    }

    if (Data->Iopb->MajorFunction == IRP_MJ_CREATE) {
        if (!FlagOn(Data->Iopb->Parameters.Create.Options, FILE_DELETE_ON_CLOSE)) {
            return ret;
        }
    }
    
    // Process requests with FileDispositionInformation, FileDispositionInformationEx  or file renames
    if (Data->Iopb->MajorFunction == IRP_MJ_SET_INFORMATION) {
        switch (Data->Iopb->Parameters.SetFileInformation.FileInformationClass) {
        case FileRenameInformation:
        case FileRenameInformationEx:
        case FileDispositionInformation:
        case FileDispositionInformationEx:
        case FileRenameInformationBypassAccessCheck:
        case FileRenameInformationExBypassAccessCheck:
            break;
    
        default:
            return ret;
        }
    }
    
    PFLT_FILE_NAME_INFORMATION FileNameInfo = NULL;
    if (FltObjects->FileObject) {
        status = FltGetFileNameInformation(Data, FLT_FILE_NAME_NORMALIZED | FLT_FILE_NAME_QUERY_DEFAULT, &FileNameInfo);
        if (NT_SUCCESS(status)) {
            FltParseFileNameInformation(FileNameInfo);
    
            Data->IoStatus.Status = STATUS_ACCESS_DENIED;
            Data->IoStatus.Information = 0;
    
            ret = FLT_PREOP_COMPLETE;
    
            DbgPrint("[DENIED] %wZ\n", FileNameInfo->Name);
        }
        else {
            DbgPrint("[ERROR] Failed to get file name information!\n");
        }
    }
    else {
        DbgPrint("[ERROR] FltObjects->FileObject is NULL!\n");
    }
    
    return ret;
    

    }**_

  • SiemensSiemens Member Posts: 5

    Yes. This is detect file deletion and its Ok.

    FLT_PREOP_CALLBACK_STATUS badgirlFilterAntiDelete(Inout PFLT_CALLBACK_DATA Data, In PCFLT_RELATED_OBJECTS FltObjects, Flt_CompletionContext_Outptr PVOID* CompletionContext) {
    UNREFERENCED_PARAMETER(CompletionContext);

    PAGED_CODE();
    
    FLT_PREOP_CALLBACK_STATUS ret = FLT_PREOP_SUCCESS_NO_CALLBACK;
    
    // Ignore directories
    BOOLEAN IsDir;
    NTSTATUS status = FltIsDirectory(FltObjects->FileObject, FltObjects->Instance, &IsDir);
    if (NT_SUCCESS(status)) {
        if (IsDir) {
            return ret;
        }
    }
    
    // https://docs.microsoft.com/en-us/windows-hardware/drivers/kernel/irp-mj-create
    // When the system tries to open a handle to a file object,
    // detect requests that have DELETE_ON_CLOSE in DesiredAccess
    if (Data->Iopb->MajorFunction == IRP_MJ_CREATE) {
        if (!FlagOn(Data->Iopb->Parameters.Create.Options, FILE_DELETE_ON_CLOSE)) {
            return ret;
        }
    }
    
    // Process requests with FileDispositionInformation, FileDispositionInformationEx  or file renames
    if (Data->Iopb->MajorFunction == IRP_MJ_SET_INFORMATION) {
        switch (Data->Iopb->Parameters.SetFileInformation.FileInformationClass) {
        case FileRenameInformation:
        case FileRenameInformationEx:
        case FileDispositionInformation:
        case FileDispositionInformationEx:
        case FileRenameInformationBypassAccessCheck:
        case FileRenameInformationExBypassAccessCheck:
            break;
    
        default:
            return ret;
        }
    }
    
    PFLT_FILE_NAME_INFORMATION FileNameInfo = NULL;
    if (FltObjects->FileObject) {
        status = FltGetFileNameInformation(Data, FLT_FILE_NAME_NORMALIZED | FLT_FILE_NAME_QUERY_DEFAULT, &FileNameInfo);
        if (NT_SUCCESS(status)) {
            FltParseFileNameInformation(FileNameInfo);
    
            Data->IoStatus.Status = STATUS_ACCESS_DENIED;
            Data->IoStatus.Information = 0;
    
            ret = FLT_PREOP_COMPLETE;
    
            DbgPrint("[DENIED] %wZ\n", FileNameInfo->Name);
        }
        else {
            DbgPrint("[ERROR] Failed to get file name information!\n");
        }
    }
    else {
        DbgPrint("[ERROR] FltObjects->FileObject is NULL!\n");
    }
    
    return ret;
    

    }

  • Scott_Noone_(OSR)Scott_Noone_(OSR) Administrator Posts: 3,482
    1. This code checks to see if it's a directory and leaves if it is...Are you hitting that path?
    2. You can't delete non-empty directories so you'll see each file get deleted before the directory does

    -scott
    OSR

  • SiemensSiemens Member Posts: 5

    Yes. This is detect file deletion and it's Ok.
    **_
    FLT_PREOP_CALLBACK_STATUS badgirlFilterAntiDelete(Inout PFLT_CALLBACK_DATA Data, In PCFLT_RELATED_OBJECTS FltObjects, Flt_CompletionContext_Outptr PVOID* CompletionContext) {
    UNREFERENCED_PARAMETER(CompletionContext);

    PAGED_CODE();
    
    FLT_PREOP_CALLBACK_STATUS ret = FLT_PREOP_SUCCESS_NO_CALLBACK;
    
    // Ignore directories
    BOOLEAN IsDir;
    NTSTATUS status = FltIsDirectory(FltObjects->FileObject, FltObjects->Instance, &IsDir);
    if (NT_SUCCESS(status)) {
        if (IsDir) {
            return ret;
        }
    }
    
    // https://docs.microsoft.com/en-us/windows-hardware/drivers/kernel/irp-mj-create
    // When the system tries to open a handle to a file object,
    // detect requests that have DELETE_ON_CLOSE in DesiredAccess
    if (Data->Iopb->MajorFunction == IRP_MJ_CREATE) {
        if (!FlagOn(Data->Iopb->Parameters.Create.Options, FILE_DELETE_ON_CLOSE)) {
            return ret;
        }
    }
    
    // Process requests with FileDispositionInformation, FileDispositionInformationEx  or file renames
    if (Data->Iopb->MajorFunction == IRP_MJ_SET_INFORMATION) {
        switch (Data->Iopb->Parameters.SetFileInformation.FileInformationClass) {
        case FileRenameInformation:
        case FileRenameInformationEx:
        case FileDispositionInformation:
        case FileDispositionInformationEx:
        case FileRenameInformationBypassAccessCheck:
        case FileRenameInformationExBypassAccessCheck:
            break;
    
        default:
            return ret;
        }
    }
    
    PFLT_FILE_NAME_INFORMATION FileNameInfo = NULL;
    if (FltObjects->FileObject) {
        status = FltGetFileNameInformation(Data, FLT_FILE_NAME_NORMALIZED | FLT_FILE_NAME_QUERY_DEFAULT, &FileNameInfo);
        if (NT_SUCCESS(status)) {
            FltParseFileNameInformation(FileNameInfo);
    
            Data->IoStatus.Status = STATUS_ACCESS_DENIED;
            Data->IoStatus.Information = 0;
    
            ret = FLT_PREOP_COMPLETE;
    
            DbgPrint("[DENIED] %wZ\n", FileNameInfo->Name);
        }
        else {
            DbgPrint("[ERROR] Failed to get file name information!\n");
        }
    }
    else {
        DbgPrint("[ERROR] FltObjects->FileObject is NULL!\n");
    }
    
    return ret;
    

    }_**

  • Scott_Noone_(OSR)Scott_Noone_(OSR) Administrator Posts: 3,482

    The code starts with this:

    // Ignore directories
    BOOLEAN IsDir;
    NTSTATUS status = FltIsDirectory(FltObjects->FileObject, FltObjects->Instance, &IsDir);
    if (NT_SUCCESS(status)) {
        if (IsDir) {
            return ret;
        }
    }
    

    Are you hitting that code path?

    -scott
    OSR

Sign In or Register to comment.

Howdy, Stranger!

It looks like you're new here. Sign in or register to get started.

Upcoming OSR Seminars
OSR has suspended in-person seminars due to the Covid-19 outbreak. But, don't miss your training! Attend via the internet instead!
Writing WDF Drivers 12 September 2022 Live, Online
Internals & Software Drivers 23 October 2022 Live, Online
Kernel Debugging 14 November 2022 Live, Online
Developing Minifilters 5 December 2022 Live, Online