
Best way to detect file copies in minifilters?

henrik_meida Member Posts: 117
edited December 2021 in NTFSD

Hi everyone,

I have a minifilter, and I want to detect file copies in it. Meaning, whether or not the pre-create, pre-write, etc. callback that is invoked is for a copy operation or not?

What is the best way to achieve this? Maybe there are some type of flags in the arguments or in the FILE_OBJECT (I assume the copy will get a new FILE_OBJECT, right?) that is different from creating a brand new file? Or maybe the only way is to keep a list of recently read files and check to see if this new file that is being created is in it or not?

Any suggestion is appreciated!

Post edited by Peter_Viscarola_(OSR) on

Comments

  • Peter_Viscarola_(OSR) Administrator Posts: 8,846

    First, this belongs in NTFSD, not NTDEV. I’ll move it.

    You’re correct: There’s no perfect way to detect calls to one of the CopyFile APIs, because they are all implemented as open, read, and write. So, you need some sort of heuristic. Try flagging the same thread doing an open, a read, a create, and a write… all within some finite period of time. If you’re looking specifically for Explorer, you can also check for this process.

    This is a very, very, common request. But it’s also a flawed request: Let’s say Windows provided a special flag to warn us a given file is being copied with CopyFile. This would be easily bypassed by an app just not using the API and manually opening the file, reading it, and opening the target file and writing it.

    Peter

    Peter Viscarola
    OSR
    @OSRDrivers

  • HHosseinK Member Posts: 6

    Only a heuristic way can do this. See the IRP_NO_CACHE flag in Read/Write, and make sure all your Read/Write are volume-sector-size multiples in size.
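As an added illustration of the heuristic Peter describes (the same thread doing an open, a read, a create and a write within a finite period) combined with HHosseinK's hint (non-cached reads/writes in sector-size multiples as a stronger signal), here is a user-mode C model of the detection logic. This is not code from the thread, from OSR or from any minifilter; a real filter would call `copy_detector_feed()` from its pre-create/pre-read/pre-write callbacks with the current thread id and the I/O parameters. The event type, the 2-second window, the 512-byte sector size, the thread-table size and the sample event sequences are all assumptions constructed for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* One I/O event as a minifilter callback would see it (constructed model). */
typedef enum { EV_OPEN = 1, EV_READ = 2, EV_CREATE = 4, EV_WRITE = 8 } EventKind;
#define ALL_COPY_STEPS (EV_OPEN | EV_READ | EV_CREATE | EV_WRITE)

typedef struct {
    uint32_t  thread_id;
    EventKind kind;
    uint64_t  time_ms;    /* constructed monotonic timestamp */
    bool      noncached;  /* read/write carried the non-cached flag */
    uint32_t  length;     /* transfer length in bytes; 0 for open/create */
} IoEvent;

#define MAX_THREADS 32
#define WINDOW_MS   2000   /* assumed value for the "finite period of time" */
#define SECTOR_SIZE 512    /* assumed volume sector size */

typedef struct {
    bool     in_use;
    uint32_t thread_id;
    unsigned seen;          /* bitmask of EventKind seen inside the window */
    uint64_t window_start;
    unsigned io_total;      /* reads + writes inside the window */
    unsigned io_raw;        /* of those, non-cached and sector-size multiples */
} ThreadState;

typedef struct { ThreadState t[MAX_THREADS]; } CopyDetector;

/* Find the per-thread state, allocating a free slot on first sight. */
static ThreadState *slot_for(CopyDetector *d, uint32_t tid) {
    ThreadState *free_slot = NULL;
    for (int i = 0; i < MAX_THREADS; i++) {
        if (d->t[i].in_use && d->t[i].thread_id == tid) return &d->t[i];
        if (!d->t[i].in_use && !free_slot) free_slot = &d->t[i];
    }
    if (!free_slot) return NULL;            /* table full: drop the event */
    memset(free_slot, 0, sizeof *free_slot);
    free_slot->in_use = true;
    free_slot->thread_id = tid;
    return free_slot;
}

/* Returns 0 for nothing to report, 1 for a suspected copy (all four steps on one
 * thread inside the window) and 2 when, in addition, every read/write in the
 * window was non-cached and a sector-size multiple (the stronger signal). */
int copy_detector_feed(CopyDetector *d, const IoEvent *ev) {
    ThreadState *s = slot_for(d, ev->thread_id);
    if (!s) return 0;
    if (s->seen == 0 || ev->time_ms - s->window_start > WINDOW_MS) {
        /* window expired (or nothing pending): start a fresh one at this event */
        s->seen = 0; s->io_total = 0; s->io_raw = 0;
        s->window_start = ev->time_ms;
    }
    s->seen |= ev->kind;
    if (ev->kind == EV_READ || ev->kind == EV_WRITE) {
        s->io_total++;
        if (ev->noncached && ev->length % SECTOR_SIZE == 0) s->io_raw++;
    }
    if ((s->seen & ALL_COPY_STEPS) != ALL_COPY_STEPS) return 0;
    int verdict = (s->io_total > 0 && s->io_raw == s->io_total) ? 2 : 1;
    s->seen = 0;   /* report once, then start over for this thread */
    return verdict;
}

/* Feed a constructed event sequence and return the strongest verdict seen. */
int run_events(const IoEvent *evs, size_t n) {
    CopyDetector d;
    memset(&d, 0, sizeof d);
    int best = 0;
    for (size_t i = 0; i < n; i++) {
        int v = copy_detector_feed(&d, &evs[i]);
        if (v > best) best = v;
    }
    return best;
}

/* Constructed scenarios: thread, kind, time_ms, noncached, length. */
const IoEvent copy_like[] = {      /* all four steps, raw sector I/O, within 30 ms */
    {100, EV_OPEN, 0, false, 0}, {100, EV_READ, 10, true, 4096},
    {100, EV_CREATE, 20, false, 0}, {100, EV_WRITE, 30, true, 4096},
};
const IoEvent cached_copy[] = {    /* same steps, but cached, odd-sized I/O */
    {101, EV_OPEN, 0, false, 0}, {101, EV_READ, 10, false, 100},
    {101, EV_CREATE, 20, false, 0}, {101, EV_WRITE, 30, false, 100},
};
const IoEvent slow_editor[] = {    /* same steps spread over 9 s: window expires */
    {102, EV_OPEN, 0, false, 0}, {102, EV_READ, 10, false, 100},
    {102, EV_CREATE, 5000, false, 0}, {102, EV_WRITE, 9000, false, 100},
};
const IoEvent split_threads[] = {  /* steps split across two threads: no match */
    {103, EV_OPEN, 0, false, 0}, {103, EV_READ, 10, true, 4096},
    {104, EV_CREATE, 20, false, 0}, {104, EV_WRITE, 30, true, 4096},
};

int main(void) {
    printf("copy-like: %d\n", run_events(copy_like, 4));
    printf("cached copy: %d\n", run_events(cached_copy, 4));
    printf("slow editor: %d\n", run_events(slow_editor, 4));
    printf("split threads: %d\n", run_events(split_threads, 4));
    return 0;
}
```

The model deliberately keys on the thread rather than the FILE_OBJECT, because the source and destination get separate file objects and only the thread ties them together. The `slow_editor` and `split_threads` cases show the two ways the heuristic stays quiet, and as Peter notes an application that drives the four steps itself on two threads, or paces them, will evade it; the window length and the sector-size check are tuning knobs, not a guarantee.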
