Need a simple example for filter driver

OSR_Community_User Member Posts: 110,217
Hello All,
Does anyone have an example of a filter driver that will block writes
or reads from being passed on to the file system? I really need an
example to go by. Any help would be appreciated!!!!

David Mack

Comments

  • OSR_Community_User Member Posts: 110,217
    You will get a Filemonitor application on the site systeminternals.com,
    which is a good example of a filter driver.
    -----Original Message-----
    From: David Mack <[email protected]>
    To: File Systems Developers <[email protected]>
    Date: Tuesday, April 11, 2000 10:25 PM
    Subject: [ntfsd] Need a simple example for filter driver


    >Hello All,
    >Does anyone have an example of a filter driver that will block writes
    >or reads from being passed on to the file system. I really need an
    >example to go by. Any help would be appreciated !!!!
    >
    >David Mack
  • OSR_Community_User Member Posts: 110,217
    I have looked at that filemon but it doesn't really show me how to cancel a
    write IRP.
    I am definitely doing it wrong cause I'm getting blue screens randomly from
    my driver.
    If anyone has an example of that, maybe that would help.

    What I am looking for is a snippet of code that will do the following.
    Say I want to block all files that have the .dat extension from going to
    hard disk.
    When the IRP comes down to write, I want to check the extension and cancel
    the IRP.

    Even if the example doesn't do this anything close would be of help.
    Once again, thanks for the replies


    -----Original Message-----
    From: [email protected]
    [mailto:[email protected]]On Behalf Of Amit Gorantiwar
    Sent: Wednesday, April 12, 2000 5:07 AM
    To: File Systems Developers
    Subject: [ntfsd] Re: Need a simple example for filter driver


    You will get a Filemonitor application on the site systeminternals.com,
    which is a good example of a filter driver.
  • OSR_Community_User-35 Member Posts: 154
    The time the write IRP is received is too late to look at the filename.
    It is not guaranteed to be in the file object. Look at the filename
    during the create IRP, and remember it somehow.

    To avoid confusing applications hopelessly, you may want to check the
    requested access permissions during the create, and fail the create IRP
    if write access is requested. Allowing a file to be opened for write
    access and then failing the writes is ... unconventional?

    I don't know how you're cancelling the IRP -- just complete it with an
    error status.

    You may also have to hook the fast-IO path also -- not all writes use IRPs.

    -----------------------------------------------------------------------
    Dave Cox
    Hewlett-Packard Co.
    HPSO/SSMO (Santa Barbara)
    https://ecardfile.com/id/Dave+Cox


    -----Original Message-----
    From: David Mack [mailto:[email protected]]
    Sent: Wednesday, April 12, 2000 7:42 AM
    To: File Systems Developers
    Subject: [ntfsd] Re: Need a simple example for filter driver


    I have looked at that filemon but it doesn't really show me how to cancel a
    write IRP.
    I am definitely doing it wrong cause I'm getting blue screens randomly from
    my driver.
    If anyone has an example of that, maybe that would help.

    What I am looking for is a snippet of code that will do the following.
    Say I want to block all files that have the .dat extension from going to
    hard disk.
    When the IRP comes down to write, I want to check the extension and cancel
    the IRP.

    Even if the example doesn't do this anything close would be of help.
    Once again, thanks for the replies


  • OSR_Community_User Member Posts: 110,217
    Is it possible to determine if a file is being copied as opposed to being
    created from scratch in a driver? I will try looking at the create IRP and
    see if that has what I need. I do appreciate everyone's help. I am new to
    driver development so if I am being unconventional it is unintentional I
    assure you.

    David Mack

    -----Original Message-----
    From: [email protected]
    [mailto:[email protected]]On Behalf Of COX,DAVID
    (HP-Roseville,ex1)
    Sent: Wednesday, April 12, 2000 12:20 PM
    To: File Systems Developers
    Subject: [ntfsd] Re: Need a simple example for filter driver


    The time the write IRP is received is too late to look at the filename.
    It is not guaranteed to be in the file object. Look at the filename
    during the create IRP, and remember it somehow.

    To avoid confusing applications hopelessly, you may want to check the
    requested access permissions during the create, and fail the create IRP
    if write access is requested. Allowing a file to be opened for write
    access and then failing the writes is ... unconventional?

    I don't know how you're cancelling the IRP -- just complete it with an
    error status.

    You may also have to hook the fast-IO path also -- not all writes use IRPs.

    -----------------------------------------------------------------------
    Dave Cox
    Hewlett-Packard Co.
    HPSO/SSMO (Santa Barbara)
    https://ecardfile.com/id/Dave+Cox


  • OSR_Community_User Member Posts: 110,217
    Hi,

    SFILTER from Rajeev Nagar's book "NT FileSystem Internals" can do this; it
    taps all the requests going to the mounted volumes.
    All the requests will land on the "SFilterDefaultDispatch" routine in the
    dispatch.c file. Probably you can filter all write requests and get the
    filename from the fileobject.

    Regards,
    Kishore Inampudi

    >From: "David Mack" <[email protected]>
    >Reply-To: "File Systems Developers" <[email protected]>
    >To: "File Systems Developers" <[email protected]>
    >Subject: [ntfsd] Re: Need a simple example for filter driver
    >Date: Wed, 12 Apr 2000 09:41:33 -0500
    >
    >I have looked at that filemon but it doesn't really show me how to cancel a
    >write IRP.
    >I am definitely doing it wrong cause I'm getting blue screens randomly from
    >my driver.
    >If anyone has an example of that, maybe that would help.
    >
    >What I am looking for is a snippet of code that will do the following.
    >Say I want to block all files that have the .dat extension from going to
    >hard disk.
    >When the IRP comes down to write, I want to check the extension and cancel
    >the IRP.
    >
    >Even if the example doesn't do this anything close would be of help.
    >Once again, thanks for the replies
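  • OSR_Community_User Member Posts: 110,217
    I guess I'm talking about what you mean. If you want to cancel an IRP
    you have to do this:
    Irp->IoStatus.Status = STATUS_ACCESS_DENIED; // or some other error code
    Irp->IoStatus.Information = 0;               // no bytes transferred
    IoCompleteRequest(Irp, IO_NO_INCREMENT);     // complete here; do not pass it down
    return STATUS_ACCESS_DENIED;                 // must match IoStatus.Status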
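
The create-time check Dave Cox describes (look at the name and the requested access during the create, and fail the create rather than later writes) is sketched here as the decision function an IRP_MJ_CREATE dispatch routine would call before completing the IRP with an error status. This is an added example, not code from the thread, filemon or SFILTER; the function names are hypothetical, and the constants are re-declared with their Windows values so the logic builds outside the DDK. It goes slightly beyond the thread by also handling stream suffixes, MAXIMUM_ALLOWED and create dispositions other than FILE_OPEN.

```c
#include <stddef.h>
#include <stdint.h>
typedef uint_least16_t wchar16;  /* stand-in for WCHAR (UTF-16 code unit) */

/* Re-declared with their Windows values so the logic builds outside the DDK. */
#define FILE_WRITE_DATA  0x00000002u
#define FILE_APPEND_DATA 0x00000004u
#define DELETE           0x00010000u
#define MAXIMUM_ALLOWED  0x02000000u  /* may be granted write access */
#define GENERIC_ALL      0x10000000u
#define GENERIC_WRITE    0x40000000u
#define FILE_OPEN        1u  /* the only disposition that never creates or replaces */

static wchar16 lower(wchar16 c) { return (c >= u'A' && c <= u'Z') ? (wchar16)(c + 32) : c; }
size_t u16len(const wchar16 *s) { size_t n = 0; while (s[n]) n++; return n; }

/* 1 if the last path component, minus any ":stream" suffix, ends in ".dat".
   len is in characters: FileObject->FileName is counted, not NUL-terminated. */
int has_dat_extension(const wchar16 *name, size_t len)
{
    size_t start = 0, end = len, i;
    for (i = 0; i < len; i++)
        if (name[i] == u'\\') start = i + 1;       /* after the last separator */
    for (i = start; i < len; i++)
        if (name[i] == u':') { end = i; break; }   /* drop "file.dat:stream" tail */
    if (end - start < 4) return 0;
    return name[end - 4] == u'.' && lower(name[end - 3]) == u'd' &&
           lower(name[end - 2]) == u'a' && lower(name[end - 1]) == u't';
}

/* IRP_MJ_CREATE decision: 1 = complete the IRP with STATUS_ACCESS_DENIED,
   0 = pass it down. In a legacy filter, desired_access would come from
   Parameters.Create.SecurityContext->DesiredAccess and disposition from the
   high 8 bits of Parameters.Create.Options. */
int should_deny_create(const wchar16 *name, size_t len,
                       uint32_t desired_access, uint32_t disposition)
{
    const uint32_t modify = FILE_WRITE_DATA | FILE_APPEND_DATA | DELETE |
                            MAXIMUM_ALLOWED | GENERIC_ALL | GENERIC_WRITE;
    if (!has_dat_extension(name, len)) return 0;
    return (desired_access & modify) != 0 || disposition != FILE_OPEN;
}

int main(void)
{
    /* Constructed sample: a read-only open of a .dat file is passed down. */
    static const wchar16 path[] = u"\\data\\report.dat";
    return should_deny_create(path, u16len(path), 0x00000001u, FILE_OPEN);
}
```

Because the open itself is refused, no writable file object exists afterwards, so the same decision covers writes that would otherwise arrive through the fast-I/O path.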