In PostCreate check the status of the operation in Data->IoStatus.Status. The fact that you got into PostCreate and the FileObject fields are NULL most likely means that the operation has failed.

Anyway, there is no way you can prevent that duplication from happening. Of course you could if you were part of the Ob callbacks, which are currently only supported for Process and Thread objects (not file objects), but even then, what you would get is a handle with 0 access. So basically you cannot do that. Handle creation is managed by the Ob Manager and has no ties with the file system specifically, hence you cannot control it from a minifilter.

But the more fundamental question you should ask yourself, and maybe answer to us, is what are you trying to achieve, and also why would an operating system mechanic or feature, part of the Ob Manager in this case, which is supposed to work system wide, bother you in your development. Your filter, or your driver in general, should be able to run and at the same time everything that the operating system has to offer still needs to work. Your encryption filter simply cannot depend on a process calling DuplicateHandle; furthermore, there could be a lower filter making this system call without you even knowing about it.

As I see it you create a handle in the minifilter which is valid in a subsequent PreCreate. I would obtain the file object (of the handle I created), close the handle myself, and then use the Flt calls and FileObjects instead of handles. So if you forward the PreCreate and it should fail, you simply dereference your file object.

The call that you see to DuplicateHandle suggests to me that most likely you are leaking the handle somehow or closing it yourself, rather than Kaspersky "stealing it" and closing it themselves; otherwise why would they call DuplicateHandle? I doubt they parse the process handle table and close all handles that refer to the failed Create. That would be highly risky and unstable, and they cannot possibly synchronize it. Also, if that is a kernel handle there is no process table to associate it with, as it works in km only (which is probably the case here).

Anyway, make sure you are not the one leaking/closing the handle unexpectedly somehow. Maybe the Create is denied by Kaspersky and you make assumptions that it would work. There is not a lot of info you gave us on that, so all I can do is speculate.
Regards,
Gabriel
On Mon, May 28, 2018 at 11:49 AM xxxxx@gmail.com wrote:
> Hi, thanks Gabriel & Scott
>
> I understand there is a FltObjects->FileObject in PostCreate with null
> parameters except FileName.
> We call FltSetStreamHandleContext for this FileObject, but it returns
> STATUS_NOT_SUPPORTED (because FsContext is null). I try to prevent this
> call. Now, save in file is successful.
>
> APIMonitor logs show NtDuplicateObject before this CreateFile over the
> handle. How can I prevent DuplicateHandle in a minifilter driver?
--
Bercea. G.
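Added here as an illustration of the PostCreate check Gabriel recommends; it is not code from the thread and not a loadable minifilter. It is a user-mode C model in which the WDK types are replaced by constructed stand-ins carrying the same field names (Data->IoStatus.Status, FltObjects->FileObject, FileObject->FsContext), and ModelFltSetStreamHandleContext reproduces only the behaviour the original poster reported (STATUS_NOT_SUPPORTED when FsContext is NULL); the real FltSetStreamHandleContext has a different signature and richer semantics. The point it shows is the ordering: test the create's completion status before touching the file object at all, and treat a NULL FsContext as "no stream to tag" rather than as an error to work around.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-ins for the WDK types named in the thread, so the
 * decision logic compiles in user mode without fltKernel.h. Field names
 * mirror the real ones; everything else about them is simplified. */
typedef int32_t NTSTATUS;
#define STATUS_SUCCESS        ((NTSTATUS)0x00000000)
#define STATUS_ACCESS_DENIED  ((NTSTATUS)0xC0000022)
#define STATUS_NOT_SUPPORTED  ((NTSTATUS)0xC00000BB)
#define NT_SUCCESS(Status)    (((NTSTATUS)(Status)) >= 0)

typedef struct _FILE_OBJECT {
    void *FsContext;        /* NULL when no file system stream backs the object */
    void *AttachedContext;  /* model-only slot standing in for the stream handle context */
} FILE_OBJECT, *PFILE_OBJECT;

typedef struct _IO_STATUS_BLOCK {
    NTSTATUS  Status;
    uintptr_t Information;
} IO_STATUS_BLOCK;

typedef struct _FLT_CALLBACK_DATA {
    IO_STATUS_BLOCK IoStatus;
} FLT_CALLBACK_DATA, *PFLT_CALLBACK_DATA;

typedef struct _FLT_RELATED_OBJECTS {
    PFILE_OBJECT FileObject;
} FLT_RELATED_OBJECTS, *PCFLT_RELATED_OBJECTS;

typedef enum _FLT_POSTOP_CALLBACK_STATUS {
    FLT_POSTOP_FINISHED_PROCESSING = 0
} FLT_POSTOP_CALLBACK_STATUS;

/* What the post-create gate decided, returned so a caller can check it. */
typedef enum _POSTCREATE_OUTCOME {
    POSTCREATE_SKIPPED_FAILED_CREATE,  /* IoStatus.Status failed: nothing to attach to */
    POSTCREATE_SKIPPED_NO_FSCONTEXT,   /* success status but FsContext still NULL */
    POSTCREATE_CONTEXT_ATTACHED,
    POSTCREATE_CONTEXT_ATTACH_FAILED
} POSTCREATE_OUTCOME;

/* Model of the one behaviour reported in the thread: the call fails with
 * STATUS_NOT_SUPPORTED when the file object has no FsContext. */
static NTSTATUS ModelFltSetStreamHandleContext(PFILE_OBJECT FileObject, void *Context)
{
    if (FileObject == NULL || FileObject->FsContext == NULL)
        return STATUS_NOT_SUPPORTED;
    FileObject->AttachedContext = Context;
    return STATUS_SUCCESS;
}

/* PostCreate gate: check the create's completion status first, then the file object. */
POSTCREATE_OUTCOME PostCreateDecide(PFLT_CALLBACK_DATA Data,
                                    PCFLT_RELATED_OBJECTS FltObjects,
                                    void *Context,
                                    FLT_POSTOP_CALLBACK_STATUS *CallbackStatus)
{
    *CallbackStatus = FLT_POSTOP_FINISHED_PROCESSING;

    /* A failed create still reaches PostCreate; its file object is not usable. */
    if (!NT_SUCCESS(Data->IoStatus.Status))
        return POSTCREATE_SKIPPED_FAILED_CREATE;

    /* A success status with a NULL FsContext is not a stream we can tag either. */
    if (FltObjects->FileObject == NULL || FltObjects->FileObject->FsContext == NULL)
        return POSTCREATE_SKIPPED_NO_FSCONTEXT;

    NTSTATUS status = ModelFltSetStreamHandleContext(FltObjects->FileObject, Context);
    return NT_SUCCESS(status) ? POSTCREATE_CONTEXT_ATTACHED
                              : POSTCREATE_CONTEXT_ATTACH_FAILED;
}

/* Builds one constructed scenario (status + whether FsContext is set) and runs the gate. */
POSTCREATE_OUTCOME RunPostCreateScenario(NTSTATUS CreateStatus, int HasFsContext)
{
    static int fakeFcb;    /* stands in for the file system's FCB */
    static int streamCtx;  /* stands in for the filter's own context allocation */
    FILE_OBJECT fo = { HasFsContext ? (void *)&fakeFcb : NULL, NULL };
    FLT_CALLBACK_DATA data = { { CreateStatus, 0 } };
    FLT_RELATED_OBJECTS objs = { &fo };
    FLT_POSTOP_CALLBACK_STATUS cbStatus;
    return PostCreateDecide(&data, &objs, &streamCtx, &cbStatus);
}

int main(void)
{
    printf("denied create    -> %d\n", RunPostCreateScenario(STATUS_ACCESS_DENIED, 0));
    printf("ok, no FsContext -> %d\n", RunPostCreateScenario(STATUS_SUCCESS, 0));
    printf("ok, FsContext    -> %d\n", RunPostCreateScenario(STATUS_SUCCESS, 1));
    return 0;
}
```

The first scenario is the one the original poster hit: the create was denied below the filter, PostCreate still ran, and the file object's FsContext was never populated, so the gate returns without calling the context API at all. With the status check in place the STATUS_NOT_SUPPORTED result never has to be "prevented" after the fact.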