Windows System Software -- Consulting, Training, Development -- Unique Expertise, Guaranteed Results

Home NTFSD
Before Posting...
Please check out the Community Guidelines in the Announcements and Administration Category.

More Info on Driver Writing and Debugging


The free OSR Learning Library has more than 50 articles on a wide variety of topics about writing and debugging device drivers and Minifilters. From introductory level to advanced. All the articles have been recently reviewed and updated, and are written using the clear and definitive style you've come to expect from OSR over the years.


Check out The OSR Learning Library at: https://www.osr.com/osr-learning-library/


How to filter the NFS Request using WFP

Nikhil_V_SNikhil_V_S Member - All Emails Posts: 58

I need to filter the access Network file system from client machine.
Mainly i need block the file creation and deletion operation
Is there way to do this .

Comments

  • rstruempfrstruempf Member Posts: 103

    That's a pretty broad request, but you can create a File System Minifilter Driver (https://docs.microsoft.com/en-us/windows-hardware/drivers/ifs/file-system-minifilter-drivers), and on the Instance Setup callback (for attaching to a new volume), only attach if it is a network volume. Then any create or delete can be denied.

    Deletes can happen on IRP_MJ_CREATE, with the create option of FILE_DELETE_ON_CLOSE, or an IRP_MJ_SET_INFORMATION with FileInformationClass of either FileDispositionInformation or FileDispositionInformationEx, with the delete flag on. Neither of those guarantees that a delete will occur, but they are requests.

    Creates are more difficult. It will always be IRP_MJ_CREATE, with create disposition of FILE_OPEN_IF or FILE_OVERWRITE_IF, I think. But those are requests to create a file if it doesn't exist, but does not yet know whether it does exist. Someone with more experience will need to tell you how to test that. I imagine you need to open the file yourself to see if it exists, or just change the caller's create disposition to FILE_OPEN/FILE_OVERWRITE and let it fail naturally if the file doesn't already exist.

  • Nikhil_V_SNikhil_V_S Member - All Emails Posts: 58

    @rstruempf thank you
    Actually I tried with a minifilter .
    but i don't know how to find whether the IRP request is from NFS or not
    following block of code is used for blocking creation of "text.txt" file from all the storage device volume .but i need to block the only in NFS .
    how it is possible ?

    FLT_PREOP_CALLBACK_STATUS MiniPreCreate(PFLT_CALLBACK_DATA Data,PCFLT_RELATED_OBJECTS FltObjects , PVOID * CompletionContext)
    {
    ..........................................................................................................
    status=FltGetFileNameInformation(Data,FLT_FILE_NAME_NORMALIZED|FLT_FILE_NAME_QUERY_DEFAULT,&FileNameInfos);
    if(FileNameInfos->Name.MaximumLength<260)
    {
    RtlCopyMemory(Name,FileNameInfos->Name.Buffer,FileNameInfos->Name.MaximumLength);
    if(wcsstr(Name,L"TEXT.TXT")!=NULL)
    {
    DbgPrint(" operation %ws blocked \n",Name);
    Data->IoStatus.Status=STATUS_ACCESS_DENIED;
    Data->IoStatus.Information=0;
    FltReleaseFileNameInformation(FileNameInfos);
    return FLT_PREOP_COMPLETE;
    }
    }
    }

  • Scott_Noone_(OSR)Scott_Noone_(OSR) Administrator Posts: 3,302

    You can't tell in PreCreate if the file is destined for NFS or not. In post create you can query which network provider ended up handling the open (FsRtlMupGetProviderInfoFromFileObject).

    -scott
    OSR

Sign In or Register to comment.

Howdy, Stranger!

It looks like you're new here. If you want to get involved, click one of these buttons!

Upcoming OSR Seminars
OSR has suspended in-person seminars due to the Covid-19 outbreak. But, don't miss your training! Attend via the internet instead!
Kernel Debugging 30 Mar 2020 OSR Seminar Space
Developing Minifilters 15 Jun 2020 LIVE ONLINE
Writing WDF Drivers 22 June 2020 LIVE ONLINE
Internals & Software Drivers 28 Sept 2020 Dulles, VA