I have created a file system minifilter to block file creation on a network file system,
but creating a file on the network file system causes a BSOD.
The following block of code in MiniPrecreate is used for blocking the file operation:
status = FltGetDiskDeviceObject(FltObjects->Volume, &Pdo);
if (Pdo->DeviceType != FILE_DEVICE_NETWORK_FILE_SYSTEM)
{
    Data->IoStatus.Status = STATUS_ACCESS_DENIED;
    Data->IoStatus.Information = 0;
    FltReleaseFileNameInformation(FileNameInfos);
    return FLT_PREOP_COMPLETE;
}
How can I block network file system file operations?
Comments
Shouldn't you check the status variable before using Pdo?
As far as I can recall, a network file system doesn't have a disk.
The bug check code would also be helpful.
—
Fernando Roberto da Silva
DriverEntry Kernel Development
http://www.driverentry.com.br
- Set an InstanceSetup callback for mounted volumes.
- In this callback if the file system type is one you are interested in then allocate a volume context and set it accordingly.
- In your precreate callback, if you successfully retrieve a volume context then you know it's one you are interested in so fail the request.
I am guessing you don't want to fail ALL requests to the network, just creates? So check for the appropriate values in the create parameters, etc.
Pete
Kernel Drivers
Windows File System and Device Driver Consulting
www.KernelDrivers.com
866.263.9295
You need to check if Pdo variable is not somehow NULL and if Status is NT_SUCCESS.
Better to try FltGetVolumeFromFileObject followed by FltGetVolumeProperties.
From the _FLT_VOLUME_PROPERTIES structure you can deduce where you are.
But the BEST way to achieve this is to simply register for an InstanceSetup callback and only attach to network file systems.
The InstanceSetup callback conveniently has the parameters "_In_ FLT_FILESYSTEM_TYPE VolumeFilesystemType" and "_In_ DEVICE_TYPE VolumeDeviceType", which you can use to decide if you want to attach or not.
If you only attach to FILE_DEVICE_NETWORK_FILE_SYSTEM or FILE_DEVICE_NETWORK_REDIRECTOR VolumeDeviceTypes, for example, you have attached only to network file systems; therefore you know that in your Create callbacks you always have a create which goes to the network, and then you just decide what to do with it.
Cheers,
Gabriel
Thank you all
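I registered an InstanceSetup callback and added a condition for attaching to network volumes only.
NTSTATUS PfltInstanceSetupCallback(PCFLT_RELATED_OBJECTS FltObjects, FLT_INSTANCE_SETUP_FLAGS Flags, DEVICE_TYPE VolumeDeviceType, FLT_FILESYSTEM_TYPE VolumeFilesystemType)
{
    // Default to not attaching, so every path returns a defined status.
    NTSTATUS Status = STATUS_FLT_DO_NOT_ATTACH;

    UNREFERENCED_PARAMETER(FltObjects);
    UNREFERENCED_PARAMETER(Flags);
    UNREFERENCED_PARAMETER(VolumeFilesystemType);

    // Attach only to network file system volumes.
    if (VolumeDeviceType == FILE_DEVICE_NETWORK_FILE_SYSTEM)
    {
        Status = STATUS_SUCCESS;
    }
    if (VolumeDeviceType == FILE_DEVICE_DISK_FILE_SYSTEM)
    {
        Status = STATUS_FLT_DO_NOT_ATTACH;
    }
    return Status;
}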
thank you all
I have one more question.
I need to block file creation, file deletion and file modification on a network file system.
I can block file creation and deletion by filtering IRP_MJ_SET_INFORMATION and IRP_MJ_CREATE, but I need to block file modification.
I just tried blocking all IRP_MJ_WRITE requests, but it also blocks access to the drive.
How do I find the file modification IRP_MJ_WRITE requests?
Please help.
Blocking Write should not do anything other than stop files from being written, which is what you want. If you are specifically concerned about files, check the file object to make sure it is a file, not a directory. If everything is being blocked, it is undoubtedly your IRP_MJ_CREATE blocking doing that. IRP_MJ_CREATE is difficult to filter, because lazy or generalized code opens with permissions it doesn't need.
I would only check for specific actions such as create options FILE_DELETE_ON_CLOSE, or create disposition FILE_OVERWRITE or FILE_OVERWRITE_IF. Alternatively, you could change the desired access and create disposition to not include items you don't want, such as write access, and then let the create fail on them. I chose not to do that because as I said, filtering IRP_MJ_CREATE, when you don't really know what you have, is difficult.
There are many ways to modify a file besides writing to it or truncating it on open. For example: IRP_MJ_ACQUIRE_FOR_SECTION_SYNCHRONIZATION with PageProtection of one of the PAGE_WRITE values, IRP_MJ_SET_INFORMATION setting File Disposition Info to delete, renaming, or changing the end of file, etc. (but not all IRP_MJ_SET_INFORMATION!).
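
The create-side checks suggested in the reply above, as an added example that is not part of the original thread. It goes one step further than the reply by also flagging dispositions that can create a new file. The function name and result flags are hypothetical; the FILE_* values mirror the WDK definitions, and the code is portable C so the decision logic can be exercised outside the kernel.

```c
#include <stdint.h>
#include <stdio.h>

/* Values as defined in the WDK headers; guarded so a driver build keeps its own. */
#ifndef FILE_DELETE_ON_CLOSE
#define FILE_SUPERSEDE        0x00000000
#define FILE_OPEN             0x00000001
#define FILE_CREATE           0x00000002
#define FILE_OPEN_IF          0x00000003
#define FILE_OVERWRITE        0x00000004
#define FILE_OVERWRITE_IF     0x00000005
#define FILE_DELETE_ON_CLOSE  0x00001000
#endif

/* Hypothetical result flags for this example. */
#define CREATE_MAY_MAKE_NEW_FILE  0x1u
#define CREATE_MAY_DISCARD_DATA   0x2u
#define CREATE_DELETES_ON_CLOSE   0x4u

/* 'options' is the packed value a minifilter reads from
   Data->Iopb->Parameters.Create.Options: the create disposition is in the
   high 8 bits and the create options are in the low 24 bits. */
unsigned classify_create(uint32_t options)
{
    uint32_t disposition = (options >> 24) & 0xFF;
    uint32_t create_opts = options & 0x00FFFFFF;
    unsigned r = 0;

    switch (disposition) {
    case FILE_SUPERSEDE:    /* replaces an existing file or creates one */
    case FILE_OVERWRITE_IF: /* truncates an existing file or creates one */
        r |= CREATE_MAY_MAKE_NEW_FILE | CREATE_MAY_DISCARD_DATA; break;
    case FILE_CREATE:       /* fails if the file exists */
    case FILE_OPEN_IF:      /* opens, or creates if missing */
        r |= CREATE_MAY_MAKE_NEW_FILE; break;
    case FILE_OVERWRITE:    /* truncates; fails if the file is missing */
        r |= CREATE_MAY_DISCARD_DATA; break;
    default:                /* FILE_OPEN: the open itself changes nothing */
        break;
    }
    if (create_opts & FILE_DELETE_ON_CLOSE)
        r |= CREATE_DELETES_ON_CLOSE;
    return r;
}

int main(void)
{   /* Constructed sample: FILE_OVERWRITE_IF combined with FILE_DELETE_ON_CLOSE. */
    printf("0x%x\n", classify_create(((uint32_t)FILE_OVERWRITE_IF << 24) | FILE_DELETE_ON_CLOSE));
    return 0;
}
```

A pre-create callback would fail the request only when the returned flags are non-zero, which leaves plain FILE_OPEN requests (browsing, reading) untouched.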