minispy versus delete minifilter

I am trying to write an auditing minifilter that tracks file & directory open/close/read/write/delete/rename operations on a volume. Minispy on GitHub seems to have most of what I need, but then I noticed that MSFT has also released the delete minifilter specifically to track file deletes.
Can I deduce file deletes from user-space based on information captured by the minispy minifilter driver?
#1: IRP_MJ_CREATE with DELETE_ON_CLOSE
#2: IRP_MJ_SET_INFORMATION with FileDeleteDisposition class
#3: IRP_MJ_CLEANUP
I will check if the file is deleted from user-space for each of the above 3 cases to deduce deletes.
I am primarily a Linux developer, though I have done some Windows user-space coding, so I prefer to do as little Windows kernel coding as possible, and I don’t want to maintain two drivers if I don’t have to. Will it work, or are there cases that the delete minifilter catches that minispy doesn’t?
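As an added example (not code from this thread, and not minispy's or the delete sample's code), here is a user-space correlator that applies the three cases listed above to a stream of post-operation records and reports a delete only after the existence check at cleanup. It also covers two cases the list does not spell out: a disposition change that the file system rejects, and a delete intent that FileDispositionInformationEx withdraws before cleanup. The Record layout, the `exists` callback, the `DeleteAuditor` class and the sample record stream are this example's own constructed assumptions; the numeric constants are the real Windows values.

```python
"""Deduce file deletes in user-space from minifilter log records (added example)."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# Real Windows values: IRP major codes, create option, information classes, flags.
IRP_MJ_CREATE = 0x00
IRP_MJ_SET_INFORMATION = 0x06
IRP_MJ_CLEANUP = 0x12
FILE_DELETE_ON_CLOSE = 0x00001000          # Parameters.Create.Options bit
FileDispositionInformation = 13
FileDispositionInformationEx = 64
FILE_DISPOSITION_DELETE = 0x00000001       # FILE_DISPOSITION_INFORMATION_EX.Flags bit
STATUS_SUCCESS = 0x00000000
STATUS_ACCESS_DENIED = 0xC0000022


@dataclass
class Record:
    """Constructed stand-in for one post-operation log record (assumed layout)."""
    major: int
    path: str
    status: int            # NTSTATUS of the completed operation
    options: int = 0       # IRP_MJ_CREATE: Parameters.Create.Options
    info_class: int = 0    # IRP_MJ_SET_INFORMATION: FileInformationClass
    info_arg: int = 0      # DeleteFile for FileDispositionInformation, Flags for the Ex class


class DeleteAuditor:
    """Tracks delete intent per path and confirms it with an existence check at cleanup."""

    def __init__(self, exists: Callable[[str], bool]):
        self._exists = exists                       # injected so the example runs offline
        self._pending: Dict[str, str] = {}          # path -> how it became delete-pending
        self.deleted: List[Tuple[str, str]] = []

    def feed(self, rec: Record) -> Optional[str]:
        """Consume one record; returns 'deleted:<path>' when a delete is confirmed."""
        if rec.status != STATUS_SUCCESS:
            return None                             # a failed create/set-info changes nothing
        if rec.major == IRP_MJ_CREATE:
            if rec.options & FILE_DELETE_ON_CLOSE:  # case #1
                self._pending[rec.path] = "FILE_DELETE_ON_CLOSE"
        elif rec.major == IRP_MJ_SET_INFORMATION:   # case #2
            if rec.info_class == FileDispositionInformation:
                wants_delete = bool(rec.info_arg)   # DeleteFile may be FALSE
            elif rec.info_class == FileDispositionInformationEx:
                wants_delete = bool(rec.info_arg & FILE_DISPOSITION_DELETE)
            else:
                return None
            if wants_delete:
                self._pending[rec.path] = "FileDispositionInformation"
            else:
                self._pending.pop(rec.path, None)   # delete intent withdrawn
        elif rec.major == IRP_MJ_CLEANUP:           # case #3
            reason = self._pending.get(rec.path)
            if reason is None or self._exists(rec.path):
                return None                         # not pending, or still held open elsewhere
            del self._pending[rec.path]
            self.deleted.append((rec.path, reason))
            return f"deleted:{rec.path}"
        return None


def run_sample() -> List[Tuple[str, str]]:
    """Replay a constructed record stream against a simulated volume."""
    a, b, ro, keep = (r"C:\data\a.txt", r"C:\data\b.txt", r"C:\data\ro.txt", r"C:\data\keep.txt")
    volume = {a, b, ro, keep}
    auditor = DeleteAuditor(exists=lambda p: p in volume)

    def step(rec: Record, removed: bool = False) -> None:
        if removed:
            volume.discard(rec.path)                # the file system removes it at cleanup
        auditor.feed(rec)

    # Explorer-style delete: open with DELETE_ON_CLOSE, then cleanup.
    step(Record(IRP_MJ_CREATE, a, STATUS_SUCCESS, options=FILE_DELETE_ON_CLOSE))
    step(Record(IRP_MJ_CLEANUP, a, STATUS_SUCCESS), removed=True)
    # Open normally, then mark for delete with FileDispositionInformation.
    step(Record(IRP_MJ_CREATE, b, STATUS_SUCCESS))
    step(Record(IRP_MJ_SET_INFORMATION, b, STATUS_SUCCESS,
                info_class=FileDispositionInformation, info_arg=1))
    step(Record(IRP_MJ_CLEANUP, b, STATUS_SUCCESS), removed=True)
    # Disposition change rejected (e.g. read-only file): nothing is deleted.
    step(Record(IRP_MJ_CREATE, ro, STATUS_SUCCESS))
    step(Record(IRP_MJ_SET_INFORMATION, ro, STATUS_ACCESS_DENIED,
                info_class=FileDispositionInformation, info_arg=1))
    step(Record(IRP_MJ_CLEANUP, ro, STATUS_SUCCESS))
    # Ex class sets the delete flag, then clears it before cleanup: not a delete.
    step(Record(IRP_MJ_CREATE, keep, STATUS_SUCCESS))
    step(Record(IRP_MJ_SET_INFORMATION, keep, STATUS_SUCCESS,
                info_class=FileDispositionInformationEx, info_arg=FILE_DISPOSITION_DELETE))
    step(Record(IRP_MJ_SET_INFORMATION, keep, STATUS_SUCCESS,
                info_class=FileDispositionInformationEx, info_arg=0))
    step(Record(IRP_MJ_CLEANUP, keep, STATUS_SUCCESS))
    return auditor.deleted


if __name__ == "__main__":
    for path, reason in run_sample():
        print(f"{path} deleted via {reason}")
```

Keying on the path is a simplification: the driver sees file objects, and a real tool would key on the file object (or the FileId) to tell handles apart. The existence check is the part that makes the scheme an audit rather than a guess, which is why it is injected as a callback and applied only at cleanup.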

Delete minifilter has a different purpose (I reckon Undelete?), so it
needs to track deletes more precisely.

For audit purposes, it is less tricky, but you have to catch those 3
cases anyway (for the purpose of auditing, you don’t need to track
anything but FILE_FLAG_DELETE_ON_CLOSE, but for an Undelete you have
to track Disposition state, or query during Cleanup).

Thank you Dejan.

@Dejan_Maksimovic said:
For audit purposes, it is less tricky, but you have to catch those 3
cases anyway (for the purpose of auditing, you don’t need to track
anything but FILE_FLAG_DELETE_ON_CLOSE, but for an Undelete you have
to track Disposition state, or query during Cleanup).
I’ve seen apps open normally, and then use SetInformation to mark the file for delete.

Track was the key word. Audit need not track either, only monitor them.
But I do see how that would more than easily be misinterpreted, thanks for chiming in.

Check out this one from OSR; it will help.
https://github.com/OSRDrivers/deleteex

I modified minispy to capture the DELETE_ON_CLOSE and Disposition state like so:

+#define DF_PRINT( ... )                                                      \
+    DbgPrintEx( DPFLTR_FLTMGR_ID, DPFLTR_ERROR_LEVEL, __VA_ARGS__ )
...
+VOID
+SpyLogExtraFlags(
+       _In_ PFLT_CALLBACK_DATA Data,
+       _Inout_ PRECORD_LIST RecordList
+)
+{
+       PRECORD_DATA recordData = &RecordList->LogRecord.Data;
+       recordData->ExtraFlags = 0; // clear the flags
+       DF_PRINT("Setting extra flags");
+       switch (Data->Iopb->MajorFunction) {
+               case IRP_MJ_CREATE:
+                       DF_PRINT("Create options %ld", Data->Iopb->Parameters.Create.Options);
+                       if (FlagOn(Data->Iopb->Parameters.Create.Options,
+                                      FILE_DELETE_ON_CLOSE)) {
+                               recordData->ExtraFlags |= RECORD_DATA_EXTRA_FLAGS_CHECK_DELETE;
+                       }
+                       break;
+               case IRP_MJ_SET_INFORMATION:^M
+                       DF_PRINT("Set info fic %d", Data->Iopb->Parameters.SetFileInformation.FileInformationClass);
+                       switch (Data->Iopb->Parameters.SetFileInformation.FileInformationClass) {
+                               case FileDispositionInformation:
+                               case FileDispositionInformationEx:
+                                       recordData->ExtraFlags |= RECORD_DATA_EXTRA_FLAGS_CHECK_DELETE;
+                                       break;
+                               default:
+                                       break;
+                       }
+               default:
+                       // nothing to do
+                       DF_PRINT("Neither create or set %d", Data->Iopb->MajorFunction);
+                       break;
+       }
+}
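Review bot: the `case IRP_MJ_SET_INFORMATION:` arm has no `break` after its inner `switch`, so it falls through into `default` and logs "Neither create or set" for every set-information request; add `break;` before `default:`. The same arm flags both `FileDispositionInformation` and `FileDispositionInformationEx` as delete candidates without reading the buffer, yet `FILE_DISPOSITION_INFORMATION.DeleteFile` can be FALSE and the Ex flags can omit `FILE_DISPOSITION_DELETE`, both of which withdraw a delete rather than request one, so the user-space existence check has to carry the load for those. The stray `^M` on the `case IRP_MJ_SET_INFORMATION:` line shows mixed CRLF/LF endings in the file; worth normalising before the next diff.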

and I call this function right after minispy logs the record data:

         SpyLogPreOperationData( Data, FltObjects, recordList );

+               //
+               // Set extra flags like check for delete
+               //
+               SpyLogExtraFlags(Data, recordList);
+
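Review bot: this call sits in the pre-operation path right after `SpyLogPreOperationData`, so `ExtraFlags` records the caller's intent before the file system has accepted it; a set-disposition that later fails (for example with STATUS_ACCESS_DENIED on a read-only file) is still marked. Either set the flag from the post-operation callback where the status is known, or keep the pre-op mark and have user-space treat it strictly as "check whether the file still exists at cleanup", which is what the original post proposes.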

and finally I modified the RecordData to return the ExtraFlags to user-space:

 //
+// Extra flags to signal user-space to check for file delete etc.,
+//
+#define RECORD_DATA_EXTRA_FLAGS_CHECK_DELETE     0x1
+
 //  The fixed data received for RECORD_TYPE_NORMAL
 //

@@ -120,7 +124,8 @@ typedef struct _RECORD_DATA {

     UCHAR CallbackMajorId;
     UCHAR CallbackMinorId;
-    UCHAR Reserved[2];      // Alignment on IA64
+       UCHAR ExtraFlags;    // check for delete etc.,
+    UCHAR Reserved;      // Alignment on IA64

     PVOID Arg1;
     PVOID Arg2;
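Review bot: `RECORD_DATA` is the structure shared with the user-mode minispy.exe, so both the driver and the tool must be rebuilt from the changed header and the driver re-installed; a minispy.exe built against the old layout reads the old `Reserved[2]` bytes and shows `ExtraFlags` as 0 even when the driver sets it. Replacing `UCHAR Reserved[2]` with `UCHAR ExtraFlags;` plus `UCHAR Reserved;` keeps the structure size unchanged, which is right. The added `ExtraFlags` line is tab-indented while the surrounding lines use spaces; match the file's spacing.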

but minispy.exe always returns ExtraFlags as zero even though I clearly deleted the file from Windows Explorer (right click, delete file).

  • I do see some IRP_MJ_CREATE & IRP_MJ_CLEANUP records being generated when I delete, but the ExtraFlags that I set in the minispy filter driver always stay at 0x0.
  • Another annoying thing is that the dbg statements I added in the minispy filter driver don’t show up in DbgView (yes, I am running it as administrator).
  • Anything I can try? Thanks everyone for your help.

I am now able to see the dbg statements I added in the minispy filter driver. I needed to use a Debug build instead of Release in Visual Studio.

The above code seems to work after I cleaned my project, uninstalled and re-installed the minifilter. So thanks everyone for the help.