minispy versus delete minifilter

shanthikp Member Posts: 7

I am trying to write an auditing minifilter that tracks file & directory open/close/read/write/delete/rename operations on a volume. Minispy on GitHub seems to have most of what I need, but then I noticed that MSFT has also released the delete minifilter specifically to track file deletes.
Can I deduce file deletes from user-space based on information captured by the minispy minifilter driver?

1: IRP_MJ_CREATE with DELETE_ON_CLOSE

2: IRP_MJ_SET_INFORMATION with FileDeleteDisposition class

3: IRP_MJ_CLEANUP

I will check whether the file is deleted from user-space for each of the above 3 cases to deduce deletes.
I am primarily a Linux developer, though I have done some Windows user-space coding, so I prefer to do as little Windows kernel coding as possible and I don't want to maintain two drivers if I don't have to. Will it work, or are there cases that the delete minifilter catches that minispy doesn't?
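The three-case deduction from the post, worked through in user-space over a constructed stream of records, as an added example that is not code from the thread or from minispy; the Record shape, its field names and the sample paths are assumptions, while FILE_DELETE_ON_CLOSE is the real CreateOptions bit. It also tracks the disposition being cleared again, which a plain "saw a delete request" check would miss.

```python
# Added example, not from the thread: deduce deletes from minispy-style records.
from dataclasses import dataclass
from typing import Optional

IRP_MJ_CREATE, IRP_MJ_SET_INFORMATION, IRP_MJ_CLEANUP = "CREATE", "SET_INFORMATION", "CLEANUP"
FILE_DELETE_ON_CLOSE = 0x00001000  # CreateOptions bit (real value)


@dataclass
class Record:
    # Constructed record shape; field names are assumptions, not minispy's own.
    major: str
    handle: int                  # stands in for the FILE_OBJECT identity minispy logs
    path: str
    create_options: int = 0      # IRP_MJ_CREATE only
    delete_requested: Optional[bool] = None  # FileDispositionInformation(Ex): delete on/off
    succeeded: bool = True       # post-operation status


def deduce_deletes(records):
    """Return paths whose handle reached IRP_MJ_CLEANUP with the delete disposition still set."""
    delete_pending = {}  # handle -> bool; mirrors the per-file-object disposition state
    deleted = []
    for rec in records:
        if not rec.succeeded:
            continue  # a failed create or set-information changes nothing
        if rec.major == IRP_MJ_CREATE:
            # case 1: open with FILE_DELETE_ON_CLOSE marks the file on open
            delete_pending[rec.handle] = bool(rec.create_options & FILE_DELETE_ON_CLOSE)
        elif rec.major == IRP_MJ_SET_INFORMATION and rec.delete_requested is not None:
            # case 2: disposition can be set and later cleared, so store the value, not "seen"
            delete_pending[rec.handle] = rec.delete_requested
        elif rec.major == IRP_MJ_CLEANUP:
            # case 3: the disposition takes effect when the handle is cleaned up
            if delete_pending.pop(rec.handle, False):
                deleted.append(rec.path)
    return deleted


# Constructed sample: delete-on-close; normal open then SetInformation; set-then-cleared; failed create.
SAMPLE = [
    Record(IRP_MJ_CREATE, 1, r"C:\tmp\a.txt", create_options=FILE_DELETE_ON_CLOSE),
    Record(IRP_MJ_CLEANUP, 1, r"C:\tmp\a.txt"),
    Record(IRP_MJ_CREATE, 2, r"C:\tmp\b.txt"),
    Record(IRP_MJ_SET_INFORMATION, 2, r"C:\tmp\b.txt", delete_requested=True),
    Record(IRP_MJ_CLEANUP, 2, r"C:\tmp\b.txt"),
    Record(IRP_MJ_CREATE, 3, r"C:\tmp\c.txt"),
    Record(IRP_MJ_SET_INFORMATION, 3, r"C:\tmp\c.txt", delete_requested=True),
    Record(IRP_MJ_SET_INFORMATION, 3, r"C:\tmp\c.txt", delete_requested=False),
    Record(IRP_MJ_CLEANUP, 3, r"C:\tmp\c.txt"),
    Record(IRP_MJ_CREATE, 4, r"C:\tmp\d.txt", create_options=FILE_DELETE_ON_CLOSE, succeeded=False),
]
```

Since the on-disk delete only happens when the last handle to the file is cleaned up, pair this with the existence check the post proposes when several handles may be open.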

Comments

  • Dejan_Maksimovic Member - All Emails Posts: 226
    Delete minifilter has a different purpose (I reckon Undelete?), so it
    needs to track deletes more precisely.

    For audit purposes, it is less tricky, but you have to catch those 3
    cases anyway (for the purpose of auditing, you don't need to track
    anything but FILE_FLAG_DELETE_ON_CLOSE, but for an Undelete you have
    to track Disposition state, or query during Cleanup).
  • shanthikp Member Posts: 7

    Thank you Dejan.

  • rstruempf Member Posts: 103

    @Dejan_Maksimovic said:
    For audit purposes, it is less tricky, but you have to catch those 3
    cases anyway (for the purpose of auditing, you don't need to track
    anything but FILE_FLAG_DELETE_ON_CLOSE, but for an Undelete you have
    to track Disposition state, or query during Cleanup).

    I've seen apps open normal, and then use SetInformation to mark the file for delete.

  • Dejan_Maksimovic Member - All Emails Posts: 226

    Track was the key word. Audit need not track either, only monitor them.
    But I do see how that would more than easily be misinterpreted, thanks for chiming in.

  • NtDev_Geek Member - All Emails Posts: 99

    Check out this one from OSR; it will help.
    https://github.com/OSRDrivers/deleteex

  • shanthikp Member Posts: 7

    I modified minispy to capture the DELETE_ON_CLOSE and Disposition state like so:

    +#define DF_PRINT( ... )                                                      \
    +    DbgPrintEx( DPFLTR_FLTMGR_ID, DPFLTR_ERROR_LEVEL, __VA_ARGS__ )
    ...
    +VOID
    +SpyLogExtraFlags(
    +       _In_ PFLT_CALLBACK_DATA Data,
    +       _Inout_ PRECORD_LIST RecordList
    +)
    +{
    +       PRECORD_DATA recordData = &RecordList->LogRecord.Data;
    +       recordData->ExtraFlags = 0; // clear the flags
    +       DF_PRINT("Setting extra flags");
    +       switch (Data->Iopb->MajorFunction) {
    +               case IRP_MJ_CREATE:
    +                       DF_PRINT("Create options %ld", Data->Iopb->Parameters.Create.Options);
    +                       if (FlagOn(Data->Iopb->Parameters.Create.Options,
    +                                      FILE_DELETE_ON_CLOSE)) {
    +                               recordData->ExtraFlags |= RECORD_DATA_EXTRA_FLAGS_CHECK_DELETE;
    +                       }
    +                       break;
    +               case IRP_MJ_SET_INFORMATION:^M
    +                       DF_PRINT("Set info fic %d", Data->Iopb->Parameters.SetFileInformation.FileInformationClass);
    +                       switch (Data->Iopb->Parameters.SetFileInformation.FileInformationClass) {
    +                               case FileDispositionInformation:
    +                               case FileDispositionInformationEx:
    +                                       recordData->ExtraFlags |= RECORD_DATA_EXTRA_FLAGS_CHECK_DELETE;
    +                                       break;
    +                               default:
    +                                       break;
    +                       }
    +               default:
    +                       // nothing to do
    +                       DF_PRINT("Neither create or set %d", Data->Iopb->MajorFunction);
    +                       break;
    +       }
    +}
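    Review bot: the `case IRP_MJ_SET_INFORMATION:` arm has no `break;` after its inner switch, so every set-information request falls through into `default:` and logs "Neither create or set" right after the flag was set; add `break;` before `default:`. The same arm sets RECORD_DATA_EXTRA_FLAGS_CHECK_DELETE for any FileDispositionInformation(Ex) request without reading the InfoBuffer, so a request that clears the disposition (DeleteFile == FALSE, or an Ex request without FILE_DISPOSITION_DELETE) is flagged exactly like one that sets it; user-space will need the disposition value to track state the way the earlier replies describe. Minor: the `case IRP_MJ_SET_INFORMATION:` line carries a stray carriage return (`^M`), so the file now has mixed line endings.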
    

    and I call this function right after minispy logs the record data:

             SpyLogPreOperationData( Data, FltObjects, recordList );
    
    +               //
    +               // Set extra flags like check for delete
    +               //
    +               SpyLogExtraFlags(Data, recordList);
    +
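    Review bot: SpyLogExtraFlags dereferences RecordList without a NULL check, so this call must stay under the same non-NULL guard on recordList that SpyLogPreOperationData sits under; the single context line shown does not include that guard, so please confirm it. Also, since the flags are captured only in the pre-operation path, a create with FILE_DELETE_ON_CLOSE that later fails is recorded as CHECK_DELETE just like one that succeeds; the post-operation status would be needed to tell them apart.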
    

    and finally I modified RecordData to return the ExtraFlags to user-space:

     //
    +// Extra flags to signal user-space to check for file delete etc.,
    +//
    +#define RECORD_DATA_EXTRA_FLAGS_CHECK_DELETE     0x1
    +
     //  The fixed data received for RECORD_TYPE_NORMAL
     //
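    Review bot: the new lines are inserted between the opening `//` and the text of the existing comment block, so the `//  The fixed data received for RECORD_TYPE_NORMAL` header loses its opening line; move the `#define` block above the `//` that starts that comment. Minor: drop the trailing comma in "etc.,".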
    
    @@ -120,7 +124,8 @@ typedef struct _RECORD_DATA {
    
         UCHAR CallbackMajorId;
         UCHAR CallbackMinorId;
    -    UCHAR Reserved[2];      // Alignment on IA64
    +       UCHAR ExtraFlags;    // check for delete etc.,
    +    UCHAR Reserved;      // Alignment on IA64
    
         PVOID Arg1;
         PVOID Arg2;
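    Review bot: splitting `UCHAR Reserved[2]` into `UCHAR ExtraFlags;` and `UCHAR Reserved;` keeps the struct the same size, which matters because RECORD_DATA is the wire format between the driver and minispy.exe; both binaries must be rebuilt from the same header, otherwise user-mode still treats that byte as padding and reads it as zero. Style: the new `ExtraFlags` line is tab-indented while the neighbouring lines use four spaces, and the `// Alignment on IA64` comment now describes a single padding byte, so update it.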
    

    but minispy.exe always returns ExtraFlags as zero even though I clearly deleted the file from Windows Explorer (right click, delete file).

    • I do see some IRP_MJ_CREATE & IRP_MJ_CLEANUPs being generated when I delete, but the ExtraFlags that I set in the minispy filter driver always stay at 0x0.
    • Another annoying thing is that the dbg statements I added in the minispy filter driver don't show up in DbgView (yes, I am running it as administrator).
    • Anything I can try? Thanks everyone for your help.
  • shanthikp Member Posts: 7

    I am now able to see the dbg statements I added in the minispy filter driver. I needed to use a Debug build instead of Release in Visual Studio.

  • shanthikp Member Posts: 7

    The above code seems to work after I cleaned my project and uninstalled and re-installed the minifilter, so thanks everyone for the help.
