Windows System Software -- Consulting, Training, Development -- Unique Expertise, Guaranteed Results

Before Posting...
Please check out the Community Guidelines in the Announcements and Administration Category.

Tracking File/Directory Creates for an Auditing Minifilter

shanthikpshanthikp Member Posts: 7
edited April 15 in NTFSD

I am trying to develop an auditing minifilter that captures all file/dir/share create/delete/rename/read/writes occurring on a volume. I followed the minispy code that MSFT released and made the following modifications to identify file/dir creates. I replaced the handler for IRP_MJ_CREATE with the following handler


<br />FLT_PREOP_CALLBACK_STATUS
#pragma warning(suppress: 6262) // higher than usual stack usage is considered safe in this case
SpyPreCreateOperationCallback(
    _Inout_ PFLT_CALLBACK_DATA Data,
    _In_ PCFLT_RELATED_OBJECTS FltObjects,
    _Flt_CompletionContext_Outptr_ PVOID *CompletionContext
) {
    BOOLEAN interested = FALSE;
    ULONG createOptions = Data->Iopb->Parameters.Create.Options;
    UCHAR disp = (createOptions >> 24) & 0xFF;
    if (
        FlagOn(createOptions, FILE_DELETE_ON_CLOSE) ||
        disp == FILE_SUPERSEDE ||
        disp == FILE_CREATE ||
        disp == FILE_OPEN_IF ||
        disp == FILE_OVERWRITE_IF) {
        // We are only interested in creates & delete.
        // 
        // All of the above disposition values can potentially create the file.
        // Whether the file was actually created or a existing file was opened can
        // only be determined in PostOperationCallback via IoStatus.Information
        //
        interested = TRUE;
    }

   if (interested) {
        // Follow the minispy path as before.
       return SpyPreOperationCallback(Data, FltObjects, CompletionContext);
  } else {
      // We are not interested. Don't call the PostOp callback.
      *CompletionContext = NULL;
       return FLT_PREOP_SUCCESS_NO_CALLBACK;
   }


In user-space I check the IOStatus.information == FILE_CREATED to verify that the file was actually created and not just opened or overwritten. It seems to work from the shell and windows explorer but I am not sure if this code catches all possible ways in which files can be created. Feedback is welcome..

Comments

  • rod_widdowsonrod_widdowson Member - All Emails Posts: 1,038

    Your code says that you are interested in deletes. I assume that is work in progress (you'll need much more for that).

    As for your question three things (at least) spring to mind, depending on whether you care about files or about directory entries:

    • Rename creates and deletes directory entries
    • Hard link creation creates directory entries
    • Sort of as an extreme, aborting a transaction which deleted (or renamed) a file can (kinda-sorta) cause the file to be created.

    There is almost certainly more.

  • shanthikpshanthikp Member Posts: 7

    yes delete/rename is WIP. what IRP does hard link creation generate ??

  • rod_widdowsonrod_widdowson Member - All Emails Posts: 1,038

    what IRP does hard link creation generate

    IRP_MJ_SET_INFORMATION / FileLinkInformation

    Hard link creation is like rename, but without the DIRENT deletion

Sign In or Register to comment.

Howdy, Stranger!

It looks like you're new here. If you want to get involved, click one of these buttons!

Upcoming OSR Seminars
Developing Minifilters 29 July 2019 OSR Seminar Space
Writing WDF Drivers 23 Sept 2019 OSR Seminar Space
Kernel Debugging 21 Oct 2019 OSR Seminar Space
Internals & Software Drivers 18 Nov 2019 Dulles, VA