the scenario: i have a file name “123.txt” with data in it, some usermode process call CreateFile with CREATE_ALWAYS flag will erase my file’s data, and i wan intercept that in minifilter.
my code using is:
`FLT_PREOP_CALLBACK_STATUS
FsFilter2PreOperation (
Inout PFLT_CALLBACK_DATA Data,
In PCFLT_RELATED_OBJECTS FltObjects,
Flt_CompletionContext_Outptr PVOID *CompletionContext
)
{
// pre operation
UNREFERENCED_PARAMETER(CompletionContext);
bool block = false;
FLT_PREOP_CALLBACK_STATUS retStatus = FLT_PREOP_SUCCESS_NO_CALLBACK;
auto param = &Data->Iopb->Parameters.Create;
ULONG CreateDispotition = ULONG((param->Options >> 24) & 0xff);
if (Data->RequestorMode == UserMode && FltObjects->FileObject)
{
if (FltObjects->FileObject->FileName.Length > 6 && FltObjects->FileObject->FileName.Buffer)
{
if (wcsstr(FltObjects->FileObject->FileName.Buffer, L"Desktop\\123.txt"))
{
if (FlagOn(CreateDispotition, FILE_OVERWRITE_IF))
{
KdPrint(("123.txt CREATE_ALWAYS detected\n"));
block = true;
}
else if (FlagOn(CreateDispotition, FILE_CREATE))
{
KdPrint(("123.txt CREATE_NEW detected\n"));
block = true;
}
else
{
KdPrint(("123.txt undetected\n"));
}
}
}
}
if (block)
{
Data->IoStatus.Status = STATUS_ACCESS_DENIED;
retStatus = FLT_PREOP_COMPLETE;
}
return retStatus;
}
check CreateDispotition flags was reference from: http://www.osronline.com/article.cfm%5Eearticle=302.htm
but thats not run correctly:
-STATUS_ACCESS_DENIED don't work, usermode app still can open my file and the file is empty after.
-FILE_OVERWRITE_IF triggered many times, even call CloseHandle.
do you have any idea to check call CreateFile(...CREATE_ALWAYS...) exactly? and can totally block that action? pls share if you got something.
thank you!
P/S my user app code to test:
`HANDLE hFile = CreateFile(file_name, GENERIC_WRITE, FILE_SHARE_READ, nullptr, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, nullptr);`