Help on Minifilter.

jay96612jay96612 Member Posts: 44

I am using a mini-filter driver to block file access. The JSON rules come from the server and need to be processed, and after that it will decide whether that file should be blocked or not. So I am thinking of the following approach:

  • From MiniPreRead/Write, send the filePath from kernel mode to user mode using FltSendMessage and wait for the reply. If the reply is 1 then block the file access, else allow.
    The user-mode process processes the JSON and then gives the reply as a bool. Processing JSON in user mode might take 1-5 sec or even more sometimes.

So should I go with this approach?

Would it be inefficient in some way?

If this approach is not good then please suggest any efficient way for doing it.

I am very thankful for the OSR community and waiting for some valuable suggestions.

Comments

  • Dejan_MaksimovicDejan_Maksimovic Member - All Emails Posts: 435
    via Email
    Purpose?
    If this is for a single file, where performance is of no issue
    (literally, if the performance is of NO IMPORTANCE AT ALL), then it is
    .... not good :) Because FltSendMessage might not be able to run in
    Read/Write, and you will also miss memory mapped reads/writes
    (depending on the purpose, the latter may not matter).

    But seriously, 1-5 seconds? Even if that is only during file open,
    consider whether you would be OK with such a wait for a file open,
    then reconsider the approach.

    Dejan.

  • jay96612jay96612 Member Posts: 44

    @Dejan_Maksimovic The purpose is to block file access by any browser application. For example, if someone tries to access the file from Chrome then, depending on the rules, action will take place.

    If that is not a good approach then what should I do now?
    Assume that there is a set of rules in JSON format. So how can I do this efficiently in kernel mode, or is there any efficient way of doing it?

  • Dejan_MaksimovicDejan_Maksimovic Member - All Emails Posts: 435
    via Email
    1. Anything beyond a few milliseconds for a file OPEN is too long, unless
    it is a second or so per downloaded file I guess. But per READ/WRITE, it
    will be too much to even prolong by 10ms.
    2. Do any check in PostOpen only. You can prevent access then if needed,
    but do not take a few seconds per open, as it will annoy users a lot.

  • jay96612jay96612 Member Posts: 44

    @Dejan_Maksimovic I want to block the file open access for a particular process. So doing the check in Post-Create would be useless, as the content has already been lost.

  • Dejan_MaksimovicDejan_Maksimovic Member - All Emails Posts: 435
    via Email
    I said PostOpen.
    But there are several others, depending on the particular requirement.

  • Scott_Noone_(OSR)Scott_Noone_(OSR) Administrator Posts: 3,450

    PostCreate comes before read and write so I'm not sure about your point.

    Please spend time playing with the avscan sample so you can gain some better understanding.

    -scott
    OSR

  • jay96612jay96612 Member Posts: 44

    @Scott_Noone_(OSR) @Dejan_Maksimovic Thank you for the suggestion. I am trying with your suggestion. I will let you know once done.

  • MBond2MBond2 Member Posts: 330

    Unless you can very narrowly define the class of files / processes that you want to protect access to / from, and let all others pass through quickly, the exact callback or IO model to use seems irrelevant unless you can do something about the 5 second time to check. If this kind of check gets done on every file on a C drive, the user would experience 486-like performance - maybe worse.

    An obvious improvement would be not to use JSON, or maybe to use it only as the 'storage' format for your rules, but implement something better in memory. Without knowing more about what you are trying to achieve it seems hard to help much.
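The approach the replies converge on (decide in PostCreate, keep JSON as the storage format only, and consult a pre-built in-memory table on the open path) as an added example, not code from the thread or from the avscan sample. The rule table, process names and paths below are constructed; in the driver the same lookup would be called from the PostCreate callback with the requestor's image name, and a hit would deny the open with FltCancelFileOpen and STATUS_ACCESS_DENIED.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* One pre-compiled rule: deny the open when the requestor image name matches
 * and the file name ends with the given extension ("" = any file). The table
 * is built once from the server's JSON (parser omitted), so the open path
 * never touches JSON and costs only a short table walk. */
typedef struct {
    const char *process;   /* requestor image name, e.g. "chrome.exe" */
    const char *extension; /* file extension to protect, or "" */
} BLOCK_RULE;

/* Constructed sample rules standing in for the server-delivered policy. */
static const BLOCK_RULE g_rules[] = {
    { "chrome.exe", ".docx" },
    { "chrome.exe", ".xlsx" },
    { "msedge.exe", ".docx" },
};

/* NTFS names are case-insensitive, so every comparison ignores case. */
static int ieq(const char *a, const char *b) {
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b)) return 0;
    return *a == *b;
}

static int has_suffix_ci(const char *path, const char *suffix) {
    size_t lp = strlen(path), ls = strlen(suffix);
    return ls == 0 || (lp >= ls && ieq(path + lp - ls, suffix));
}

/* The decision the PostCreate callback would make: 1 = deny, 0 = allow.
 * process = requestor image name, path = normalized NT file name. */
int should_block_open(const char *process, const char *path) {
    size_t i;
    for (i = 0; i < sizeof g_rules / sizeof g_rules[0]; i++)
        if (ieq(process, g_rules[i].process) &&
            has_suffix_ci(path, g_rules[i].extension))
            return 1;
    return 0;
}

int main(void) {
    const char *f = "\\Device\\HarddiskVolume2\\Users\\a\\Report.DOCX";
    printf("chrome.exe  -> %s\n", should_block_open("chrome.exe", f) ? "deny" : "allow");
    printf("notepad.exe -> %s\n", should_block_open("notepad.exe", f) ? "deny" : "allow");
    return 0;
}
```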
