Windows System Software -- Consulting, Training, Development -- Unique Expertise, Guaranteed Results

Home NTFSD

More Info on Driver Writing and Debugging


The free OSR Learning Library has more than 50 articles on a wide variety of topics about writing and debugging device drivers and Minifilters. From introductory level to advanced. All the articles have been recently reviewed and updated, and are written using the clear and definitive style you've come to expect from OSR over the years.


Check out The OSR Learning Library at: https://www.osr.com/osr-learning-library/


Before Posting...

Please check out the Community Guidelines in the Announcements and Administration Category.

Detecting Folder(Directory) deletion in minifilter

SiemensSiemens Member Posts: 5

Hi everybody,
I want to detect Folder(Directory) is deletion/Renaming on Windows.
How can i detect ??
Thank you.

Comments

  • Scott_Noone_(OSR)Scott_Noone_(OSR) Administrator Posts: 3,450

    How much research have you done? Do you know how to detect a file delete or rename?

    -scott
    OSR

  • SiemensSiemens Member Posts: 5
    edited April 13

    Yes. This is detect file deletion, and it's Ok.

    **
    FLT_PREOP_CALLBACK_STATUS badgirlFilterAntiDelete(_Inout
    PFLT_CALLBACK_DATA Data, In PCFLT_RELATED_OBJECTS FltObjects, Flt_CompletionContext_Outptr PVOID* CompletionContext) {
    UNREFERENCED_PARAMETER(CompletionContext);
    PAGED_CODE();
    FLT_PREOP_CALLBACK_STATUS ret = FLT_PREOP_SUCCESS_NO_CALLBACK;
    // Ignore directories
    BOOLEAN IsDir;
    NTSTATUS status = FltIsDirectory(FltObjects->FileObject, FltObjects->Instance, &IsDir);
    if (NT_SUCCESS(status)) {
    if (IsDir) {
    return ret;
    }
    }

    if (Data->Iopb->MajorFunction == IRP_MJ_CREATE) {
        if (!FlagOn(Data->Iopb->Parameters.Create.Options, FILE_DELETE_ON_CLOSE)) {
            return ret;
        }
    }
    
    // Process requests with FileDispositionInformation, FileDispositionInformationEx  or file renames
    if (Data->Iopb->MajorFunction == IRP_MJ_SET_INFORMATION) {
        switch (Data->Iopb->Parameters.SetFileInformation.FileInformationClass) {
        case FileRenameInformation:
        case FileRenameInformationEx:
        case FileDispositionInformation:
        case FileDispositionInformationEx:
        case FileRenameInformationBypassAccessCheck:
        case FileRenameInformationExBypassAccessCheck:
            break;
    
        default:
            return ret;
        }
    }
    
    PFLT_FILE_NAME_INFORMATION FileNameInfo = NULL;
    if (FltObjects->FileObject) {
        status = FltGetFileNameInformation(Data, FLT_FILE_NAME_NORMALIZED | FLT_FILE_NAME_QUERY_DEFAULT, &FileNameInfo);
        if (NT_SUCCESS(status)) {
            FltParseFileNameInformation(FileNameInfo);
    
            Data->IoStatus.Status = STATUS_ACCESS_DENIED;
            Data->IoStatus.Information = 0;
    
            ret = FLT_PREOP_COMPLETE;
    
            DbgPrint("[DENIED] %wZ\n", FileNameInfo->Name);
        }
        else {
            DbgPrint("[ERROR] Failed to get file name information!\n");
        }
    }
    else {
        DbgPrint("[ERROR] FltObjects->FileObject is NULL!\n");
    }
    
    return ret;
    

    }**_

  • SiemensSiemens Member Posts: 5

    Yes. This is detect file deletion and its Ok.

    FLT_PREOP_CALLBACK_STATUS badgirlFilterAntiDelete(Inout PFLT_CALLBACK_DATA Data, In PCFLT_RELATED_OBJECTS FltObjects, Flt_CompletionContext_Outptr PVOID* CompletionContext) {
    UNREFERENCED_PARAMETER(CompletionContext);

    PAGED_CODE();
    
    FLT_PREOP_CALLBACK_STATUS ret = FLT_PREOP_SUCCESS_NO_CALLBACK;
    
    // Ignore directories
    BOOLEAN IsDir;
    NTSTATUS status = FltIsDirectory(FltObjects->FileObject, FltObjects->Instance, &IsDir);
    if (NT_SUCCESS(status)) {
        if (IsDir) {
            return ret;
        }
    }
    
    // https://docs.microsoft.com/en-us/windows-hardware/drivers/kernel/irp-mj-create
    // When the system tries to open a handle to a file object,
    // detect requests that have DELETE_ON_CLOSE in DesiredAccess
    if (Data->Iopb->MajorFunction == IRP_MJ_CREATE) {
        if (!FlagOn(Data->Iopb->Parameters.Create.Options, FILE_DELETE_ON_CLOSE)) {
            return ret;
        }
    }
    
    // Process requests with FileDispositionInformation, FileDispositionInformationEx  or file renames
    if (Data->Iopb->MajorFunction == IRP_MJ_SET_INFORMATION) {
        switch (Data->Iopb->Parameters.SetFileInformation.FileInformationClass) {
        case FileRenameInformation:
        case FileRenameInformationEx:
        case FileDispositionInformation:
        case FileDispositionInformationEx:
        case FileRenameInformationBypassAccessCheck:
        case FileRenameInformationExBypassAccessCheck:
            break;
    
        default:
            return ret;
        }
    }
    
    PFLT_FILE_NAME_INFORMATION FileNameInfo = NULL;
    if (FltObjects->FileObject) {
        status = FltGetFileNameInformation(Data, FLT_FILE_NAME_NORMALIZED | FLT_FILE_NAME_QUERY_DEFAULT, &FileNameInfo);
        if (NT_SUCCESS(status)) {
            FltParseFileNameInformation(FileNameInfo);
    
            Data->IoStatus.Status = STATUS_ACCESS_DENIED;
            Data->IoStatus.Information = 0;
    
            ret = FLT_PREOP_COMPLETE;
    
            DbgPrint("[DENIED] %wZ\n", FileNameInfo->Name);
        }
        else {
            DbgPrint("[ERROR] Failed to get file name information!\n");
        }
    }
    else {
        DbgPrint("[ERROR] FltObjects->FileObject is NULL!\n");
    }
    
    return ret;
    

    }

  • Scott_Noone_(OSR)Scott_Noone_(OSR) Administrator Posts: 3,450
    1. This code checks to see if it's a directory and leaves if it is...Are you hitting that path?
    2. You can't delete non-empty directories so you'll see each file get deleted before the directory does

    -scott
    OSR

  • SiemensSiemens Member Posts: 5

    Yes. This is detect file deletion and it's Ok.
    **_
    FLT_PREOP_CALLBACK_STATUS badgirlFilterAntiDelete(Inout PFLT_CALLBACK_DATA Data, In PCFLT_RELATED_OBJECTS FltObjects, Flt_CompletionContext_Outptr PVOID* CompletionContext) {
    UNREFERENCED_PARAMETER(CompletionContext);

    PAGED_CODE();
    
    FLT_PREOP_CALLBACK_STATUS ret = FLT_PREOP_SUCCESS_NO_CALLBACK;
    
    // Ignore directories
    BOOLEAN IsDir;
    NTSTATUS status = FltIsDirectory(FltObjects->FileObject, FltObjects->Instance, &IsDir);
    if (NT_SUCCESS(status)) {
        if (IsDir) {
            return ret;
        }
    }
    
    // https://docs.microsoft.com/en-us/windows-hardware/drivers/kernel/irp-mj-create
    // When the system tries to open a handle to a file object,
    // detect requests that have DELETE_ON_CLOSE in DesiredAccess
    if (Data->Iopb->MajorFunction == IRP_MJ_CREATE) {
        if (!FlagOn(Data->Iopb->Parameters.Create.Options, FILE_DELETE_ON_CLOSE)) {
            return ret;
        }
    }
    
    // Process requests with FileDispositionInformation, FileDispositionInformationEx  or file renames
    if (Data->Iopb->MajorFunction == IRP_MJ_SET_INFORMATION) {
        switch (Data->Iopb->Parameters.SetFileInformation.FileInformationClass) {
        case FileRenameInformation:
        case FileRenameInformationEx:
        case FileDispositionInformation:
        case FileDispositionInformationEx:
        case FileRenameInformationBypassAccessCheck:
        case FileRenameInformationExBypassAccessCheck:
            break;
    
        default:
            return ret;
        }
    }
    
    PFLT_FILE_NAME_INFORMATION FileNameInfo = NULL;
    if (FltObjects->FileObject) {
        status = FltGetFileNameInformation(Data, FLT_FILE_NAME_NORMALIZED | FLT_FILE_NAME_QUERY_DEFAULT, &FileNameInfo);
        if (NT_SUCCESS(status)) {
            FltParseFileNameInformation(FileNameInfo);
    
            Data->IoStatus.Status = STATUS_ACCESS_DENIED;
            Data->IoStatus.Information = 0;
    
            ret = FLT_PREOP_COMPLETE;
    
            DbgPrint("[DENIED] %wZ\n", FileNameInfo->Name);
        }
        else {
            DbgPrint("[ERROR] Failed to get file name information!\n");
        }
    }
    else {
        DbgPrint("[ERROR] FltObjects->FileObject is NULL!\n");
    }
    
    return ret;
    

    }_**

  • Scott_Noone_(OSR)Scott_Noone_(OSR) Administrator Posts: 3,450

    The code starts with this:

    // Ignore directories
    BOOLEAN IsDir;
    NTSTATUS status = FltIsDirectory(FltObjects->FileObject, FltObjects->Instance, &IsDir);
    if (NT_SUCCESS(status)) {
        if (IsDir) {
            return ret;
        }
    }
    

    Are you hitting that code path?

    -scott
    OSR

Sign In or Register to comment.

Howdy, Stranger!

It looks like you're new here. If you want to get involved, click one of these buttons!

Upcoming OSR Seminars
OSR has suspended in-person seminars due to the Covid-19 outbreak. But, don't miss your training! Attend via the internet instead!
Developing Minifilters 24 May 2021 Live, Online
Writing WDF Drivers 14 June 2021 Live, Online
Internals & Software Drivers 27 September 2021 Live, Online
Kernel Debugging 15 November 2021 Live, Online