A strange problem!

Hi!

I want to block notepad.exe from accessing a TXT file on disk (F:). So I attach my Filter DO to \Device\HarddiskVolume4, this is the real name of the F volume. In order to block notepad.exe from accessing the TXT file, I intercept all IRP_MJ_CREATE packets from notepad.exe. But I failed to block it from doing so.

However, if I attach my Filter DO to \Device\HarddiskVolume4\, I can successfully block notepad.exe from accessing my TXT file. Why?

What are the differences between attaching to \Device\HarddiskVolume4 and attaching to \Device\HarddiskVolume4\?

Help is needed! Thanks!!!

Hi,

\Device\HarddiskVolume4 this is a disk object, requests for file system
objects do not reach this level.

\Device\HarddiskVolume4\ this is a root of the file system and the related
device object(returned by IoGetRelatedDeviceObject) is the file system
driver’s device object which receives requests for file system’s objects
manipulation. FSDs extend the disk’s namespace and process requests for this
extended namespace.


Slava Imameyev, xxxxx@hotmail.com

wrote in message news:xxxxx@ntfsd…
> Hi!
>
> I want to block notepad.exe from accessing TXT file on disk(F:). So I
> attach my Filter DO to \Device\HarddiskVolume4, this is the real name of F
> volume. In order to block notepad.exe from accessing TXT file , I
> intercept all IRP_MJ_CREATE packets from notepad.exe. But I failed to
> block it from doing so.
>
> However, if I attach my Filter DO to \Device\HarddiskVolume4\, I can
> successfully block notepad.exe from accessing my TXT file. Why?
>
> What are the differences between attaching to \Device\HarddiskVolume4 and
> attaching to \Device\HarddiskVolume4\?
>
> Help is needed! Thanks!!!
>

Hi, Slava Imameyev! Thanks for your reply!
Since \Device\HarddiskVolume4\ is the root of the file system, it means that I cannot attach my filter DO to \Device\HarddiskVolume4\ before the volume on which the file system resides is mounted. If I want to attach to \Device\HarddiskVolume4\, that is to say, attach to the root of the file system once the mounting is completed, what should I do?

If you want to attach your DO to the FSD stack after mount, then see
IRP_MN_MOUNT_VOLUME processing in the IFSDK’s(or WDK’s) sfilter example(
IFSDK_DIR\src\filesys\filter\sfilter ).


Slava Imameyev, xxxxx@hotmail.com

wrote in message news:xxxxx@ntfsd…
> Hi, Slava Imameyev! Thanks for your reply!
> Since \Device\HarddiskVolume4\ is the root of the file system, it means that I
> cannot attach my filter DO to \Device\HarddiskVolume4\ before the volume
> on which the file system resides is mounted. If I want to attach to
> \Device\HarddiskVolume4\, that is to say, attach to the root of the file
> system once the mounting is completed, what should I do?
>

In fact, I did reference Sfilter in the IFS source code. But I cannot attach my filter DO to the root of the newly mounted file system. Maybe I should read the source code of Sfilter again!!!

Thanks for your reply!

You confuse file objects and device objects.
\Device\HarddiskVolumeX\ is not a device object, this is a File Object for a
root directory, its FileObject->DeviceObject points to
\Device\HarddiskVolumeX, but IoGetRelatedDeviceObject( FileObject ) returns
FileObject->DeviceObject->Vpb->DeviceObject, i.e. the mounted FSD’s device
object.
You attach your DO to the FileObject->DeviceObject->Vpb->DeviceObject not
to the file object( which is “root of the filesystem” ).
"\Device\HarddiskVolumeX\" = "\Device\HarddiskVolumeX" + "\", the
"\Device\HarddiskVolumeX" is processed by the Object Manager and the
remainder "\" is processed by the FSD when it receives IRP_MJ_CREATE.


Slava Imameyev, xxxxx@hotmail.com

wrote in message news:xxxxx@ntfsd…
> In fact, I did reference Sfilter in the IFS source code. But I cannot attach
> my filter DO to the root of the newly mounted file system. Maybe I
> should read the source code of Sfilter again!!!
>
> Thanks for your reply!
>

Slava, the OP may be confused by a typo in your previous post:
\Device\HarddiskVolumeX are “volumes”, not “disks”.

-------------- Original message --------------
From: “Slava Imameyev”

> You confuse file objects and device objects.
> \Device\HarddiskVolumeX\ is not a device object, this is a File Object for a
> root directory, its FileObject->DeviceObject points to
> \Device\HarddiskVolumeX, but IoGetRelatedDeviceObject( FileObject ) returns
> FileObject->DeviceObject->Vpb->DeviceObject, i.e. the mounted FSD’s device
> object.
> You attach your DO to the FileObject->DeviceObject->Vpb->DeviceObject not
> to the file object( which is “root of the filesystem” ).
> "\Device\HarddiskVolumeX\" = "\Device\HarddiskVolumeX" + "\", the
> "\Device\HarddiskVolumeX" is processed by the Object Manager and the
> remainder "\" is processed by the FSD when it receives IRP_MJ_CREATE.
>
> –
> Slava Imameyev, xxxxx@hotmail.com
>
>
> wrote in message news:xxxxx@ntfsd…
> > In fact, I did reference Sfilter in the IFS source code. But I cannot attach
> > my filter DO to the root of the newly mounted file system. Maybe I
> > should read the source code of Sfilter again!!!
> >
> > Thanks for your reply!
> >
>
>
>
> —
> Questions? First check the IFS FAQ at
> https://www.osronline.com/article.cfm?id=17

Thanks, Slava and Alex!
In fact, I was confused for lack of related material on File System Filter Drivers!

If I want to attach my filter DO to the root of the file system on a newly mounted volume, what should I do? I try to do this in the completion routine as Sfilter does, but I failed. When I call ZwCreateFile to get the file object of \Device\HarddiskVolumeX\, the whole program just halts. Does that mean that before the mount request has been completely processed (that is, before the volume is completely mounted), I cannot get the file object for the root of the file system, i.e. \Device\HarddiskVolumeX\!

Thanks again! I am really in a bad need of help!

Hi, Slava!
Please ignore the reply above! Now I completely understand what you said in your last reply. Yeah, I was confused, but now I know the differences. In fact, I can successfully attach my filter DO to \Device\HarddiskVolumeX just as Sfilter does. And I can intercept all the IRPs sent to the newly mounted volume.

Though I can intercept all the IRPs including the IRP_MJ_CREATE packet, I cannot block notepad.exe from accessing the TXT file by failing the IRP_MJ_CREATE packet. Why? By the way, below is the code segment which I write to fail the IRP_MJ_CREATE packet:
Irp->IoStatus.Status = STATUS_ACCESS_DENIED;
Irp->IoStatus.Information = 0;
IoCompleteRequest(Irp,IO_NO_INCREMENT);
return STATUS_ACCESS_DENIED;

Can you tell me how to block the process from accessing the file?
Thanks a lot!!!

Hi,
Your code is right.
It seems you do not filter all create requests, some create requests manage
to escape from your check.


Slava Imameyev, xxxxx@hotmail.com

wrote in message news:xxxxx@ntfsd…
> Hi, Slava!
> Please ignore the reply above! Now I completely understand what you said
> in your last reply. Yeah, I was confused, but now I know the
> differences. In fact, I can successfully attach my filter DO to
> \Device\HarddiskVolumeX just as Sfilter does. And I can intercept all the
> IRPs sent to the newly mounted volume.
>
> Though I can intercept all the IRPs including the IRP_MJ_CREATE packet, I
> cannot block notepad.exe from accessing the TXT file by failing the
> IRP_MJ_CREATE packet. Why? By the way, below is the code segment which I
> write to fail the IRP_MJ_CREATE packet:
> Irp->IoStatus.Status = STATUS_ACCESS_DENIED;
> Irp->IoStatus.Information = 0;
> IoCompleteRequest(Irp,IO_NO_INCREMENT);
> return STATUS_ACCESS_DENIED;
>
> Can you tell me how to block the process from accessing the file?
> Thanks a lot!!!
>

> What are the differences between attaching to \Device\HarddiskVolume4 and
> attaching to \Device\HarddiskVolume4\.

The name with a trailing slash is reparsed to the FSD’s volume device object,
and opens its root directory. The slash-less name is the name of the disk
device itself, below FSD.

So, use the name with backslash.

Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
xxxxx@storagecraft.com
http://www.storagecraft.com
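The two explanations above (Slava's "\Device\HarddiskVolumeX\" = "\Device\HarddiskVolumeX" + "\" split and Maxim's "reparsed to the FSD's volume device object") can be made concrete with a small user-mode model. This is an added illustration, not code from the thread, from sfilter or from the WDK: the DeviceObject, vpb_fsd, related_device, parse_nt_name and filter_sees_create names are constructed here, the namespace contains one constructed volume (\Device\HarddiskVolume4 with an unnamed FSD volume device mounted on it), and the routing rule is only the simplified one the thread states (the kernel's IopParseDevice has more cases, such as direct device opens and relative opens). What it shows is where an IRP_MJ_CREATE for each spelling of the name ends up, and therefore which device object a filter has to be attached to in order to see file opens.

```c
#include <stdio.h>
#include <string.h>

/* Toy model of NT device-name resolution, constructed for illustration.
 * Field and function names mirror the kernel concepts but are not WDK APIs. */

typedef struct DeviceObject DeviceObject;
struct DeviceObject {
    const char   *name;     /* Object Manager name, NULL for an unnamed device object */
    DeviceObject *vpb_fsd;  /* models DeviceObject->Vpb->DeviceObject; NULL = nothing mounted */
};

/* Constructed namespace: the FSD's unnamed volume device object is mounted on
 * the storage volume device \Device\HarddiskVolume4 (the thread's F: drive). */
DeviceObject ntfs_volume_do = { NULL, NULL };
DeviceObject hdv4 = { "\\Device\\HarddiskVolume4", &ntfs_volume_do };
DeviceObject *object_directory[] = { &hdv4 };

typedef struct {
    DeviceObject *named;     /* device whose name was the longest matching prefix */
    const char   *remainder; /* what the Object Manager hands to the device's parse routine */
    DeviceObject *target;    /* device object whose stack receives IRP_MJ_CREATE */
} ParseResult;

/* Models IoGetRelatedDeviceObject(): a device with a mounted file system
 * resolves to the FSD's volume device object, otherwise to itself. */
DeviceObject *related_device(DeviceObject *dev)
{
    return dev->vpb_fsd ? dev->vpb_fsd : dev;
}

/* Models the Object Manager's longest-prefix lookup of a device name.
 * Returns 1 and fills *out on success, 0 if no device name matches.
 * Routing follows the simplified rule from the thread: a non-empty
 * remainder (at least "\") is processed by the mounted FSD, an empty
 * remainder names the storage volume device itself, below the FSD. */
int parse_nt_name(const char *path, ParseResult *out)
{
    DeviceObject *best = NULL;
    size_t best_len = 0;
    size_t i;

    for (i = 0; i < sizeof object_directory / sizeof object_directory[0]; i++) {
        const char *name = object_directory[i]->name;
        size_t n = strlen(name);
        /* The prefix must end on a component boundary so that
         * "...Volume4" does not match a path under "...Volume40". */
        if (strncmp(path, name, n) == 0 &&
            (path[n] == '\0' || path[n] == '\\') &&
            n > best_len) {
            best = object_directory[i];
            best_len = n;
        }
    }
    if (best == NULL)
        return 0;

    out->named     = best;
    out->remainder = path + best_len;
    out->target    = (out->remainder[0] != '\0') ? related_device(best) : best;
    return 1;
}

/* Would a filter attached on top of `attached_to` see the create for `path`?
 * sfilter attaches to Vpb->DeviceObject, so it sees every file open; a filter
 * on the storage volume device only sees the empty-remainder device open. */
int filter_sees_create(DeviceObject *attached_to, const char *path)
{
    ParseResult r;
    return parse_nt_name(path, &r) && r.target == attached_to;
}

int main(void)
{
    const char *paths[] = {
        "\\Device\\HarddiskVolume4",         /* storage volume device, empty remainder */
        "\\Device\\HarddiskVolume4\\",       /* root directory of the file system */
        "\\Device\\HarddiskVolume4\\a.txt",  /* a file on F: */
    };
    size_t i;
    for (i = 0; i < sizeof paths / sizeof paths[0]; i++) {
        ParseResult r;
        if (!parse_nt_name(paths[i], &r))
            continue;
        printf("%-34s remainder=\"%s\" -> %s\n", paths[i], r.remainder,
               r.target == &ntfs_volume_do ? "FSD volume device (Vpb->DeviceObject)"
                                           : "storage volume device");
    }
    return 0;
}
```

Running it prints one line per spelling: the slash-less name has an empty remainder and stays on the storage volume device, while "\Device\HarddiskVolume4\" and any file under it carry a "\..." remainder to the FSD's volume device object, which is the object sfilter attaches to after IRP_MN_MOUNT_VOLUME completes.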

Hi, Maxim!

I try to get the DO with the name with a backslash, like \Device\Harddisk1\DP(1)0-0+8\, in the IRP_MJ_FILE_SYSTEM_CONTROL\IRP_MN_MOUNT_VOLUME dispatch routine, then a dead-lock occurred! Why? Can I attach my filter DO to a newly mounted volume with the name with a backslash? And HOW?

Thanks! I am really in bad need of help, for the project I am working on is so urgent!!!