abnormal problem.

I want to control access to a file (test.txt) in the directory of my
shared folder (c:\test).
So I hooked ZwCreateFile (NewZwCreateFile).
In the NewZwCreateFile routine, I checked whether someone tries to access
c:\test\test.txt.
If someone does, I returned the STATUS_ACCESS_DENIED code.
Otherwise, I called the original ZwCreateFile routine.

On the local system, it works very well.
If I try to open c:\test\test.txt from a remote machine, the ZwCreateFile
routine is called, and the STATUS_ACCESS_DENIED code is returned, of course.
However, c:\test\test.txt is opened anyway.

It's really abnormal!
Should other functions be hooked?
How can I solve this problem?

Any answer will be greatly appreciated!

Best regards.
csjung.

Several people have told you that what you are doing won’t work.

If you want to control access to a file, use an ACL.

If you don’t trust Administrator on the system, use encryption.

If you really have a reason to block this in the kernel, write a file system
filter.
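The ACL route suggested above, as an added example that is not part of the thread: an explicit Deny ACE on c:\test\test.txt is enforced by the file system itself, so it applies whether the open arrives through ZwCreateFile from a local process, through IoCreateFile from kernel mode, or through the SMB server on behalf of a remote client. The principal to block ('BUILTIN\Users') is an assumption for illustration; substitute the group or account you actually mean.

```powershell
# Added example, not from the original post. Assumes the file already exists,
# the shell is elevated, and BUILTIN\Users is the (hypothetical) principal to block.
$Path      = 'C:\test\test.txt'
$Principal = 'BUILTIN\Users'

# Read the current DACL, add an explicit Deny ACE, and write it back.
# AddAccessRule places Deny entries ahead of Allow entries (canonical order),
# so the deny wins even if the same principal is also allowed through a group.
$acl  = Get-Acl -Path $Path
$rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
    $Principal,
    [System.Security.AccessControl.FileSystemRights]::FullControl,
    [System.Security.AccessControl.AccessControlType]::Deny)
$acl.AddAccessRule($rule)
Set-Acl -Path $Path -AclObject $acl

# Verify: list the Deny entries now present on the file.
(Get-Acl -Path $Path).Access |
    Where-Object { $_.AccessControlType -eq 'Deny' } |
    Format-Table IdentityReference, FileSystemRights, AccessControlType, IsInherited -AutoSize
```

Two caveats a practitioner will want: access over a share is the intersection of the share permissions and the NTFS ACL, so the share permissions alone are not sufficient, and a member of Administrators can still take ownership and rewrite the DACL, which is exactly why the post above points to encryption when the local administrator is not trusted.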

Thanks for your advice.

I'm currently making a filter driver.
I hooked several functions (ZwCreateFile, ZwOpenFile etc.).
Using this method, is it really impossible to control the opening of a file in
the shared folder?

You mean that I should write an IRP-model filter driver (such as FileMon from
Sysinternals.com)?

Thanks in advance.
csjung.

Yes, you should, if you want to intercept all possible ways that a file
or directory can be opened (for example, IoCreateFile from kernel mode).




Nick Ryan (MVP for DDK)

"Hooking" a driver is not wise in the general case, if by hooking you
mean replacing entry points in a table of entry points. The "general
case" does not include experimenting or trying to understand function,
because there's no harm done (other than, perhaps, having to rebuild
your system). But the "general case" definitely does include using the
technique in distributed (e.g., product) code. A filter driver,
whether in a driver stack with IRPs or perhaps in a miniport, is the way
to go.

This point should be obvious, but I doubt that it is in fact.



James Antognini
Windows DDK MVP