Hi, all,
I am new to writing file system filters. Your reply is appreciated.
I am writing a file filter based on very old source code of filemon
(v1.3). I want to block an application, for example IE, from accessing
certain files. Can I just simply block the calls to the lower level
real functions? If I implement the filter in this way, what should I
return to the upper level caller?
Does anyone here have a newer version of the Filemon source code than I have?
I want to see what improvements have been made to Filemon, since I
found some bugs in the source code that I have.
waterfall
return STATUS_ACCESS_DENIED
Jamey
----- Original Message -----
From: “Yuan Zhang”
To: “Windows File Systems Devs Interest List”
Sent: Monday, July 18, 2005 8:34 AM
Subject: [ntfsd] blocking file access for some application, such as IE
—
Questions? First check the IFS FAQ at
https://www.osronline.com/article.cfm?id=17
You are currently subscribed to ntfsd as: unknown lmsubst tag argument: ‘’
To unsubscribe send a blank email to xxxxx@lists.osr.com
That’s all? Do I have to do something with the IRP?
Thx,
Yuan
On 7/18/05, Jamey Kirby wrote:
> return STATUS_ACCESS_DENIED
>
> Jamey
You should also fill in the ioStatusBlock.Status code. The OS will handle
the rest.
Jamey
----- Original Message -----
From: “Yuan Zhang”
To: “Windows File Systems Devs Interest List”
Sent: Monday, July 18, 2005 9:00 AM
Subject: Re: [ntfsd] blocking file access for some application, such as IE
That’s all? Do I have to do something with the IRP?
Thx,
Yuan
Well, first you might ask SysInternals since to use their code requires a
license. Second, you do realize how poor of security this will be, since
how are you going to know that an executable is IE? Renaming the executable
will take care of hiding this.
If you do continue, then returning STATUS_ACCESS_DENIED from the Create
request is the logical way to do this. But before you do, look at the
archives for this list and NTDEV; there has been a lot of discussion on this,
and the bottom line is the technique is basically useless.
–
Don Burn (MVP, Windows DDK)
Windows 2k/XP/2k3 Filesystem and Driver Consulting
Remove StopSpam from the email to reply
tried, works, THX
On 7/18/05, Jamey Kirby wrote:
> You should also fill in the ioStatusBlock.Status code. The OS will handle
> the rest.
>
> Jamey
On 7/18/05, Don Burn wrote:
> Well, first you might ask SysInternals since to use their code requires a
> license. Second, you do realize how poor of security this will be, since
> how are you going to know that an executable is IE? Renaming the executable
> will take care of hiding this.
>
> If you do continue, then returning STATUS_ACCESS_DENIED from the Create
> request is the logical way to do this. But before you do, look at the
> archives for this list and NTDEV there has been a lot of discussion on this,
> and the bottom line is the technique is basically useless.
What do you mean “useless”?
You state you want to block IE from accessing certain files. Fine, but if
I want to access them, all I have to do is rename IE to a different name. If
you think fine I will hash the file, or some such thing, it is easy enough
to change the resources of an executable, breaking the hash.
As I said check the archives, but this is not a security mechanism that is of
much value to anyone.
–
Don Burn (MVP, Windows DDK)
Windows 2k/XP/2k3 Filesystem and Driver Consulting
Remove StopSpam from the email to reply
> Well, first you might ask SysInternals since to use their code requires a
> license. Second, you do realize how poor of security this will be, since
> how are you going to know that an executable is IE? Renaming the executable
> will take care of hiding this.
Yes, and IE’s core can be hosted inside any other EXE, since it is an OCX.
Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
xxxxx@storagecraft.com
http://www.storagecraft.com
You are right, if the user changes the name of IE, I cannot block the
access to file from the renamed IE. But that is not my concern.
What I want to do is to try to stop some malicious programs that
attack a computer through IE.
On 7/19/05, Don Burn wrote:
> You state you want to block IE from accessing certain files. Fine, but if
> I want to access them, all I have to do is rename IE to a different name. If
> you think fine I will hash the file, or some such thing, it is easy enough
> to change the resources of an executable, breaking the hash.
>
> As I said check the archives, but this is not a security mechanism that is of
> much value to anyone.
IE can be called “Maxthon” and “MyIE”, and there are also other IE
repackages.
Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
xxxxx@storagecraft.com
http://www.storagecraft.com
----- Original Message -----
From: “Yuan Zhang”
To: “Windows File Systems Devs Interest List”
Sent: Wednesday, July 20, 2005 6:00 PM
Subject: Re: [ntfsd] blocking file access for some application, such as IE
You are right, if the user changes the name of IE, I cannot block the
access to file from the renamed IE. But that is not my concern.
What I want to do is to try to stop some malicious programs that
attack a computer through IE.
> What I want to do is to try to stop some malicious programs that
> attack a computer through IE.
Better find another method, like running IE with
decreased user rights (as guest user, not as an admin)
or something like it. This will be better to achieve than
to write a filter.
Writing a filter, you will never be able to recognize
which files IE really needs and which it doesn't, and
it will result in a never-ending story about enabling this,
disabling that etc.
L.
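
An added example, not code from this thread or from Filemon: a user-mode C model of the Create handling discussed above (set `IoStatus.Status`, complete the IRP in the filter, return the same status) together with the objection that a check on the image name lets a renamed executable through. `MODEL_IRP`, `model_complete`, `model_pass_down`, the `image` and `path` parameters and the `\Secret\` directory are assumptions standing in for the WDK's IRP, `IoCompleteRequest` and the call to the next driver.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Stand-ins for WDK definitions so this model builds in user mode. */
typedef int32_t NTSTATUS;
#define STATUS_SUCCESS       ((NTSTATUS)0x00000000)
#define STATUS_ACCESS_DENIED ((NTSTATUS)0xC0000022)

typedef struct { NTSTATUS Status; uintptr_t Information; } IO_STATUS_BLOCK;
typedef struct {
    IO_STATUS_BLOCK IoStatus;   /* same field names as the real IRP */
    int completed;              /* model only: times the IRP was completed */
    int passed_down;            /* model only: times it reached the file system */
} MODEL_IRP;

/* Models IoCompleteRequest(Irp, IO_NO_INCREMENT). */
static void model_complete(MODEL_IRP *irp) { irp->completed++; }

/* Models sending the IRP to the next driver, which then completes it. */
static NTSTATUS model_pass_down(MODEL_IRP *irp) {
    irp->passed_down++;
    irp->IoStatus.Status = STATUS_SUCCESS;
    model_complete(irp);
    return STATUS_SUCCESS;
}

/* Hypothetical policy: case-insensitive match on the image file name. */
static int image_is_blocked(const char *image) {
    const char *blocked = "iexplore.exe";
    for (; *image && *blocked; image++, blocked++)
        if (tolower((unsigned char)*image) != *blocked) return 0;
    return *image == *blocked;   /* both strings must end together */
}

/* Constructed protected directory for the example. */
static int path_is_protected(const char *path) {
    static const char prefix[] = "\\Secret\\";
    return strncmp(path, prefix, sizeof prefix - 1) == 0;
}

/* IRP_MJ_CREATE handling: deny in the filter or pass the request down. */
NTSTATUS filter_create(MODEL_IRP *irp, const char *image, const char *path) {
    if (image_is_blocked(image) && path_is_protected(path)) {
        irp->IoStatus.Status = STATUS_ACCESS_DENIED; /* status the caller sees */
        irp->IoStatus.Information = 0;
        model_complete(irp);          /* complete here; never pass it down */
        return STATUS_ACCESS_DENIED;  /* must match IoStatus.Status */
    }
    return model_pass_down(irp);      /* everything else goes through untouched */
}

int main(void) {
    MODEL_IRP a = {0}, b = {0};
    printf("iexplore.exe: 0x%08X\n", (unsigned)filter_create(&a, "IEXPLORE.EXE", "\\Secret\\keys.txt"));
    printf("renamed copy: 0x%08X\n", (unsigned)filter_create(&b, "notie.exe", "\\Secret\\keys.txt"));
    return 0;
}
```

The second call is the case Don Burn raises: the same binary under another file name is not matched, so the request reaches the file system and succeeds.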