Can I hook IoCreateStreamFileObject in SFilter?

Hi all,
I’d like to trace the operation of all the stream file objects and get their file names, then decide whether to encrypt or decrypt the data. However, I cannot see IRP_MJ_CREATE when IoCreateStreamFileObject is used, so I’d like to hook IoCreateStreamFileObject. Can anybody tell me whether it is OK, and give me some source code?

zhaoyong
thanks

Very bad idea. Hooking must be avoided since Microsoft is doing what they
can to stop it. I am sure you want your driver to fail just after an update
is done, but most do not, especially the users. No, we won’t provide hooking
samples.

wrote in message news:xxxxx@ntfsd…
> Hi all,
> I’d like to trace the operation of all the stream file objects and get
> their file names, then decide whether to encrypt or decrypt the data.
> However, I cannot see IRP_MJ_CREATE when IoCreateStreamFileObject is used,
> so I’d like to hook IoCreateStreamFileObject. Can anybody tell me whether
> it is OK, and give me some source code?
>
> zhaoyong
> thanks
>
>

Thanks for your reply. Then how do I trace the stream file object?

Watch for them to arrive in your filter. When you see one that you have
not seen previously, catalog it. When it goes away you will normally
see an IRP_MJ_CLOSE.

I say “normally” because I know of at least one product that
deliberately bypasses the filters when sending the IRP_MJ_CLOSE. While
this is a terrible idea (and I maintain it is a bug in the offending
product) we try to protect ourselves against it as best we can.

Regards,

Tony

Tony Mason
Consulting Partner
OSR Open Systems Resources, Inc.
http://www.osr.com

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of zymoonstone@163.com
Sent: Monday, September 11, 2006 10:54 PM
To: ntfsd redirect
Subject: RE:[ntfsd] Can i hook iocreatestreamfileobject in SFilter?

Thanks for your reply. Then how do I trace the stream file object?


Questions? First check the IFS FAQ at
https://www.osronline.com/article.cfm?id=17

You are currently subscribed to ntfsd as: xxxxx@osr.com
To unsubscribe send a blank email to xxxxx@lists.osr.com

Yes, I can watch the I/O, such as read/write, and insert the unseen stream file object into my hashtable, but in some cases I have not seen an IRP_MJ_CREATE request for a file while I meet a stream file object from a write or read of the file. That means I cannot get the file name of the stream file object, so I cannot decide whether to bypass the read/write packet or not. How do I resolve such a problem?

There is a lot of kernel-mode software that reads and writes files with stream file objects, so I have
to trace all these file objects and get their file names. Unfortunately, I cannot get the name from the
file object that is obtained from IRP_MJ_READ/IRP_MJ_WRITE, so if there is no IRP_MJ_CREATE first, my
filter will not know what to do. Please help me!

If this is a minifilter, FltGetFileNameInformation will give a lot of help
most of the time. If it isn’t a minifilter, you might try ObQueryNameString
(but be very, very careful about deadlocks and hangs - there are a great
many cases when this just cannot be used).

Bottom line, unless you catch the creates (and of course the renames) you
can never be certain. And as you’ve noticed there are many cases when you
just don’t see the Create.

wrote in message news:xxxxx@ntfsd…
> There is a lot of kernel-mode software that reads and writes files with
> stream file objects, so I have
> to trace all these file objects and get their file names. Unfortunately, I
> cannot get the name from the
> file object that is obtained from IRP_MJ_READ/IRP_MJ_WRITE, so if there is
> no IRP_MJ_CREATE first, my
> filter will not know what to do. Please help me!
>

Use filter contexts whenever they are available. Then you can use the
context information you constructed (when the original IRP_MJ_OPEN
arrived on ANY file object for this file.)

Of course, your fundamental error is that you are trying to rely upon
names in the first place - a common mistake to make. I’ve noted this
before, but one can open a file by ID (64-bit) or object ID (128-bit), and
files can have multiple names (hard links). In addition, when you query
the name of a file object (even in post-create) you may get back a name
that is NO LONGER VALID because the file has been renamed. Oh, and let’s
not forget that there are short and long file names.

So, make your decision once, store that information with the filter
context and then you should be fine.

Tony

Tony Mason
Consulting Partner
OSR Open Systems Resources, Inc.
http://www.osr.com

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of zymoonstone@163.com
Sent: Tuesday, September 12, 2006 5:14 AM
To: ntfsd redirect
Subject: RE:[ntfsd] Can i hook iocreatestreamfileobject in SFilter?

Yes, I can watch the I/O, such as read/write, and insert the unseen
stream file object into my hashtable, but in some cases I have not seen an
IRP_MJ_CREATE request for a file while I meet a stream file object
from a write or read of the file. That means I cannot get the file name of
the stream file object, so I cannot decide whether to bypass the
read/write packet or not. How do I resolve such a problem?



Thanks for your reply, but I have a question about “filter context”: what does it mean? Does it mean I
record some information about this file in a hashtable when the first original IRP_MJ_CREATE is observed?
If that is true, there is another problem: in some cases, my filter will get a read/write request
with a stream file object while I have not got an original IRP_MJ_CREATE, that is to say, I cannot get
the stream file object’s information. That is what I am confused about.

See FsRtlInsertPerStreamContext - it is documented in the W2K3SP1 IFS
Kit (and the WDK.) It might be documented in earlier kits as well - the
call has been supported for XP and newer (and is available on current
versions of W2K.)

Tony

Tony Mason
Consulting Partner
OSR Open Systems Resources, Inc.
http://www.osr.com

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of zymoonstone@163.com
Sent: Tuesday, September 12, 2006 8:43 PM
To: ntfsd redirect
Subject: RE:[ntfsd] Can i hook iocreatestreamfileobject in SFilter?

Thanks for your reply, but I have a question about “filter context”:
what does it mean? Does it mean I
record some information about this file in a hashtable when the first
original IRP_MJ_CREATE is observed?
If that is true, there is another problem: in some cases, my
filter will get a read/write request
with a stream file object while I have not got an original IRP_MJ_CREATE,
that is to say, I cannot get
the stream file object’s information. That is what I am confused about.


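The per-stream context approach Tony recommends above (and points to with FsRtlInsertPerStreamContext), as an added user-mode model that is not code from this thread, from OSR or from the WDK. It assumes what the thread relies on: every file object opened on one stream, including a stream file object from IoCreateStreamFileObject that produced no IRP_MJ_CREATE, carries the same FsContext, so a decision attached to the stream is found from any of them; the list handling stands in for the FsRtl calls, and the struct and field names are constructed.

```c
/* Added example (user-mode model, not code from the thread or OSR): the
 * per-stream context pattern. In the kernel the context is attached with
 * FsRtlInsertPerStreamContext to the FSRTL_ADVANCED_FCB_HEADER reachable
 * via FileObject->FsContext and found again with FsRtlLookupPerStreamContext;
 * the list code below stands in for those calls. */
#include <stddef.h>

typedef enum { POLICY_UNKNOWN = 0, POLICY_ENCRYPT, POLICY_BYPASS } policy_t;

typedef struct ctx {                 /* models FSRTL_PER_STREAM_CONTEXT     */
    struct ctx *next;                /*   plus the filter's own payload     */
    const void *owner_id;            /* OwnerId: identifies this filter     */
    policy_t    policy;              /* decision made once, at create       */
} ctx_t;

typedef struct stream {              /* models FSRTL_ADVANCED_FCB_HEADER    */
    ctx_t *contexts;                 /* FilterContexts list                 */
} stream_t;

typedef struct file_object {         /* models FILE_OBJECT                  */
    stream_t *fs_context;            /* FsContext: shared by every open of the stream */
    int saw_create;                  /* 1 if this filter saw IRP_MJ_CREATE  */
} file_object_t;

static const char g_filter_tag = 0;  /* its address serves as OwnerId       */

/* Post-create: decide encrypt/bypass once and hang it off the stream, not
 * the file object or a name. The FSD invokes FreeCallback (omitted here)
 * when it tears the stream down, so seeing IRP_MJ_CLOSE is not required. */
static void on_post_create(file_object_t *fo, ctx_t *ctx, policy_t decision)
{
    fo->saw_create = 1;
    ctx->owner_id  = &g_filter_tag;
    ctx->policy    = decision;
    ctx->next      = fo->fs_context->contexts;
    fo->fs_context->contexts = ctx;
}

/* Read/write path: look the decision up by stream; no name query, so none
 * of the ObQueryNameString deadlock risk. POLICY_UNKNOWN means the stream
 * was never opened through this filter; pass such I/O through untouched. */
static policy_t policy_for(const file_object_t *fo)
{
    const ctx_t *c;
    for (c = fo->fs_context->contexts; c != NULL; c = c->next)
        if (c->owner_id == &g_filter_tag)
            return c->policy;
    return POLICY_UNKNOWN;
}
```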

There is no MJ_CREATE for stream file objects.

Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
xxxxx@storagecraft.com
http://www.storagecraft.com

----- Original Message -----
From:
To: “Windows File Systems Devs Interest List”
Sent: Tuesday, September 12, 2006 6:50 AM
Subject: [ntfsd] Can i hook iocreatestreamfileobject in SFilter?

> Hi all,
> I’d like to trace the operation of all the stream file objects and get
> their file names, then decide whether to encrypt or decrypt the data.
> However, I cannot see IRP_MJ_CREATE when IoCreateStreamFileObject is used,
> so I’d like to hook IoCreateStreamFileObject. Can anybody tell me whether
> it is OK, and give me some source code?
>
> zhaoyong
> thanks
>