Change filesize of a particular file

hi all

now I am coding a minifilter regarding to reading files with skipping their header.
so changing(emulating/decepting) their file size is needed now.
I know I should do some operations at post-callback of IRP_MJ_QUERY_INFORMATION and IRP_MJ_DIRECTORY_CONTROL.
But what I want to do is to change size of only a particular file.
it's easy to do it at Query Information but not at Directory Control.
so I'd like to have any good way to change size of particular files at Directory Control callback.

Satoru

Why isn’t it easy to do in Directory Control? Look for the directory entry that you want to change and change it (that’s how we do it.)

Tony

Tony Mason
Consulting Partner
OSR Open Systems Resources, Inc.
http://www.osr.com

Thank you, Tony

In my situation,there are both files which have a header and files which have no header in attached volume.
When DIR_CTRL call back come, it is hard for me to determaine where the file has a header or not.
In case of Query Information call back, i can determine the file has a header or not, because i can pre-scan(fltReadFile) header area of the file and memorize in stream handle context at the previous post-create-callback.
so I want to know a way to identify header existence in a file when DIR_CTRL callback cames.

Satoru

Right, as Tony indicated, you will need to look for your particular files.
If this means opening each one and performing a read on the header, then
that it what you have to do.

Generally speaking, in this situation, you can impose a heuristic on the
files which you look at. Say, for example, that all of the files which you
have manipulated are aligned on a 16 byte boundary. Well, look at the size
coming from the underlying filesystem and do your presort by only reading
files that have sizes aligned on a 16 byte boundary. It will not eliminate
all files which are not yours but it will be better than opening ALL of
them.

Pete

Kernel Drivers
Windows Filesystem and Device Driver Consulting
www.KernelDrivers.com
(303)546-0300

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of xxxxx@ybb.ne.jp
Sent: Sunday, October 29, 2006 3:08 AM
To: Windows File Systems Devs Interest List
Subject: RE:[ntfsd] Change filesize of a particular file

Thank you, Tony

In my situation,there are both files which have a header and files which
have no header in attached volume.
When DIR_CTRL call back come, it is hard for me to determaine where the file
has a header or not.
In case of Query Information call back, i can determine the file has a
header or not, because i can pre-scan(fltReadFile) header area of the file
and memorize in stream handle context at the previous post-create-callback.
so I want to know a way to identify header existence in a file when DIR_CTRL
callback cames.

Satoru

Questions? First check the IFS FAQ at
https://www.osronline.com/article.cfm?id=17

You are currently subscribed to ntfsd as: xxxxx@kerneldrivers.com
To unsubscribe send a blank email to xxxxx@lists.osr.com

From a design perspective, why would it not be recommended to give
special files an added
file extension? Then in dir query he could filter that out so it would
look normal to the user and
at the same time add the file and path too a list to watch for in other
handlers.

Peter Scott wrote:

Right, as Tony indicated, you will need to look for your particular files.
If this means opening each one and performing a read on the header, then
that it what you have to do.

Generally speaking, in this situation, you can impose a heuristic on the
files which you look at. Say, for example, that all of the files which you
have manipulated are aligned on a 16 byte boundary. Well, look at the size
coming from the underlying filesystem and do your presort by only reading
files that have sizes aligned on a 16 byte boundary. It will not eliminate
all files which are not yours but it will be better than opening ALL of
them.

Pete

Kernel Drivers
Windows Filesystem and Device Driver Consulting
www.KernelDrivers.com
(303)546-0300

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of xxxxx@ybb.ne.jp
Sent: Sunday, October 29, 2006 3:08 AM
To: Windows File Systems Devs Interest List
Subject: RE:[ntfsd] Change filesize of a particular file

Thank you, Tony

In my situation,there are both files which have a header and files which
have no header in attached volume.
When DIR_CTRL call back come, it is hard for me to determaine where the file
has a header or not.
In case of Query Information call back, i can determine the file has a
header or not, because i can pre-scan(fltReadFile) header area of the file
and memorize in stream handle context at the previous post-create-callback.
so I want to know a way to identify header existence in a file when DIR_CTRL
callback cames.

Satoru

---

Questions? First check the IFS FAQ at
https://www.osronline.com/article.cfm?id=17

You are currently subscribed to ntfsd as: xxxxx@kerneldrivers.com
To unsubscribe send a blank email to xxxxx@lists.osr.com

---

Questions? First check the IFS FAQ at https://www.osronline.com/article.cfm?id=17

You are currently subscribed to ntfsd as: xxxxx@comcast.net
To unsubscribe send a blank email to xxxxx@lists.osr.com

There are some potential ramifications of adding a prefix or suffix:

• the maximum component size is now smaller (by the size of the
  prefix/suffix) which is fine but may cause some tests to fail (for
  example)
• the prefix/suffix will be visible when your filter isn’t installed.
• files that would not get a short file name now have a short file name

Whether or not these matter is going to be a subject to the requirements
on the design.

The approach we’ve taken in our own DMK is to construct a cache; in the
current version that cache is in memory, so we really do open the file
and figure out the correct size (using the trick Peter Scott suggests.)
We’re looking at ways to improve that in the future as well. As with
caches in general, the addition of caching is a big performance boost
but a corresponding increase in complexity due to the need for proper
cache invalidation.

Our experience is that “xcopy” with it’s verification option enabled is
extremely sensitive to errors in directory sizing information and will
fail if the size info is not right.

Tony

Tony Mason
Consulting Partner
OSR Open Systems Resources, Inc.
http://www.osr.com

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of MM
Sent: Sunday, October 29, 2006 6:23 AM
To: ntfsd redirect
Subject: Re: [ntfsd] Change filesize of a particular file

From a design perspective, why would it not be recommended to give
special files an added
file extension? Then in dir query he could filter that out so it would
look normal to the user and
at the same time add the file and path too a list to watch for in other
handlers.

Peter Scott wrote:

Right, as Tony indicated, you will need to look for your particular
files.
If this means opening each one and performing a read on the header,
then
that it what you have to do.

Generally speaking, in this situation, you can impose a heuristic on
the
files which you look at. Say, for example, that all of the files which
you
have manipulated are aligned on a 16 byte boundary. Well, look at the
size
coming from the underlying filesystem and do your presort by only
reading
files that have sizes aligned on a 16 byte boundary. It will not
eliminate
all files which are not yours but it will be better than opening ALL of
them.

Pete

Kernel Drivers
Windows Filesystem and Device Driver Consulting
www.KernelDrivers.com
(303)546-0300

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of
xxxxx@ybb.ne.jp
Sent: Sunday, October 29, 2006 3:08 AM
To: Windows File Systems Devs Interest List
Subject: RE:[ntfsd] Change filesize of a particular file

Thank you, Tony

In my situation,there are both files which have a header and files
which
have no header in attached volume.
When DIR_CTRL call back come, it is hard for me to determaine where the
file
has a header or not.
In case of Query Information call back, i can determine the file has a
header or not, because i can pre-scan(fltReadFile) header area of the
file
and memorize in stream handle context at the previous
post-create-callback.
so I want to know a way to identify header existence in a file when
DIR_CTRL
callback cames.

Satoru

---

Questions? First check the IFS FAQ at
https://www.osronline.com/article.cfm?id=17

You are currently subscribed to ntfsd as: xxxxx@kerneldrivers.com
To unsubscribe send a blank email to xxxxx@lists.osr.com

---

Questions? First check the IFS FAQ at
https://www.osronline.com/article.cfm?id=17

You are currently subscribed to ntfsd as: xxxxx@comcast.net
To unsubscribe send a blank email to xxxxx@lists.osr.com

Questions? First check the IFS FAQ at
https://www.osronline.com/article.cfm?id=17

You are currently subscribed to ntfsd as: xxxxx@osr.com
To unsubscribe send a blank email to xxxxx@lists.osr.com

> Generally speaking, in this situation, you can impose a heuristic on the

files which you look at. Say, for example, that all of the files which you
have manipulated are aligned on a 16 byte boundary.

This is good idea, let me make it even better.
Make that alignment of 17. This looks weird, but as soon
as someone starts enumeration of files in System32 directory,
you will know why.

In my today’s Windows state, there’s 1942 files, and more than 90% of them
is aligned to 16. Also every program directory
(like %ProgramFiles%\Microsoft office) will behave the same.

L.

Relying on file extension is insecure. For example,
let’s take a common document with (let’s say .XYZ extension).

If someone deletes the file (read: moves to Recycle.bin),
the file get totally different name and your filter never catches it.
This might, or might not be a problem, but for sure is a caveat.

Another example. I expect the OP wants to do an encryption filter.
Well ok. As soon as you make the filter, depending on XYZ extnsion,
you will encrypt a directory full of DOC files. They get renamed to XYZ.
The consequences are 1) double clicking on them will not open the file in
Word
2) The files will have different icon.

And I am pretty sure there will be more dumb cases like this one,
so I would not recommend this way. Of course, it depends on what
filter the OP wants to do.

L.

The reason why I suggested 16 bytes was only due to possible cipher block
alignment. If you are restricted to some cipher block alignment due to your
encryption algorithm, then having an odd size like 17 bytes will force you
to perform fix-up when IO overlaps the end of the file. I guess it is more
of a design decision of where you want to take the hit.

One of the issues with adding a suffix is the hiding of the suffix and the
ramifications of this, assuming you choose to hide the suffix, primarily in
the IRP_MJ_CREATE, or PreCreate, handlers. Imagine that you have a .foo
ending on all files that are ‘yours’. In your filter you have an open
request on test.txt. You first need to allow this open to pass down to the
underlying FSD to see if it actually is an open for a file called test.txt.
If this fails with an OBJECT_NOT_FOUND error, you need to add your suffix
and retry the open request. If it succeeds, you still need to perform your
read, for header validation, for the off chance that there actually exists a
file called test.txt.foo but it is not yours. Not a huge overhead but
something to consider. Similar issues arise for directory queries when the
pattern match is something like test*.txt, you need to play with the pattern
being passed down the stack to return your files as well, then perform
post-processing on the returned entries.

Pete

Kernel Drivers
Windows Filesystem and Device Driver Consulting
www.KernelDrivers.com
(303)546-0300

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Ladislav Zezula
Sent: Sunday, October 29, 2006 8:12 AM
To: Windows File Systems Devs Interest List
Subject: Re: [ntfsd] Change filesize of a particular file

Generally speaking, in this situation, you can impose a heuristic on the
files which you look at. Say, for example, that all of the files which you
have manipulated are aligned on a 16 byte boundary.

This is good idea, let me make it even better.
Make that alignment of 17. This looks weird, but as soon
as someone starts enumeration of files in System32 directory,
you will know why.

In my today’s Windows state, there’s 1942 files, and more than 90% of them
is aligned to 16. Also every program directory
(like %ProgramFiles%\Microsoft office) will behave the same.

L.

Questions? First check the IFS FAQ at
https://www.osronline.com/article.cfm?id=17

You are currently subscribed to ntfsd as: xxxxx@kerneldrivers.com
To unsubscribe send a blank email to xxxxx@lists.osr.com