Copy Operation Detection

Hi All,

I'm logging the IRP operations happening on the FSD by means of a filter driver. I
am able to determine the exact time when a Rename operation happens through
Explorer (by means of FileRenameInformation within IRP_MJ_SET_INFORMATION),
but I am having problems finding the exact time when a Copy operation is
performed, i.e. finding the IRP which tells that it is the Copy operation.

Although I can see a number of IRP_MJ_READ and WRITE requests on the original
and new files respectively, that doesn’t ensure that it is a Copy
operation.
I have seen a few products in the market which are able to detect it at driver
level.

Please help me out with this. I do not want to use API hooking for it.

Thanks and Regards,
Shreshth Luthra

Shreshth Luthra wrote:

> Hi All,
>
> I'm logging the IRP operations happening on the FSD by means of a filter
> driver. I am able to determine the exact time when a Rename operation
> happens through Explorer (by means of FileRenameInformation within
> IRP_MJ_SET_INFORMATION), but I am having problems finding the exact
> time when a Copy operation is performed, i.e. finding the IRP which tells
> that it is the Copy operation.

There is NO true copy operation at kernel level. That is why you do not
see it. That is why you can’t find it.

> Although I can see a number of IRP_MJ_READ and WRITE requests on the
> original and new files respectively, that doesn’t ensure that it is
> a Copy operation.

Well, no shit Sherlock :). That is what a copy operation is: it’s a
file being read in and written out to a secondary location on disk.

> I have seen a few products in the market which are able to detect it at
> driver level.

The products that can see this hook “nasty like” in user mode. This is
discussed in the archives, but of course you didn’t even attempt to
search. Typing the search string “COPY” into the ntfsd archives
returns a link discussing this. It is the very FIRST result returned.

M

> Thanks and Regards,
> Shreshth Luthra
— Questions? First check the IFS FAQ at
https://www.osronline.com/article.cfm?id=17 You are currently
subscribed to ntfsd as: unknown lmsubst tag argument: ‘’ To
unsubscribe send a blank email to xxxxx@lists.osr.com

> Although I can see a number of IRP_MJ_READ and WRITE
> requests on the original and new files respectively, that doesn’t
> ensure that it is a Copy operation.

This is the exact point. You can’t be sure that it’s a copy operation.
We discussed it several times here; look into the archives.

L.

Well, thanks for replying. I have already seen the archives related to it.

> Well, no shit Sherlock :). That is what a copy operation is: it’s a
> file being read in and written out to a secondary location on disk.

The only thing I want to say is that a sequence of READ and WRITE operations
does not ensure that it is a copy. There might be some user mode application
doing Read and Write explicitly. But no point discussing it.

Regards,
Shreshth

I didn’t mean to sound harsh (the smiley face meant I was joking). I
didn’t mean to be a curmudgeon… :(

Yes, there is no way to determine if a sequence of reads and writes is a
copy or an application doing something else. There is no special flag or
IRP to indicate this; the FSD has no need to know, it has to do the same
amount of work regardless.

m


> performed i.e. to find the IRP which tells that it is the Copy Operation.

No such IRP. Copy cannot be distinguished from any other write.

> I have seen a few products in the market which are able to detect it at driver
> level.

They cheat.

More so - such products have no value. They cannot prevent the sensitive
information leak - the user can, say, download BZIP2 (not known to this
product) and compress the file using it, then leak the compressed file.

Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
xxxxx@storagecraft.com
http://www.storagecraft.com

Hi All,

Getting into the same stuff again :)
I do agree with all of you that there cannot be a case where I will get all
the Copy operations captured in my filter driver. But my aim is something
different.
I do not bother about completeness at this stage, but I do want to identify
the copy operations (by means of applying some heuristics on READ and WRITE
operations) in as many cases as possible.
It is OK if I do not get a COPY log in certain cases and even if sometimes I
am wrong in identifying the Copy operation.

In order to do so, I am not very clear about the approach I should take to
start with.
Taking the case of a WORD file, logically, it should monitor for READs where
the data length is not zero, get the address of the buffer and then look for
the WRITE on some other file by the same process, with the same address of
buffer and same offset.
But I do not know if such a kind of thing is actually feasible.

If someone has worked on such a kind of heuristic approach, he can guide me
better.

Again, I would like to clarify, I do not bother much about leaks (whether
intentional or unintentional). But something should be captured.

Thanks in advance.

Regards,
Shreshth Luthra

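As an added illustration (not code from this thread or from any product mentioned in it), here is a user-mode model of the heuristic Shreshth describes, run over constructed log records rather than real FileSpy output: a non-empty READ is paired with a later WRITE from the same process to a different path that reuses the same user buffer address, offset and length. The constructed events also show the limits the thread points out: a compressed copy of the kind Maxim describes shares neither buffer nor length and is missed, while an editor's "Save As" produces exactly the same IRP pattern as a copy and is flagged.

```python
from collections import defaultdict

# Constructed sample records modelled on a filter-driver log, not real
# FileSpy output: (seq, pid, op, path, user buffer address, offset, length).
LOG = [
    (1, 100, "READ",  r"C:\docs\a.doc",     0x1000, 0,    4096),  # Explorer-style copy
    (2, 100, "WRITE", r"C:\tmp\a.doc",      0x1000, 0,    4096),
    (3, 100, "READ",  r"C:\docs\a.doc",     0x1000, 4096, 4096),
    (4, 100, "WRITE", r"C:\tmp\a.doc",      0x1000, 4096, 4096),
    (5, 200, "READ",  r"C:\docs\b.doc",     0x2000, 0,    512),   # in-place save: same file
    (6, 200, "WRITE", r"C:\docs\b.doc",     0x2000, 0,    512),
    (7, 300, "READ",  r"C:\docs\c.doc",     0x3000, 0,    4096),  # bzip2-style: new buffer, new length
    (8, 300, "WRITE", r"C:\tmp\c.doc.bz2",  0x4000, 0,    1200),
    (9, 400, "READ",  r"C:\docs\d.doc",     0x5000, 0,    4096),  # editor "Save As": same pattern as a copy
    (10, 400, "WRITE", r"C:\docs\d-v2.doc", 0x5000, 0,    4096),
]


def find_copy_candidates(log, window=8):
    """Pair every non-empty READ with a later WRITE from the same process to a
    different path that reuses the same buffer address, offset and length and
    lies within `window` records. Returns (pid, source, destination) tuples in
    first-seen order; the repeated chunks of one copy collapse into one tuple."""
    pending = defaultdict(list)  # (pid, buffer, offset, length) -> [(seq, path)]
    hits = []
    for seq, pid, op, path, buf, off, length in log:
        if length == 0:  # zero-length reads carry no data to match against
            continue
        key = (pid, buf, off, length)
        if op == "READ":
            pending[key].append((seq, path))
        elif op == "WRITE":
            # A WRITE consumes any READ that filled the same buffer slice.
            for read_seq, src in pending.pop(key, []):
                if src != path and seq - read_seq <= window:
                    hit = (pid, src, path)
                    if hit not in hits:
                        hits.append(hit)
    return hits


if __name__ == "__main__":
    for pid, src, dst in find_copy_candidates(LOG):
        print(f"pid {pid}: {src} -> {dst}")
```

Only pids 100 and 400 are reported; nothing in the IRP stream distinguishes the genuine copy from the "Save As", and the recompressed file is not matched at all, which is the ambiguity the replies describe.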

Wow, two different copy questions within 2 minutes. This has to be a
record. What a magical coincidence…


MM wrote:

> Wow, two different copy questions within 2 minutes. This has to be a
> record. What a magical coincidence…

What a pity that mailing lists can’t have stickies…

Or maybe a script that replies something like ‘Hi this is clippy here…
you appear to be asking about copy operations…’

Tony

The fact is: there is *no* copy operation at the filter driver level.
Period. Let’s make a test - I will send you a FileSpy output and you
will try to get the idea of what’s happening at user level (i.e.
if it is a “Save As”, “Save”, “copy file”, “Move File” or whatever).

I bet my two salaries that you will fail to identify the cases even with
human intelligence and humans’ excellent pattern recognition ability;
how do you propose to teach software to do this?

My personal advice is “give it up”.

Sorry for being too, ahem, negative, but the approach you wanna take
will *never* work. Even if you are able to make it run for e.g. MS Word,
it will completely fail for another app or Word version.

L.

I’m sorry to say that Ladislav is certainly right. I had a similar problem
once and I had to give up when I faced the truth: copying is taking data
from a file and putting it in another file. Omg, that’s what all file system
operations are about. :s In my case I got around it because I wanted to
monitor a specific application: I just made the application send an IOCTL to
the driver when it was copying a file (I wanted to avoid that addition in
the first place). If you want to prevent leaking, you could use the volume
jailing approach “thou shalt not leave that volume thou knave”.

*pEdouard = new Edouard();

