detecting target file in driver layer...

I’m working on a Windows driver-level sandbox, especially the file system API part.
One of my most important tasks is to prevent files from being written in the critical areas, except for my config file.
In addition, my driver is installed on top of volmgr.
The problem is determining the config file at this level.

This is a snapshot of the device stack:

!DevObj   !DrvObj           !DevExt   ObjectName
867e5408  \Driver\QSdBx     867e54c0
867ec020  \Driver\volsnap   867ec0d8
867e5020  \Driver\rdyboost  867e50d8
867e4ac0  \Driver\fvevol    867e4b78
867eb030  \Driver\volmgr    867eb0e8  HarddiskVolume1
!DevNode 867e99d8
  DeviceInst is “…”
  ServiceName is “volsnap”

My main write redirector function looks like:

NTSTATUS DskWriteHandler( diskDevExt *devExt, PIRP irp );

Is it possible to find my file name or buffer here?

>is it possible to find my file name or buffer here?
I think not. You need to filter the file system stack, which mounts the HarddiskVolumeX device on volmgr. Filtering the volume stack makes no sense, in my view, for your task.

As I understood, I only have physical device addresses and no name or path, but what about the content of the file? Isn’t it anywhere here? If not, where should I find it?
The most important thing here is that I can’t install any other device except here!

Well of course you can get the content of the file, you are being given the
new content plus you know the offset and length to write, you can read the
old content before you write the new content.

I did a prototype for a client for something similar, where I used a simple
file system filter to get information about the file, with its own interface
to the disk filter driver to communicate the information.

Don Burn
Windows Filesystem and Driver Consulting
Website: http://www.windrvr.com
Blog: http://msmvps.com/blogs/WinDrvr

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of xxxxx@gmail.com
Sent: Saturday, May 24, 2014 9:52 AM
To: Windows File Systems Devs Interest List
Subject: RE:[ntfsd] detecting target file in driver layer…

As I understood, I only have physical device addresses and no name or path,
but what about the content of the file? Isn’t it anywhere here? If not, where should
I find it?
The most important thing here is that I can’t install any other device except here!



Thanks, Don Burn!
Would you please tell me where I could get the file buffers?
As I know, they should be present at ‘irp.MdlAddress->vastart’, but I can’t find them. Are the buffers in a special format?

If the MDL is already present, use MmGetSystemAddressForMdlSafe to get the system VA. Then use that system VA to access the buffer. If the MDL is not present and you get a raw user buffer, use MmProbeAndLockPages to lock the pages and then use MmGetSystemAddressForMdlSafe to get the system VA. Of course, if it’s a system buffer, you can use it directly.

Ayush Gupta
Software Consultant & Owner,
AI Consulting

>of course you can get the content of the file
If you filter ‘under’ the file system, the content can be compressed or not (depending on the file attributes). Also, the content can be entirely encrypted, if the file is encrypted.

Harald Brown, thanks for the information!
As Don Burn and Ayush Gupta said, the buffer should be present at ‘irp.MdlAddress’, so I dumped the buffer with the driver and with the debugger; both show this:

853cf000 52 43 52 44 28 00 09 00 00 a0 85 00 00 00 00 00 RCRD(…

or another buffer like the one above (5 ASCII chars followed by some binary).

I wrote many '1's to my config file and tried to find them in my driver (with the driver & debugger), but I still failed.

Additionally, the disk I’m testing is an unencrypted, uncompressed VMware disk.