Disk Filter Driver

Hi all,

How to attach a disk filter driver to a specific drive or volume only?
How to capture Read/Write requests for files only, i.e. how to check whether
a particular Read/Write call is for normal file?


Kapil Bhadke
IIT Kanpur

First off, you may have to decide whether you are looking for an upper filter
or lower filter; what are you targeting? Volume or disk? Have you thought of
scenarios in which a volume will be read before your driver gets loaded? You
will have to do some additional work to find out if a sector belongs to a
particular file; use the VCN/LCN related stuff. But not sure how far that
will help you. Send some IOCTLs, etc. And my personal opinion is that all
files are NORMAL, unless you are talking about file attributes. And even
then all files are really sane. :) So, when you say “normal” files, think
what files are normal and which are not normal for you.

Last but probably the most important thing to do for starters is to read up
on the documentation, samples AND believe it or not take this thread to ntdev.
And before posting, search the ntdev archive. :wink:

Regards,

Ayush Gupta

Software Consultant & Owner,

AI Consulting

http://in.linkedin.com/in/guptaayush

From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of kapil bhadke
Sent: Monday, February 14, 2011 12:43 PM
To: Windows File Systems Devs Interest List
Subject: [ntfsd] Disk Filter Driver

Hi all,

How to attach a disk filter driver to a specific drive or volume only?

How to capture Read/Write requests for files only, i.e. how to check whether
a particular Read/Write call is for normal file?


Kapil Bhadke

IIT Kanpur


You earlier had two different posts asking whether to go for file system
filter approach or disk filter approach for enabling data encryption.

I am assuming that post is related to it only.

I think people (including me) have already pointed out that if you want to
do file data you will have to implement a minifilter.
If you want to encrypt data blocks then doing it at disk filter level is
appreciated.
So you won’t get any read/write in file granularity at disk filter level.

How to attach a disk filter driver to a specific drive or volume only??

I suggest please do a little bit of homework.
You will need to specify yourself as upper filter to disk filter/volume
class of devices (learn about the different device classes on Windows).
You can do it through INF files (see the diskperf INF file and try to
understand it).

You will be getting new physical device notifications in your AddDevice
routine.
There you will have to attach to this physical device and become part of the
stack.

How to capture Read/Write requests for files only i.e. how to check whether
a particular Read/Write call
is for normal file?

So you won’t get any file related reads/writes. All you will get is random
block level read/writes.
You will have to look for IRP_MJ_READ/IRP_MJ_WRITE dispatch handlers.

Also, if you are moving ahead with the approach of writing a disk filter, I
don’t think this and further posts will belong to NTFSD.
Move them to NTDEV.

-Deepak
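
An added illustration, not code from any poster in this thread, of the VCN/LCN point made earlier and of the block-level view described above: given a file's extent map in the shape returned by FSCTL_GET_RETRIEVAL_POINTERS, it decides whether a block I/O seen by a disk or volume filter touches that file. The struct names, the sample map, the cluster size and the partition offset are all constructed assumptions.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Same shape as FSCTL_GET_RETRIEVAL_POINTERS output: extent i maps VCNs
   [previous next_vcn, next_vcn) to clusters starting at lcn; lcn -1 = hole. */
typedef struct { int64_t next_vcn, lcn; } extent_t;
typedef struct { int64_t starting_vcn; size_t count; const extent_t *ext; } file_map_t;

/* Constructed sample: 4 clusters at LCN 100, a 2-cluster hole, 4 at LCN 500. */
static const extent_t SAMPLE_EXT[] = { {4, 100}, {6, -1}, {10, 500} };
static const file_map_t SAMPLE_MAP = { 0, 3, SAMPLE_EXT };
#define CLUSTER 4096u          /* assumed bytes per cluster */
#define VOL_START 1048576ll    /* assumed partition offset on the disk */

/* Lowest file byte offset touched by a block I/O, or -1 if it misses the
   file. Assumes NTFS-style numbering: LCN 0 is volume byte 0. */
int64_t io_to_file_offset(const file_map_t *m, uint32_t cluster_bytes,
                          int64_t vol_start, int64_t disk_off, uint32_t len)
{
    int64_t io_lo = disk_off - vol_start, io_hi = io_lo + len;
    int64_t vcn = m->starting_vcn, best = -1;
    if (len == 0 || io_hi <= 0) return -1;   /* empty, or before the volume */
    for (size_t i = 0; i < m->count; i++) {
        int64_t next = m->ext[i].next_vcn, lcn = m->ext[i].lcn;
        if (lcn >= 0) {                        /* skip sparse holes */
            int64_t ext_lo = lcn * cluster_bytes;
            int64_t ext_hi = ext_lo + (next - vcn) * cluster_bytes;
            if (io_lo < ext_hi && ext_lo < io_hi) {   /* ranges overlap */
                int64_t hit = io_lo > ext_lo ? io_lo : ext_lo;
                int64_t off = vcn * cluster_bytes + (hit - ext_lo);
                if (best < 0 || off < best) best = off;
            }
        }
        vcn = next;
    }
    return best;
}

int main(void)
{
    int64_t in_file = VOL_START + 502ll * CLUSTER + 512;   /* inside 3rd extent */
    int64_t elsewhere = VOL_START + 200ll * CLUSTER;       /* not this file */
    printf("%lld %lld\n",
           (long long)io_to_file_offset(&SAMPLE_MAP, CLUSTER, VOL_START, in_file, 512),
           (long long)io_to_file_offset(&SAMPLE_MAP, CLUSTER, VOL_START, elsewhere, 4096));
    return 0;
}
```

The extent map is only a snapshot: it has to be queried again whenever the file grows, shrinks or is moved, which is part of the additional work mentioned in the thread.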

First off, you may have to decide whether you are looking for an upper filter
or lower filter;

I want to develop upper filter.

what are you targeting? Volume or disk?

I am targeting Volume.

So, when you say “normal” files, think what files are normal and which are
not normal for you.

As a normal file means I want to handle data which is being written to or
read from files only. I don’t want to handle file attribute data.

AND believe it or not take this thread to ntdev. And before posting, search
the ntdev archive. :wink:

Sure…I will…


Kapil Bhadke
IIT Kanpur

So, when you say “normal” files, think what files are normal and which are
not normal for you.

As a normal file means I want to handle data which is being written to or
read from files only. I don’t want to handle file attribute data.

If by file attribute data you mean file metadata then why are you taking
disk/volume filter approach, minifilter should be the way to go.

-Deepak

Hi Kapil,

I am assuming from your post that you are interested in just filtering read and write requests for files. Hence first off you won't need to go to a lower level like disk etc. If you are just aiming to filter IRP_MJ_READ and IRP_MJ_WRITE etc. you can very well get away with writing a mini filter. The sample provided with WDK should do most of the work for you.
As for the attaching to a specific volume part, you might wanna look up PFLT_INSTANCE_SETUP_CALLBACK which the filter manager calls at volume mounts. Just return STATUS_SUCCESS for the volumes you want your filter to be attached to and you are on your way. You can get the file name from the FILE_OBJECT assuming you don’t already know this. :slight_smile:
Hope this helps a little.

-Imtiyaz
Senior Development Engineer
Citrix Systems

Mr Pathan, :slight_smile:

It's in continuation of these threads,

http://www.osronline.com/showthread.cfm?link=199215
http://www.osronline.com/showthread.cfm?link=199232

Deepak already stated clearly in his post, but just for your records (in Mr Peter GV words obviously) we are *again* attaching wings to a P**. :slight_smile: