Faking information returned by IRP_MJ_QUERY_INFORMATION

Hey,
I’m trying to write a minifilter that fakes AllocationSize and EndOfFile in
a FILE_STANDARD_INFORMATION.
I set my function to run post-operation and I’m sure it’s working (through
DebugView).
So far, here’s my code:

PFLT_PARAMETERS params = &Data->Iopb->Parameters;

// Only rewrite the buffer if the file system actually filled it in. A
// FileAllInformation query routinely completes with STATUS_BUFFER_OVERFLOW
// (the trailing name did not fit); the fixed-size part is still valid then.
if (!NT_SUCCESS(Data->IoStatus.Status) &&
    Data->IoStatus.Status != STATUS_BUFFER_OVERFLOW) {
    return FLT_POSTOP_FINISHED_PROCESSING;
}

if (params->QueryFileInformation.FileInformationClass == FileStandardInformation) {
    FILE_STANDARD_INFORMATION *info =
        (FILE_STANDARD_INFORMATION *)params->QueryFileInformation.InfoBuffer;
    info->EndOfFile.QuadPart = 10;
    info->AllocationSize.QuadPart = 8192;
    return FLT_POSTOP_FINISHED_PROCESSING;
} else if (params->QueryFileInformation.FileInformationClass == FileAllInformation) {
    FILE_ALL_INFORMATION *info =
        (FILE_ALL_INFORMATION *)params->QueryFileInformation.InfoBuffer;
    // StandardInformation sits at a fixed offset, so it is filled in even
    // when the query returned STATUS_BUFFER_OVERFLOW for the name.
    info->StandardInformation.EndOfFile.QuadPart = 10;
    info->StandardInformation.AllocationSize.QuadPart = 8192;
    return FLT_POSTOP_FINISHED_PROCESSING;
}

Of course it does a file name check; I do not need any major system failures
here.

I can see the return values I need in Process Monitor when requested by
explorer.exe.
However, in the properties dialog, I keep getting the real values :S

Notes:

  1. The “Result” in Process Monitor is always ‘BUFFER OVERFLOW’ whether the
     driver is running or not.
  2. This isn’t related, but an unchanged AllocationSize is usually just a
     multiple of 8 (8 or 16) according to EndOfFile. Isn’t this supposed to be
     4096 bytes? At least the properties dialog says so.

TIA

On Sun, Oct 9, 2011 at 9:26 PM, George Stephanos wrote:

> [...]

I recently found out from Process Monitor that FAST_IO routines reveal the
correct size, but now I correctly handle them and nothing changed.
Also, using cmd, I’m able to get the fake size using:
for %I in (test.txt) do @echo %~zI
so it’s just explorer.exe that’s a little too smart.

Are you filtering directory information queries as well? I’d imagine that Explorer (and probably ‘dir’ in cmd.exe) would be pulling this information from the directory listing rather than opening each file individually and sending a query file information request.

S (Msft)

From: xxxxx@lists.osr.com [xxxxx@lists.osr.com] on behalf of George Stephanos [xxxxx@gmail.com]
Sent: Sunday, October 09, 2011 4:19 PM
To: Windows File Systems Devs Interest List
Subject: Re:[ntfsd] Faking information returned by IRP_MJ_QUERY_INFORMATION

> [...]

Thanks a lot for the tip!

After a lot of suffering trying to figure out how IRP_MJ_DIRECTORY_CONTROL
works exactly (being a newbie), I’ve been able to fake the actual file size
(EndOfFile)… but never AllocationSize. I think this relates to the second note
in my first post.

Any ideas?
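Added example for S (Msft)'s hint and the follow-up post above; this is not code from the thread or from the poster's driver. It is a user-mode C model of the walk a post-operation IRP_MJ_DIRECTORY_CONTROL callback performs on a FileBothDirectoryInformation buffer: step through the entries by NextEntryOffset, bounds-check every offset and FileNameLength against the number of bytes the file system actually filled in (a bad offset would otherwise let the filter read or write outside the buffer), and on a case-insensitive name match rewrite both EndOfFile and AllocationSize, which sit side by side in the same entry. The struct mirrors the FILE_BOTH_DIR_INFORMATION layout from ntifs.h, the typedefs stand in for the Windows ones, and the three-entry listing and the target name test.txt are constructed for illustration. In the driver, the buffer and class would come from Data->Iopb->Parameters.DirectoryControl.QueryDirectory.DirectoryBuffer and .FileInformationClass, the filled length from Data->IoStatus.Information (only after a successful completion), and the name compare would be RtlEqualUnicodeString with CaseInSensitive = TRUE; the same walk applies to FileDirectoryInformation, FileFullDirectoryInformation and FileIdBothDirectoryInformation, each with its own FileName offset, and FileNetworkOpenInformation also carries both sizes and is worth covering in the query-information path.

```c
/* Constructed user-mode model of a post-IRP_MJ_DIRECTORY_CONTROL buffer walk;
 * not driver code. The struct mirrors FILE_BOTH_DIR_INFORMATION (ntifs.h) so
 * the offsets match what the file system writes. In a minifilter, buf and len
 * are QueryDirectory.DirectoryBuffer and Data->IoStatus.Information. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef uint32_t ULONG;   typedef uint16_t WCHAR;   typedef int64_t LONGLONG;
typedef struct { LONGLONG QuadPart; } LARGE_INTEGER;

typedef struct _FILE_BOTH_DIR_INFORMATION {
    ULONG         NextEntryOffset;  /* bytes to the next entry, 0 on the last */
    ULONG         FileIndex;
    LARGE_INTEGER CreationTime;
    LARGE_INTEGER LastAccessTime;
    LARGE_INTEGER LastWriteTime;
    LARGE_INTEGER ChangeTime;
    LARGE_INTEGER EndOfFile;        /* the "Size" a directory listing shows */
    LARGE_INTEGER AllocationSize;
    ULONG         FileAttributes;
    ULONG         FileNameLength;   /* in bytes, not characters */
    ULONG         EaSize;
    char          ShortNameLength;
    WCHAR         ShortName[12];
    WCHAR         FileName[1];      /* variable length, not NUL-terminated */
} FILE_BOTH_DIR_INFORMATION;

#define NAME_OFFSET offsetof(FILE_BOTH_DIR_INFORMATION, FileName)   /* 94 */

/* ASCII-only case-insensitive compare of a UTF-16LE name with a narrow target.
 * A driver would use RtlEqualUnicodeString(..., TRUE) here instead. */
static int name_matches(const WCHAR *name, ULONG name_bytes, const char *target)
{
    size_t n = strlen(target);
    if (name_bytes != n * sizeof(WCHAR)) return 0;
    for (size_t i = 0; i < n; i++) {
        WCHAR a = name[i], b = (WCHAR)(unsigned char)target[i];
        if (a >= 'A' && a <= 'Z') a += 'a' - 'A';
        if (b >= 'A' && b <= 'Z') b += 'a' - 'A';
        if (a != b) return 0;
    }
    return 1;
}

/* Walks every entry, rewrites both sizes on entries named `target`, and returns
 * the number patched, or -1 if an offset or length would take the walk outside
 * the `len` bytes the file system actually filled in. */
static int patch_listing(unsigned char *buf, size_t len, const char *target,
                         LONGLONG fake_eof, LONGLONG fake_alloc)
{
    size_t off = 0;
    int patched = 0;
    for (;;) {
        if (len - off < NAME_OFFSET) return -1;                     /* truncated header */
        FILE_BOTH_DIR_INFORMATION *e = (FILE_BOTH_DIR_INFORMATION *)(buf + off);
        if (e->FileNameLength > len - off - NAME_OFFSET) return -1;  /* name runs past end */
        if (name_matches((WCHAR *)(buf + off + NAME_OFFSET), e->FileNameLength, target)) {
            e->EndOfFile.QuadPart = fake_eof;
            e->AllocationSize.QuadPart = fake_alloc;
            patched++;
        }
        if (e->NextEntryOffset == 0) break;                         /* last entry */
        if (e->NextEntryOffset < NAME_OFFSET + e->FileNameLength ||
            e->NextEntryOffset > len - off) return -1;              /* backwards or out of bounds */
        off += e->NextEntryOffset;
    }
    return patched;
}

/* Fixture: appends one entry at the next 8-byte boundary (as the file system
 * packs them) and links the previous entry to it. Returns the new end offset. */
static size_t append_entry(unsigned char *buf, size_t cap, size_t end, size_t *prev,
                           const char *name, LONGLONG eof, LONGLONG alloc)
{
    size_t n = strlen(name), start = (end + 7) & ~(size_t)7, need = NAME_OFFSET + n * 2;
    if (start + need > cap) return end;
    FILE_BOTH_DIR_INFORMATION *e = (FILE_BOTH_DIR_INFORMATION *)(buf + start);
    WCHAR *fn = (WCHAR *)(buf + start + NAME_OFFSET);
    memset(e, 0, need);
    e->EndOfFile.QuadPart = eof;
    e->AllocationSize.QuadPart = alloc;
    e->FileNameLength = (ULONG)(n * 2);
    for (size_t i = 0; i < n; i++) fn[i] = (WCHAR)(unsigned char)name[i];
    if (end != 0) ((FILE_BOTH_DIR_INFORMATION *)(buf + *prev))->NextEntryOffset = (ULONG)(start - *prev);
    *prev = start;
    return start + need;
}

static uint64_t storage[128];   /* 8-byte aligned, like the real DirectoryBuffer */

/* Constructed three-entry listing: the file from the thread plus two others. */
static size_t build_sample(unsigned char *buf)
{
    size_t prev = 0, end = 0;
    end = append_entry(buf, sizeof storage, end, &prev, "test.txt", 1234, 4096);
    end = append_entry(buf, sizeof storage, end, &prev, "other.bin", 99, 4096);
    return append_entry(buf, sizeof storage, end, &prev, "notes.TXT", 5, 8);
}

int demo_patch_count(void)   /* entries given the fake sizes: 1 (match is case-insensitive) */
{
    unsigned char *buf = (unsigned char *)storage;
    return patch_listing(buf, build_sample(buf), "Test.txt", 10, 8192);
}

LONGLONG demo_size(int index, int want_alloc)   /* a size of entry #index after the patch */
{
    unsigned char *buf = (unsigned char *)storage;
    patch_listing(buf, build_sample(buf), "Test.txt", 10, 8192);
    FILE_BOTH_DIR_INFORMATION *e = (FILE_BOTH_DIR_INFORMATION *)buf;
    while (index-- > 0) e = (FILE_BOTH_DIR_INFORMATION *)((unsigned char *)e + e->NextEntryOffset);
    return want_alloc ? e->AllocationSize.QuadPart : e->EndOfFile.QuadPart;
}

int demo_malformed(void)   /* a NextEntryOffset pointing past the buffer is rejected: -1 */
{
    unsigned char *buf = (unsigned char *)storage;
    size_t len = build_sample(buf);
    ((FILE_BOTH_DIR_INFORMATION *)buf)->NextEntryOffset = 0x7fffffffu;
    return patch_listing(buf, len, "test.txt", 10, 8192);
}

int main(void)
{
    printf("patched=%d test.txt eof=%lld alloc=%lld other.bin eof=%lld malformed=%d\n",
           demo_patch_count(), (long long)demo_size(0, 0), (long long)demo_size(0, 1),
           (long long)demo_size(1, 0), demo_malformed());
    return 0;
}
```

The bounds checks are the part worth carrying into the driver: the walk must trust neither NextEntryOffset nor FileNameLength beyond the filled length, and it must stop at the first entry whose NextEntryOffset is 0 rather than at the end of the allocation, because the file system fills only part of the caller's buffer.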