File access in VMWare

In VMWare virtual machine, if I copy a file to the host’s share folder
through
the host name or host IP address path, I can see the IRPs in my filesystem
filter
driver. But If I copy file to the VMWare’s host share folder(created by
VMWare
setting), no IRPs were seen in my filter driver, physically these two share
folder
are the same folder on host. I also tried the FileMon tool, same results.
In this case, is VMWare doing something special to bypass the file system
filter?
should that be a hole in the real world?
thanks.

AFei

Where is your filter driver, on the host or in the VM?
Can you describe your setup in more details?

VMware Workstation shared folders are implemented by
a network file system driver inside a guest, hgfs.sys.
The data passing between host and guest is done through
a special secure “backdoor”.

Dmitriy Budko, VMware

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com]On Behalf Of AFei
Sent: Wednesday, January 26, 2005 10:10 AM
To: Windows File Systems Devs Interest List
Subject: [ntfsd] File access in VMWare

In VMWare virtual machine, if I copy a file to the host’s share folder
through
the host name or host IP address path, I can see the IRPs in
my filesystem
filter
driver. But If I copy file to the VMWare’s host share
folder(created by
VMWare
setting), no IRPs were seen in my filter driver, physically
these two share
folder
are the same folder on host. I also tried the FileMon tool,
same results.
In this case, is VMWare doing something special to bypass the
file system
filter?
should that be a hole in the real world?
thanks.

AFei

The filter driver runs in the VM, what I’m doing is testing the filter
driver
on different OS platfroms. This problem happens only on the VMWare
share folder “.host\**”.
So the file actually goes through the network driver hgfs.sys (“backdoor”),
then was saved to the host’s hard drive, the VM local file system didn’t see
this
operation at all, it makes sense. thanks a lot.

“Dmitriy Budko” wrote in message news:xxxxx@ntfsd…
Where is your filter driver, on the host or in the VM?
Can you describe your setup in more details?

VMware Workstation shared folders are implemented by
a network file system driver inside a guest, hgfs.sys.
The data passing between host and guest is done through
a special secure “backdoor”.

Dmitriy Budko, VMware

> -----Original Message-----
> From: xxxxx@lists.osr.com
> [mailto:xxxxx@lists.osr.com]On Behalf Of AFei
> Sent: Wednesday, January 26, 2005 10:10 AM
> To: Windows File Systems Devs Interest List
> Subject: [ntfsd] File access in VMWare
>
>
>
> In VMWare virtual machine, if I copy a file to the host’s share folder
> through
> the host name or host IP address path, I can see the IRPs in
> my filesystem
> filter
> driver. But If I copy file to the VMWare’s host share
> folder(created by
> VMWare
> setting), no IRPs were seen in my filter driver, physically
> these two share
> folder
> are the same folder on host. I also tried the FileMon tool,
> same results.
> In this case, is VMWare doing something special to bypass the
> file system
> filter?
> should that be a hole in the real world?
> thanks.
>
> AFei

Your filter driver should be able to filter HGFS file system too,
it’s just another file system for for the filter.

Dmitriy Budko, VMware

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com]On Behalf Of AFei
Sent: Wednesday, January 26, 2005 6:41 PM
To: Windows File Systems Devs Interest List
Subject: Re:[ntfsd] File access in VMWare

The filter driver runs in the VM, what I’m doing is testing the filter
driver
on different OS platfroms. This problem happens only on the VMWare
share folder “.host\**”.
So the file actually goes through the network driver hgfs.sys
(“backdoor”),
then was saved to the host’s hard drive, the VM local file
system didn’t see
this
operation at all, it makes sense. thanks a lot.

Hi Dmitriy, thanks for the quick reply.
Even though the HGFS file system can not be automatically attached by
FileMon
or my filter driver in this case, if it needs “manually” recognize and
attach, then at least
it’s different to the other file system drivers.

“Dmitriy Budko” wrote in message news:xxxxx@ntfsd…
Your filter driver should be able to filter HGFS file system too,
it’s just another file system for for the filter.

Dmitriy Budko, VMware

> -----Original Message-----
> From: xxxxx@lists.osr.com
> [mailto:xxxxx@lists.osr.com]On Behalf Of AFei
> Sent: Wednesday, January 26, 2005 6:41 PM
> To: Windows File Systems Devs Interest List
> Subject: Re:[ntfsd] File access in VMWare
>
>
> The filter driver runs in the VM, what I’m doing is testing the filter
> driver
> on different OS platfroms. This problem happens only on the VMWare
> share folder “.host\**”.
> So the file actually goes through the network driver hgfs.sys
> (“backdoor”),
> then was saved to the host’s hard drive, the VM local file
> system didn’t see
> this
> operation at all, it makes sense. thanks a lot.

> Even though the HGFS file system can not be automatically attached by

FileMon or my filter driver in this case, if it needs “manually” recognize
and
attach, then at least it’s different to the other file system drivers.

Maybe the FileSpy tool might help you.
It is like Filemon, but uses the FileSpy.sys driver from the IFS Kit 2003.
Although it is still in beta version and I haven’t tested it on WMWare,
its ability to attach to device by device name might help you.

You may download the latest release from
http://www.zezula.net/download/filespy.zip.

Run it, select “Volumes” and “Attach manually”
and type the name of the device.

Note that I don’t recommend to attach another device
than file systems :-))

L.

Thanks Ladislav, I’ll try this. :slight_smile:

“Ladislav Zezula” wrote in message news:xxxxx@ntfsd…
> > Even though the HGFS file system can not be automatically attached by
> > FileMon or my filter driver in this case, if it needs “manually”
recognize
> > and
> > attach, then at least it’s different to the other file system drivers.
>
> Maybe the FileSpy tool might help you.
> It is like Filemon, but uses the FileSpy.sys driver from the IFS Kit 2003.
> Although it is still in beta version and I haven’t tested it on WMWare,
> its ability to attach to device by device name might help you.
>
> You may download the latest release from
> http://www.zezula.net/download/filespy.zip.
>
> Run it, select “Volumes” and “Attach manually”
> and type the name of the device.
>
> Note that I don’t recommend to attach another device
> than file systems :-))
>
> L.
>
>

Hi Dmitriy,

I am interested in the same thing. When I try to get the device
object pointer to \Device\HGFS or ??\HGFS via
IoGetDeviceObjectPointer(), I get STATUS_ACCESS_DENIED. This is
different than other filesystems. I’m doing it in the context of a
system thread.

Does the HGFS driver allow only exclusive access? I’m only
interested in the file object / device object for it.

Hemonth

Dmitriy Budko wrote:

Your filter driver should be able to filter HGFS file system too,
it’s just another file system for for the filter.

Dmitriy Budko, VMware

>-----Original Message-----
>From: xxxxx@lists.osr.com
>[mailto:xxxxx@lists.osr.com]On Behalf Of AFei
>Sent: Wednesday, January 26, 2005 6:41 PM
>To: Windows File Systems Devs Interest List
>Subject: Re:[ntfsd] File access in VMWare
>
>
>The filter driver runs in the VM, what I’m doing is testing the filter
>driver
>on different OS platfroms. This problem happens only on the VMWare
>share folder “.host\**”.
>So the file actually goes through the network driver hgfs.sys
>(“backdoor”),
>then was saved to the host’s hard drive, the VM local file
>system didn’t see
>this
>operation at all, it makes sense. thanks a lot.
>
>


Questions? First check the IFS FAQ at https://www.osronline.com/article.cfm?id=17

You are currently subscribed to ntfsd as: unknown lmsubst tag argument: ‘’
To unsubscribe send a blank email to xxxxx@lists.osr.com

Using DeviceTree, can you tell us what the flags are on that device
object?

Regards,

Tony

Tony Mason
Consulting Partner
OSR Open Systems Resources, Inc.
http://www.osr.com

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Hemonth Rao
Sent: Monday, January 31, 2005 1:51 PM
To: ntfsd redirect
Subject: Re: [ntfsd] File access in VMWare

Hi Dmitriy,

I am interested in the same thing. When I try to get the device
object pointer to \Device\HGFS or ??\HGFS via
IoGetDeviceObjectPointer(), I get STATUS_ACCESS_DENIED. This is
different than other filesystems. I’m doing it in the context of a
system thread.

Does the HGFS driver allow only exclusive access? I’m only
interested in the file object / device object for it.

Hemonth

Dmitriy Budko wrote:

Your filter driver should be able to filter HGFS file system too,
it’s just another file system for for the filter.

Dmitriy Budko, VMware

>-----Original Message-----
>From: xxxxx@lists.osr.com
>[mailto:xxxxx@lists.osr.com]On Behalf Of AFei
>Sent: Wednesday, January 26, 2005 6:41 PM
>To: Windows File Systems Devs Interest List
>Subject: Re:[ntfsd] File access in VMWare
>
>
>The filter driver runs in the VM, what I’m doing is testing the filter
>driver
>on different OS platfroms. This problem happens only on the VMWare
>share folder “.host\**”.
>So the file actually goes through the network driver hgfs.sys
>(“backdoor”),
>then was saved to the host’s hard drive, the VM local file
>system didn’t see
>this
>operation at all, it makes sense. thanks a lot.
>
>


Questions? First check the IFS FAQ at
https://www.osronline.com/article.cfm?id=17

You are currently subscribed to ntfsd as: unknown lmsubst tag argument:
‘’
To unsubscribe send a blank email to xxxxx@lists.osr.com


Questions? First check the IFS FAQ at
https://www.osronline.com/article.cfm?id=17

You are currently subscribed to ntfsd as: xxxxx@osr.com
To unsubscribe send a blank email to xxxxx@lists.osr.com

Hi Tony,

Thanks for your interest. I had not been using DeviceTree before,
but now I see that \Device\HGFS has the EXCLUSIVE flag set, along with
DEVICE_HAS_NAME and NEITHER_IO.

Since it’s a named device and has a symlink, I thought it might
already have a handle open to it. Upon failing
IoGetDeviceObjectPointer(), I walked through the handle list using
ZwQuerySystemInformation(). Based on this struct:

typedef struct _SYSTEM_HANDLE_TABLE_ENTRY_INFO {
USHORT UniqueProcessId;
USHORT CreatorBackTraceIndex;
UCHAR ObjectTypeIndex;
UCHAR HandleAttributes;
USHORT HandleValue;
PVOID Object;
ULONG GrantedAccess;
} SYSTEM_HANDLE_TABLE_ENTRY_INFO, *PSYSTEM_HANDLE_TABLE_ENTRY_INFO;

I looked up the object names with ObQueryNameString(). I did get
sensible names. Unfortunately, none of them pertained to the HGFS driver.

By the way, \Device\HGFS is some unrecognized device object type.
However, there is another device object, \Device\hgfsInternal, which
does show up in DeviceTree and SoftICE. It doesn’t have exclusive
access, and is listed as a file system driver. DeviceTree does not show
a dependency between \Device\HGFS and \Device\hgfsInternal. Among the
characteristics for \Device\hgfsInternal, FILE_DEVICE_IS_MOUNTED is
set. Unfortunately, when I try to connect to it with
IoGetDeviceObjectPointer(), I get STATUS_OBJECT_NAME_INVALID. There
appears to be no symlink for \Device\hgfsInternal.

Hemonth

Tony Mason wrote:

Using DeviceTree, can you tell us what the flags are on that device
object?

Regards,

Tony

Tony Mason
Consulting Partner
OSR Open Systems Resources, Inc.
http://www.osr.com

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Hemonth Rao
Sent: Monday, January 31, 2005 1:51 PM
To: ntfsd redirect
Subject: Re: [ntfsd] File access in VMWare

Hi Dmitriy,

I am interested in the same thing. When I try to get the device
object pointer to \Device\HGFS or ??\HGFS via
IoGetDeviceObjectPointer(), I get STATUS_ACCESS_DENIED. This is
different than other filesystems. I’m doing it in the context of a
system thread.

Does the HGFS driver allow only exclusive access? I’m only
interested in the file object / device object for it.

Hemonth

Dmitriy Budko wrote:

>Your filter driver should be able to filter HGFS file system too,
>it’s just another file system for for the filter.
>
>Dmitriy Budko, VMware
>
>
>
>
>
>>-----Original Message-----
>>From: xxxxx@lists.osr.com
>>[mailto:xxxxx@lists.osr.com]On Behalf Of AFei
>>Sent: Wednesday, January 26, 2005 6:41 PM
>>To: Windows File Systems Devs Interest List
>>Subject: Re:[ntfsd] File access in VMWare
>>
>>
>>The filter driver runs in the VM, what I’m doing is testing the filter
>>driver
>>on different OS platfroms. This problem happens only on the VMWare
>>share folder “.host\**”.
>>So the file actually goes through the network driver hgfs.sys
>>(“backdoor”),
>>then was saved to the host’s hard drive, the VM local file
>>system didn’t see
>>this
>>operation at all, it makes sense. thanks a lot.
>>
>>
>>
>>
>—
>Questions? First check the IFS FAQ at
>
>
https://www.osronline.com/article.cfm?id=17

>You are currently subscribed to ntfsd as: unknown lmsubst tag argument:
>
>
‘’

>To unsubscribe send a blank email to xxxxx@lists.osr.com
>
>
>
>
>
>
>


Questions? First check the IFS FAQ at
https://www.osronline.com/article.cfm?id=17

You are currently subscribed to ntfsd as: xxxxx@osr.com
To unsubscribe send a blank email to xxxxx@lists.osr.com


Questions? First check the IFS FAQ at https://www.osronline.com/article.cfm?id=17

You are currently subscribed to ntfsd as: unknown lmsubst tag argument: ‘’
To unsubscribe send a blank email to xxxxx@lists.osr.com