File Filter Monitor

All,

I’ve embarked on a file filter driver project and would like to get all my
ducks in a row before I jump into the wrong model.

What the driver is:

  1. A filter that will monitor files being opened
  2. Determine if they are an EXE
  3. Look at the header of the file
  4. Depending on #3, if a match is found, display a dialog
    to the user to continue or stop the file from opening.

What I’ve done:

  1. Worked with an antivirus company years ago and wrote the low
    level device driver for DOS, Win3.x.
  2. Wrote WDM Audio Device Drivers.
  3. Discovered the IFS Kit from MS, purchased, installed and have studied.
  4. Searched this newsgroup for Q/A.
  5. Have the latest SoftIce stuff for Win2k.

What I think I need:

  1. System Kernel Driver based on SFilter.
  2. User mode driver for dialog box?
  3. Help on direction? Suggestions of where I may find someone to help
    out.

Feel free to email and/or call me.

Best Regards,
Carlton
440-717-7510 x 110


You are currently subscribed to ntfsd as: $subst(‘Recip.EmailAddr’)
To unsubscribe send a blank email to leave-ntfsd-$subst(‘Recip.MemberIDChar’)@lists.osr.com

> What the driver is:
>
>   1. A filter that will monitor files being opened
>   2. Determine if they are an EXE
>   3. Look at the header of the file
>   4. Depending on #3, if a match is found, display a dialog
>     to the user to continue or stop the file from opening.

A filter driver can filter these main events:
IRP_MJ_CREATE
IRP_MJ_CREATE_NAMED_PIPE
IRP_MJ_CLOSE
IRP_MJ_READ
IRP_MJ_WRITE
IRP_MJ_QUERY_INFORMATION
IRP_MJ_SET_INFORMATION
IRP_MJ_QUERY_EA
IRP_MJ_SET_EA
IRP_MJ_FLUSH_BUFFERS
IRP_MJ_QUERY_VOLUME_INFORMATION
IRP_MJ_SET_VOLUME_INFORMATION
IRP_MJ_DIRECTORY_CONTROL
IRP_MJ_FILE_SYSTEM_CONTROL
IRP_MJ_DEVICE_CONTROL
IRP_MJ_INTERNAL_DEVICE_CONTROL
IRP_MJ_SHUTDOWN
IRP_MJ_LOCK_CONTROL
IRP_MJ_CLEANUP
IRP_MJ_CREATE_MAILSLOT
IRP_MJ_QUERY_SECURITY
IRP_MJ_SET_SECURITY
IRP_MJ_QUERY_POWER
IRP_MJ_SET_POWER
IRP_MJ_DEVICE_CHANGE
IRP_MJ_QUERY_QUOTA
IRP_MJ_SET_QUOTA
IRP_MJ_PNP_POWER
IRP_MJ_MAXIMUM_FUNCTION

A filter driver does not itself identify whether a file is an EXE or not, but you
can identify it by trapping the above events.

I feel that for displaying the dialog you can interact with a front-end application.

> What I’ve done:
>
>   1. Worked with an antivirus company years ago and wrote the low
>     level device driver for DOS, Win3.x.
>   2. Wrote WDM Audio Device Drivers.
>   3. Discovered the IFS Kit from MS, purchased, installed and have studied.
>   4. Searched this newsgroup for Q/A.
>   5. Have the latest SoftIce stuff for Win2k.

I have the DDK, VC++, MS-Tools, SoftIce and the IFS Kit; these things are enough.

> What I think I need:
>
>   1. System Kernel Driver based on SFilter.
>   2. User mode driver for dialog box?
>   3. Help on direction? Suggestions of where I may find someone to help
>     out.
>
> Feel free to email and/or call me.

I am referring to Rajeev Nagar's book and his sample filter driver.

Regards,
Satish K.S
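Step 3 of the original post (look at the header) and the reply's point that the filter must decide for itself whether a trapped file is an EXE: an added example, not code from either poster, from SFilter or from Nagar's sample. It is a user-mode C routine for the header check that a driver would apply to the first bytes read once the IRP_MJ_CREATE has completed; `is_pe_image` and `build_sample_header` are names chosen here, and the sample header is constructed, not a real file.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constants from the PE/COFF image layout. */
#define DOS_MAGIC       0x5A4D      /* "MZ" read as a little-endian WORD */
#define PE_SIGNATURE    0x00004550  /* "PE\0\0" read as a little-endian DWORD */
#define E_LFANEW_OFFSET 0x3C        /* DWORD holding the offset of "PE\0\0" */

/* Little-endian reads that do not assume the buffer is aligned. */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Return 1 if the first `len` bytes of a file are a PE image header
 * (EXE/DLL/SYS), else 0. Every offset is bounds-checked: a truncated or
 * crafted header must not cause an out-of-range read in a kernel filter. */
int is_pe_image(const uint8_t *buf, size_t len)
{
    uint32_t pe_off;

    if (buf == NULL || len < E_LFANEW_OFFSET + 4)
        return 0;
    if (rd16(buf) != DOS_MAGIC)
        return 0;
    pe_off = rd32(buf + E_LFANEW_OFFSET);
    /* e_lfanew must lie past the DOS header and leave room for the signature */
    if (pe_off < E_LFANEW_OFFSET + 4 || pe_off > len - 4)
        return 0;
    return rd32(buf + pe_off) == PE_SIGNATURE ? 1 : 0;
}

/* Constructed sample header (not a real file): minimal MZ stub with
 * e_lfanew = pe_off and, if it fits, "PE\0\0" at that offset. len >= 0x40. */
void build_sample_header(uint8_t *buf, size_t len, uint32_t pe_off)
{
    int i;
    memset(buf, 0, len);
    buf[0] = 'M'; buf[1] = 'Z';
    for (i = 0; i < 4; i++)   /* little-endian e_lfanew */
        buf[E_LFANEW_OFFSET + i] = (uint8_t)(pe_off >> (8 * i));
    if (pe_off + 4 <= len) {  /* the two trailing zero bytes come from memset */
        buf[pe_off] = 'P'; buf[pe_off + 1] = 'E';
    }
}
```

The decision is made on file content rather than on the extension, so renaming an image does not bypass the check, and a file that is too short to hold the signature is simply reported as not an EXE.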
