File System Filter Driver Problem

Hi all,

I'm developing a file system filter driver which is a kind of
“secondary ACL layer”. If Windows ACL allows the access for a file or
directory, the request is sent to I/O Manager which will designate it
to the device driver. My filter driver intercepts the MJ_CREATE
request. I am having a problem at this time: if I don't send this
request to the device driver ( IoCallDriver() ) I cannot identify
which file the UserMode requested, because the handle of the file is
not opened. So, before the IoCallDriver() I set my completion routine,
which will be called after the device driver opens the requested file.
Now in my completion routine, I have access to the opened file
name which I can compare with some protected files and folders
(dynamically loaded from the registry). But a major problem occurs
when I deny the access in the Irp->IoStatus.Status as follows:

Irp->IoStatus.Status = STATUS_ACCESS_DENIED;
Irp->IoStatus.Information = 0;

To illustrate the problem I will show it in a logical sequence on the
“Command Prompt”:

. . . . … . . . .

* I set my registry to deny the DELETE operation for the file
“C:\Temp\Myfile.txt”. Everyone can read, write, append, except delete.

C:\TEMP> type file.txt
This is my content.
C:\TEMP> type file.txt
This is my content.
C:\TEMP> del file.txt
C:\TEMP\file.txt
Access Denied.

C:\TEMP> type arquivo.txt
File is in use by another process.

. . . . … . . . .

In my point of view, this happens because the FILE_OBJECT in the Irp is still
open. I cannot only DENY the request; I need to CLOSE the FILE_OBJECT
returned from the device driver call before completing the request
( IoCompleteRequest() ).

But how can I do this?!?

Best regards,

Gabriel Montenegro
* gabriel.montenegro.dev (at) gmail.com
* Res: +55 61 3381-3470
* Com: +55 61 3316-3604
* Cel: +55 61 8142-3297

If you can do a mini-filter, all of this will be much,
much easier.

You can determine the name of the file before it is
opened in most cases. I believe this is in the FAQ.
It is a real pain to get right.

You can also cancel the open which according to others
here is problematic. Most likely there have been many
discussions on this previously. Search the archives
for the details.

If you want to fail delete operations, you’ll need to
handle both of the direct methods of deletion (open
with delete on close flag set and setinformation) and
then you’ll need to think how you want to handle all
of the other things that can be done to a file that
effectively “delete” the file. Open with overwrite
flag, rename, etc…

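The deletion paths the reply above enumerates, turned into a pre-operation policy check (an added example, not code from this thread or from any OSR sample): the decision is taken from the create parameters or the set-information class before the request is passed down, so the filter never ends up holding an opened FILE_OBJECT that it then has to close. The `fs_request` struct, `should_block_delete()` and the locally redefined DDK constant values are assumptions of the example; in a real minifilter the inputs come from the callback data and the name from FltGetFileNameInformation.

```c
#include <stdbool.h>
#include <ctype.h>
/* Values mirror the Windows DDK definitions (assumption: they match the WDK
 * headers you build against; redefined here so the block compiles anywhere). */
#define DELETE_ACCESS              0x00010000u /* DELETE access right    */
#define FILE_DELETE_ON_CLOSE       0x00001000u /* create option          */
#define FILE_SUPERSEDE             0u          /* create dispositions    */
#define FILE_OVERWRITE             4u
#define FILE_OVERWRITE_IF          5u
#define FileRenameInformation      10          /* FILE_INFORMATION_CLASS */
#define FileDispositionInformation 13
typedef enum { OP_CREATE, OP_SET_INFORMATION } op_kind;
typedef struct {
    op_kind  kind;
    unsigned desired_access;     /* OP_CREATE */
    unsigned create_options;     /* OP_CREATE: low 24 bits of Create.Options */
    unsigned create_disposition; /* OP_CREATE: high 8 bits of Create.Options */
    int      info_class;         /* OP_SET_INFORMATION */
} fs_request;

/* Windows paths are case-insensitive: "C:\TEMP\file.txt" must match a rule
 * written as "C:\Temp\File.txt". */
static bool path_equal_ci(const char *a, const char *b)
{
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return false;
    return *a == '\0' && *b == '\0';
}

/* Decide, before the request reaches the file system (so no FILE_OBJECT is
 * ever opened), whether it would delete or destroy the protected file.
 * Each branch is one of the deletion paths the reply above enumerates. */
bool should_block_delete(const fs_request *r, const char *path, const char *protected_path)
{
    if (!path_equal_ci(path, protected_path))
        return false;
    if (r->kind == OP_CREATE) {
        if (r->create_options & FILE_DELETE_ON_CLOSE)   /* open with delete-on-close */
            return true;
        if (r->create_disposition == FILE_SUPERSEDE ||  /* supersede/overwrite wipe  */
            r->create_disposition == FILE_OVERWRITE ||  /* the contents: an         */
            r->create_disposition == FILE_OVERWRITE_IF) /* "effective" delete       */
            return true;
        /* DELETE access is what a later disposition or rename needs; refusing it at open time closes both paths. */
        return (r->desired_access & DELETE_ACCESS) != 0;
    }
    /* OP_SET_INFORMATION: del.exe sets disposition; rename moves the file away. */
    return r->info_class == FileDispositionInformation || r->info_class == FileRenameInformation;
}
```

A plain read open (FILE_OPEN disposition, no DELETE access) of the protected file passes, which is the "everyone can read, write, append, except delete" policy from the original post.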

To close an opened file you can use IoCancelFileOpen. But before using this
function, read some articles at OSR about how to close opened files in your
filter. I noticed that in XP SP2 the close
request is postponed, while in earlier versions it is sent from
IoCancelFileOpen after the cleanup request.
