File system Filter Driver problem

suresh_vishnoi · February 17, 2010, 12:43am

Hi all,

I am writing a file system filter driver where the actual need is to redirect files based on some extension. for example, if I intercept any request for file called c"\d.mp3, I will redirect it to D:\d.mp3. where D:\ is hidden to explorer using grup policy settings. It works fine.

But when Query directory request comes, these files are not shown as part of C:.
I tried intercepting and modifying directory control request on FSFilter driver in a way that when it is finished with C:\ ,it send Irp to D:, But no success.

I am using Sfilter source code as base code.

I hope it is understandable. if you know better approach please let me know. Any help is welcomed.

Thanks
~Suresh

Aditya_Shrivastava · February 17, 2010, 6:57am

I wonder when you said that “if I intercept any request for file called c”\d.mp3, I will redirect it to D:\d.mp3. where D:\ is hidden to explorer using grup policy settings. It works fine. "

AFAIK it should not work across volumes. anyways

you can create an IRP (directory control) and send it to the d:'s device object. when done you can copy the data to the original IRP buffer. *you* will handle every thing here.

I think preferred way of doing it is reparse point(your effort will be less in compare witht he previous approach) though I am not completely aware abt this, so you better investigate first or wait for Ayush to reply.

Aditya

OSR_Community_User · February 17, 2010, 12:37pm

I would expect you need to handle the query directory and combine the results from the two operations. This is one of those operations that makes filters complicated - you basically need the handling of a file system for the directory enumeration operations. In our own work, we’ve found it necessary to build a cache of this information in order to make this sufficiently fast, although we have a more complex case than you do (we have to change attributes and size information of the directory entries.)

Tony
OSR

Ayush_Gupta-2 · February 18, 2010, 3:07pm

Well, ofcourse you need to handle IRP_MJ_DIRECTORY_CONTROL. Make sure that
you use the *correct* instance since your “other” directory is on a
different volume. Also, if you start from top of the stack on that volume,
there is a possibility that other minifilter that has an altitude > than
your minifilter’s altitude might fudge the results. So, you need to be
careful and use “your” instance for the other volume while issuing
FltQueryDirectoryFile. Moreover, for OS version < Vista, you need to build
your own FltQueryDirectoryFile.

An interesting feature of IRP_MJ_DIRECTORY_CONTROL is the SL_INDEX_SPECIFIED
flag and the index. If this flag is set, the FileIndex parameter has to be
used. So, remember to test your filter with NTVDM because no other API can
specify this flag or parameter.
In the same context, I would like to ask someone from MS/ or anyone who has
dealt with this thing before: Why was this parameter even provided when even
NtQueryDirectoryFile does not provide a way to set it?

Regards,
Ayush Gupta
AI Consulting

-----Original Message-----
From: xxxxx@lists.osr.com [mailto:bounce-401675-
xxxxx@lists.osr.com] On Behalf Of xxxxx@gmail.com
Sent: Wednesday, February 17, 2010 5:28 PM
To: Windows File Systems Devs Interest List
Subject: RE:[ntfsd] File system Filter Driver problem

I wonder when you said that “if I intercept any request for file called
c”\d.mp3, I will redirect it to D:\d.mp3. where D:\ is hidden to
explorer using grup policy settings. It works fine. "

AFAIK it should not work across volumes. anyways

you can create an IRP (directory control) and send it to the d:'s
device object. when done you can copy the data to the original IRP
buffer. *you* will handle every thing here.

I think preferred way of doing it is reparse point(your effort will be
less in compare witht he previous approach) though I am not completely
aware abt this, so you better investigate first or wait for Ayush to
reply.

Aditya

NTFSD is sponsored by OSR

For our schedule of debugging and file system seminars
(including our new fs mini-filter seminar) visit:
http://www.osr.com/seminars

To unsubscribe, visit the List Server section of OSR Online at
http://www.osronline.com/page.cfm?name=ListServer

OSR_Community_User · February 18, 2010, 7:00pm

Current versions of SRV will use SL_INDEX_SPECIFIED (been there, done that, debugged it.) But indeed, NTVDM also does it - and there is no mechanism for doing it via the native API (since SL_INDEX_SPECIFIED can only be built “in kernel” at present.)

I believe this was originally added to support NTVDM (which does use it) and of course SRV now uses it (because it’s there, perhaps) but apparently it wasn’t invented early enough to get it added to the obvious native call.

Tony
OSR

suresh_vishnoi · February 19, 2010, 12:25am

hello Aditya,Tony and Ayush,

Thanks a lot for you valunerable inputs.
for feasibility test, I did following three steps:
Whenever Dircontrol request returns STATUS_NO_MORE_FILES, I send ZwQueryDirectoryFile to other volumes and copy output data to Irp’s buffer. It worked. I need to look into FltQueryDirectoryFile function.

in ZwCreatefile, Is it necessary that Object Path name must be “\Device\HardDiskVolume2” instead “D:\”?

Again thanks for quick responses.

OSR Addict,
Suresh Vishnoi