File System Filter Driver

Hi,

I am new to Windows Programming. And currently I am working on developing a File System Filter Driver using C++ to check the Directory Modifications (say Files Added/Modified/Deleted/Renamed requests). My concern is, if I receive an ‘ADD File’ request (say a new file is added), I just need to write the full path of the filename in a text file. That's all.

Please check the following things which I have understood regarding the Filter Driver.

I need to create a MiniFilter Code, and once I compile I will have a ‘.sys’ file. I need to install it by the following steps:

sc create testFilter type= filesys binPath= c:\testFilter.sys (Register as a service)
sc start testFilter -> To Load the Driver. Hope it will start the Driver code. And it will call the DriverEntry code, which will automatically get the DriverObject and RegistryPath of the Driver.

sc stop testFilter -> Used to Unload the Driver
sc delete testFilter -> Used to Delete the Driver

The Driver Code should have the following functions:

  1. DriverEntry -> Which is similar to our Main() function.
  2. Inside DriverEntry I need to call the following operations:
     FltRegisterFilter();
     FltStartFiltering();

Based on the documentation, ‘FltStartFiltering’ will ‘ready the Mini Filter to begin attaching to volumes and filtering I/O requests’ (from the FilterDriverDeveloperGuide). Hence, I thought that after calling the ‘FltStartFiltering’ code I need to attach the available drivers by using ‘FltAttachVolume’ or ‘FltAttachVolumeAtAltitude’. But when I go through the ‘FilterSpy’ code and the ‘CaptureFileMonitor’ code, I could not see this step. Hence, now I assume FltStartFiltering() will monitor all the available drives and report notifications. In this case, I am not aware how to get the exact file names which are added/modified. FltStartFiltering only returns STATUS_SUCCESS.

Or otherwise, I have to get notifications from the PreOperation and PostOperation callbacks in FltRegisterFilter.

Please clarify the above things for me.

Thanks in Advance,
Ashar.

First, any file system filter is one of the hardest things in kernel
programming, so please consider stepping back and learning some basics
before jumping into the hard stuff. Second, using C++ adds a bunch of
additional challenges to driver development (see
http://www.microsoft.com/whdc/driver/kernel/KMcode.mspx), but as a newbie I
seriously cannot recommend going there.

If you want to go down this path, take the filespy example, set up a test
machine, put WinDbg on your development machine and use that to learn
what is going on. You need to be installing and starting this with an INF
file, not the service control stuff. Also, you need to learn what the
requests look like; you are going to be processing a fair number of
operations, and this is where filespy is a good way to start.

Seriously, unless you really need this for employment, step back and try
something a lot simpler for your first efforts.


Don Burn (MVP, Windows DKD)
Windows Filesystem and Driver Consulting
Website: http://www.windrvr.com
Blog: http://msmvps.com/blogs/WinDrvr


(deleted due to blatant marketing content)

This is the second time you have done this and if nobody else will say it I
will:

Please do not use this list to troll for business

A lot of people (including the ones who so graciously host this site) avoid
using this newsgroup to market their products & services. They refrain from
doing so not just because it’s in the rules (which it is) but because we
appreciate the higher signal to noise ratio that happens when people stick
to technology.

Rod

Perhaps the mods would like to lock this thread or at least repost the rules.

Given that you are new to Windows development, it would take you about a
year to get your task done. Consider using CallbackFilter (
http://www.eldos.com/cbflt/ ), which does all the job for you and lets you write
code in user mode.

Sincerely yours,
Eugene Mayevski

Hi,

I tried to write a sample Filter Driver program to monitor the file notifications. I have tried to write the Added/Modified file names in the filter Driver code. I added fopen() code in the PFLT_PRE_OPERATION_CALLBACK … But when compiling the driver code, I receive a linker error, say ‘Unresolved external symbol __imp__fopen referenced in function _PreFileOperation’.

Could anyone clarify for me whether I need to add any libraries in the ‘sources’ file or anything else I need to do.

Thanks
Ashar.

— On Thu, 11/12/09, xxxxx@eldos.org wrote:

From: xxxxx@eldos.org
Subject: RE:[ntfsd] File System Filter Driver
To: “Windows File Systems Devs Interest List”
Date: Thursday, November 12, 2009, 12:54 AM

Given that you are new to Windows development, it would take you about a year to get your task done. Consider using CallbackFilter ( http://www.eldos.com/cbflt/ ) that does all job for you and lets you write code in user mode…

Sincerely yours,
Eugene Mayevski


NTFSD is sponsored by OSR

For our schedule of debugging and file system seminars
(including our new fs mini-filter seminar) visit:
http://www.osr.com/seminars

To unsubscribe, visit the List Server section of OSR Online at http://www.osronline.com/page.cfm?name=ListServer

You cannot use fopen or almost any of the user space C runtime library in
the kernel. You really need to step back and try some simple things first.


Don Burn (MVP, Windows DKD)
Windows Filesystem and Driver Consulting
Website: http://www.windrvr.com
Blog: http://msmvps.com/blogs/WinDrvr


You should listen to Don’s advice seriously.
You need to start with the basics.

Forget C++ and forget FS Mini-Filters/Filters for the moment.
Start with basic Windows OS and Driver concepts.
Then move on to File system and mini-filters.

Go step by step, do not be impatient and skip stuff.