If the question is: “Can I read files from kernel mode” the answer is
“yes”. If the question is: “Are there existing libraries that analyze a
file and tell me its type from kernel mode” the answer is “not as part
of the OS itself”.
Regards,
Tony
Tony Mason
Consulting Partner
OSR Open Systems Resources, Inc.
http://www.osr.com
-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Anurag Sarin
Sent: Friday, October 15, 2004 2:33 AM
To: ntfsd redirect
Subject: RE: [ntfsd] File Type
Thanks Jamey,
you can read n bytes from the front of the file and use some heuristics
to determine what the file might be. EXE, DLL, and other Windows
binaries are easy to detect by looking for a PE style header.
Can I do this through Kernel mode??
anurag
-----Original Message-----
From: Jamey Kirby [mailto:xxxxx@storagecraft.com]
Sent: Thursday, October 14, 2004 10:15 PM
To: Windows File Systems Devs Interest List
Subject: RE: [ntfsd] File Type
Inherent in the architecture, the FSD knows nothing about file types.
You will have to do this all for yourself. For example, you can read n
bytes from the front of the file and use some heuristics to determine
what the file might be. EXE, DLL, and other Windows binaries are easy to
detect by looking for a PE style header.
There are some good documents floating around on the Net that will give
you a wealth of information on various file types and their associated
signatures (headers).
Jamey
-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Anurag Sarin
Sent: Thursday, October 14, 2004 2:14 AM
To: Windows File Systems Devs Interest List
Subject: [ntfsd] File Type
Hello all,
I am making a filter driver in Win2k .
I have dispatch routines of IRP_MJ_CREATE, IRP_MJ_WRITE,
IRP_MJ_SET_INFORMATION and IRP_MJ_DIRECTORY_CONTROL .
What is the best way to find the type of files on the IRP stack ?
I want to do different operations with different kinds of files like
registry files
Eg. \WINNT\SYSTEM32\CONFIG
System files
Eg NTDETECT.COM , BOOT.INI , MSDOS.SYS etc
Temp files
Eg. ~wrtxxx.tmp etc
My unique name files
Eg. \mybuffer\myuniquefilename etc
Norton antivirus files
Eg. \SYMANT~1\VIRUSD~1\ etc
I am presently taking the name in the unicode string from the IRP stack and
using substring compare functions like
wcsstr(U_FullFileName_New.Buffer, L"\\MSDOS.SYS") != NULL
I am aware of FsRtlIsNameInExpression also.
I am wondering if there is any better way suggested as a best practice. I suppose
comparing their names to find the type of file is not always a good idea.
Any Ideas??
regards
Anurag
Questions? First check the IFS FAQ at
https://www.osronline.com/article.cfm?id=17
You are currently subscribed to ntfsd as: unknown lmsubst tag argument:
‘’ To unsubscribe send a blank email to xxxxx@lists.osr.com
__________ NOD32 1.860 (20040903) Information __________
This message was checked by NOD32 antivirus system. http://www.nod32.com
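The check Jamey describes (read the first n bytes and look for a PE-style header), written out as an added example in portable C; it is not code from any poster in this thread. `classify_header`, `classify_sample`, the `hdr_kind` values and the macro names are hypothetical, and in a driver the buffer would be whatever the filter read from the front of the file.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

typedef enum { HDR_UNKNOWN, HDR_DOS_MZ, HDR_PE_IMAGE, HDR_PE_DLL } hdr_kind;

#define DOS_HEADER_SIZE 64u     /* size of the DOS (MZ) header */
#define E_LFANEW_OFFSET 0x3Cu   /* where the DOS header stores the PE header offset */
#define PE_FIXED_SIZE   24u     /* "PE\0\0" signature + 20-byte COFF file header */
#define CHARACTERISTICS 22u     /* offset of Characteristics from the signature */
#define PE_FILE_DLL     0x2000u /* Characteristics bit that marks a DLL */

/* Little-endian read done byte by byte, so no alignment is assumed. */
static uint32_t rd32(const unsigned char *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Classify the first `len` bytes of a file. The content is untrusted, so the
   offset taken from it is checked against `len` before it is dereferenced. */
hdr_kind classify_header(const unsigned char *buf, size_t len) {
    uint32_t pe_off;
    unsigned characteristics;

    if (buf == NULL || len < 2 || buf[0] != 'M' || buf[1] != 'Z')
        return HDR_UNKNOWN;
    if (len < DOS_HEADER_SIZE)
        return HDR_DOS_MZ;              /* read too short to contain e_lfanew */
    pe_off = rd32(buf + E_LFANEW_OFFSET);
    if (pe_off > len - PE_FIXED_SIZE)   /* no pe_off + N addition, so no wraparound */
        return HDR_DOS_MZ;
    if (memcmp(buf + pe_off, "PE\0\0", 4) != 0)
        return HDR_DOS_MZ;
    characteristics = buf[pe_off + CHARACTERISTICS] | (unsigned)buf[pe_off + CHARACTERISTICS + 1] << 8;
    return (characteristics & PE_FILE_DLL) ? HDR_PE_DLL : HDR_PE_IMAGE;
}

/* Constructed sample: 256 zero bytes with "MZ", the given e_lfanew and, when it
   fits, a PE signature and Characteristics; only `len` bytes are classified. */
hdr_kind classify_sample(uint32_t pe_off, unsigned characteristics, size_t len) {
    unsigned char buf[256] = {0};
    buf[0] = 'M'; buf[1] = 'Z';
    buf[0x3C] = (unsigned char)pe_off;         buf[0x3D] = (unsigned char)(pe_off >> 8);
    buf[0x3E] = (unsigned char)(pe_off >> 16); buf[0x3F] = (unsigned char)(pe_off >> 24);
    if (pe_off <= sizeof buf - PE_FIXED_SIZE) {
        memcpy(buf + pe_off, "PE\0\0", 4);
        buf[pe_off + CHARACTERISTICS] = (unsigned char)characteristics;
        buf[pe_off + CHARACTERISTICS + 1] = (unsigned char)(characteristics >> 8);
    }
    return classify_header(buf, len > sizeof buf ? sizeof buf : len);
}

int main(void) { return classify_sample(0x80, 0x2102, 256) == HDR_PE_DLL ? 0 : 1; }
```

A result of `HDR_DOS_MZ` means the buffer starts with "MZ" but no PE signature could be confirmed inside the bytes that were read, which includes the case where the read was simply too short.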