Filter driver can't detect file copy by Explorer

I have modified the DDK scanner sample to monitor file writes. This works fine if I try to create or write using Notepad or WordPad, but if I simply copy a file using Explorer it is not detected. Surely Explorer has to write to the directory when it is doing the copy. Any ideas as to how to modify the driver to detect this? Thanks!

xxxxx@hotmail.com wrote:

I have modified the DDK scanner sample to monitor file writes. This works fine if I try to create or write using Notepad or WordPad, but if I simply copy a file using Explorer it is not detected. Surely Explorer has to write to the directory when it is doing the copy. Any ideas as to how to modify the driver to detect this? Thanks!

Have you tried to monitor the requests using filespy? This will tell you
the operations which are happening to the underlying file system. You
can then correlate these to what you are seeing in your filter.

Pete


Kernel Drivers
Windows File System and Device Driver Consulting
www.KernelDrivers.com
866.263.9295

Thanks for the suggestion. I did a test and attempted to write a new file from WordPad. In my driver I was successful in killing the write of the contents, but a zero byte file was written to the directory. FileSpy reports the STATUS_ACCESS_DENIED:

249 11:45:13.847 1 WORDPAD.EXE 3448 8FC93348 IRP 903FBD58 IRP_MJ_CREATE 00000884 00000000 9033C990 00000000 00000000 00000002 00000000 C:\transfer\qwer.txt STATUS_ACCESS_DENIED FILE_CREATE CreOpts: 00000060 Access: 00120196 Share: 00000003 Attrib: 00000080

But there are 4 subsequent sets of lines from Explorer.exe like this:

250 11:45:15.353 0 Explorer.EXE 5108 8FC93348 IRP 90849808 IRP_MJ_CREATE 00000884 00000000 902F8F80 B0ADBD08 AC6B97E8 00000002 00000000 C:\transfer STATUS_SUCCESS FILE_OPEN CreOpts: 00000020 Access: 00100081 Share: 00000007 Attrib: 0 Result: FILE_OPENED
251 11:45:15.353 0 Explorer.EXE 5108 8FC93348 IRP 90849808 IRP_MJ_DIRECTORY_CONTROL/IRP_MN_QUERY_DIRECTORY 00060800 00000000 902F8F80 B0ADBD08 AC6B97E8 00040002 00000000 C:\transfer STATUS_SUCCESS FileIdBothDirectoryInformation FileMask: qwer.txt
252 11:45:15.353 0 Explorer.EXE 5108 8FC93348 IRP 90849808 IRP_MJ_CLEANUP 00000404 00000000 902F8F80 B0ADBD08 AC6B97E8 00040002 00000000 C:\transfer STATUS_SUCCESS
253 11:45:15.353 0 Explorer.EXE 5108 8FC93348 IRP 90849808 IRP_MJ_CLOSE 00000404 00000000 902F8F80 B0ADBD08 AC6B97E8 00044002 00000000 C:\transfer STATUS_SUCCESS

I don’t understand what they mean; however, the file I was trying to create from WordPad is mentioned. It’s almost as if the activity from Explorer.exe is never getting passed to my driver.

xxxxx@hotmail.com wrote:

Thanks for the suggestion. I did a test and attempted to write a new file from WordPad. In my driver I was successful in killing the write of the contents, but a zero byte file was written to the directory. FileSpy reports the STATUS_ACCESS_DENIED:

249 11:45:13.847 1 WORDPAD.EXE 3448 8FC93348 IRP 903FBD58 IRP_MJ_CREATE 00000884 00000000 9033C990 00000000 00000000 00000002 00000000 C:\transfer\qwer.txt STATUS_ACCESS_DENIED FILE_CREATE CreOpts: 00000060 Access: 00120196 Share: 00000003 Attrib: 00000080

But there are 4 subsequent sets of lines from Explorer.exe like this:

250 11:45:15.353 0 Explorer.EXE 5108 8FC93348 IRP 90849808 IRP_MJ_CREATE 00000884 00000000 902F8F80 B0ADBD08 AC6B97E8 00000002 00000000 C:\transfer STATUS_SUCCESS FILE_OPEN CreOpts: 00000020 Access: 00100081 Share: 00000007 Attrib: 0 Result: FILE_OPENED
251 11:45:15.353 0 Explorer.EXE 5108 8FC93348 IRP 90849808 IRP_MJ_DIRECTORY_CONTROL/IRP_MN_QUERY_DIRECTORY 00060800 00000000 902F8F80 B0ADBD08 AC6B97E8 00040002 00000000 C:\transfer STATUS_SUCCESS FileIdBothDirectoryInformation FileMask: qwer.txt
252 11:45:15.353 0 Explorer.EXE 5108 8FC93348 IRP 90849808 IRP_MJ_CLEANUP 00000404 00000000 902F8F80 B0ADBD08 AC6B97E8 00040002 00000000 C:\transfer STATUS_SUCCESS
253 11:45:15.353 0 Explorer.EXE 5108 8FC93348 IRP 90849808 IRP_MJ_CLOSE 00000404 00000000 902F8F80 B0ADBD08 AC6B97E8 00044002 00000000 C:\transfer STATUS_SUCCESS

I don’t understand what they mean; however, the file I was trying to create from WordPad is mentioned. It’s almost as if the activity from Explorer.exe is never getting passed to my driver.

You need to realize that all applications are not created the same. Some
applications perform their writes and just believe they worked, others
perform directory queries and check the returned file size to see if the
writes worked, yet others make copies of the file before performing the
IO and compare these once the write completes. There are a myriad of
methods employed by the developers of these applications to check
whether the IO actually did complete correctly.

As for the zero byte file being created after you failed the IO, well
the file did get created, you did not fail that request. I am also
guessing that the above trace is not the full picture.

But why do you think that the activity from Explorer is not getting
passed to your filter?

Pete


I failed the IO from WordPad item 249 above (and WordPad said it couldn’t write to the directory), but the file got created nonetheless. So based on what you said, am I stuck in not being able to definitively prevent writes (file creates) to that directory?

I have debug in the driver and it never sees any access by Explorer (just by other EXEs). Can there be something special about it?

Thanks for your help!

I should have added in the driver I have callbacks for

const FLT_OPERATION_REGISTRATION Callbacks[] = {
    { IRP_MJ_CREATE,
      0,
      NULL,                 /* PreOperation: none, so the create is not failed before it reaches the file system */
      ScannerPostCreate },  /* PostOperation */

    { IRP_MJ_WRITE,
      0,
      ScannerPostWrite,     /* PreOperation slot: despite the name, this runs before the write */
      NULL },               /* PostOperation */

    { IRP_MJ_OPERATION_END }
};

Perhaps I need a PreCreate callback on the IRP_MJ_CREATE? I’ve done a bit of experimentation to determine where I need to intercept but maybe don’t have it correct.

xxxxx@hotmail.com wrote:

I failed the IO from WordPad item 249 above (and WordPad said it couldn’t write to the directory), but the file got created nonetheless. So based on what you said, am I stuck in not being able to definitively prevent writes (file creates) to that directory?

I have debug in the driver and it never sees any access by Explorer (just by other EXEs). Can there be something special about it?

I think you might be confusing a ‘write to a directory’ with a file
being created, possibly? If you are intending to disallow the creation
of the file then you need to fail the IRP_MJ_CREATE or the PreCreate
handler in the mini filter model. By the time the write comes around the
file has already been created.

You can also fail the IRP_MJ_CREATE on completion, or the post create
handler, but you will need to perform some cleanup to delete the file
that was created. As well, you could detect you would like to not have
the file persisted during a write, maybe based on some content control
policy of the write buffer, but again this would require you to perform
cleanup and delete the file since it has already been created.

Pete


xxxxx@hotmail.com wrote:

I should have added in the driver I have callbacks for

const FLT_OPERATION_REGISTRATION Callbacks[] = {
    { IRP_MJ_CREATE,
      0,
      NULL,                 /* PreOperation: none, so the create is not failed before it reaches the file system */
      ScannerPostCreate },  /* PostOperation */

    { IRP_MJ_WRITE,
      0,
      ScannerPostWrite,     /* PreOperation slot: despite the name, this runs before the write */
      NULL },               /* PostOperation */

    { IRP_MJ_OPERATION_END }
};

Perhaps I need a PreCreate callback on the IRP_MJ_CREATE? I’ve done a bit of experimentation to determine where I need to intercept but maybe don’t have it correct.

Right, see my earlier response. If you want to disallow the creation of
the file then register for a precreate handler and fail the precreate
request. You can also fail at other points with the caveats I explained
in the previous response.

Pete

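The approach Pete recommends in both of his last two replies (fail the create in a PreCreate handler rather than in PostCreate, where the file already exists and has to be deleted again) is shown below as an added example. It is not the poster's driver and not the WDK scanner sample. The decision logic is plain C that compiles anywhere; the minifilter glue is guarded by SCANNER_KERNEL_BUILD, a macro name chosen for this example, and only compiles inside a WDK driver build. ProtectedDir, ScannerShouldDenyCreate and the SCN_ constants are names chosen here; the numeric test value 0x02000060 is the WordPad request from FileSpy line 249 (disposition FILE_CREATE, value 2, in the top byte of the create options, CreOpts 0x60 below it).

```c
/* Added example for this thread, not the poster's driver and not the WDK
 * scanner sample: the create-denial policy evaluated in PreCreate, so the
 * request never reaches the file system and no zero-byte file is left.
 * The decision logic is plain C; the minifilter glue sits under
 * SCANNER_KERNEL_BUILD (a macro chosen here) and needs a WDK driver build. */
#include <stddef.h>

/* Dispositions live in the top byte of Data->Iopb->Parameters.Create.Options
 * (FileSpy prints them by name). 1 = FILE_OPEN and 4 = FILE_OVERWRITE cannot
 * create a file, so they are not listed. */
#define SCN_FILE_SUPERSEDE     0
#define SCN_FILE_CREATE        2
#define SCN_FILE_OPEN_IF       3
#define SCN_FILE_OVERWRITE_IF  5

/* Volume-relative directory to protect (assumed for this example); this is
 * the form FltParseFileNameInformation reports in ParentDir. */
static const wchar_t ProtectedDir[] = L"\\transfer\\";
#define PROTECTED_DIR_CHARS (sizeof(ProtectedDir) / sizeof(ProtectedDir[0]) - 1)

/* Nonzero when this disposition can bring a new file into existence. */
int ScannerDispositionMayCreate(unsigned long createOptions)
{
    switch ((createOptions >> 24) & 0xFF) {
    case SCN_FILE_SUPERSEDE: case SCN_FILE_CREATE:
    case SCN_FILE_OPEN_IF:   case SCN_FILE_OVERWRITE_IF:
        return 1;
    default:
        return 0;
    }
}

/* ASCII-only case folding, enough for these paths; a real filter should use
 * RtlEqualUnicodeString(..., CaseInSensitive = TRUE) instead. */
static wchar_t ScnLower(wchar_t c)
{
    return (c >= L'A' && c <= L'Z') ? (wchar_t)(c + (L'a' - L'A')) : c;
}

/* parentDir is a counted string like UNICODE_STRING, not NUL-terminated. */
int ScannerParentDirIsProtected(const wchar_t *parentDir, size_t parentDirChars)
{
    size_t i;
    if (parentDirChars != PROTECTED_DIR_CHARS)
        return 0;
    for (i = 0; i < parentDirChars; i++)
        if (ScnLower(parentDir[i]) != ScnLower(ProtectedDir[i]))
            return 0;
    return 1;
}

/* Deny only creates that could put a new file in ProtectedDir. Explorer
 * opening the directory itself (ParentDir "\") passes through, as does any
 * plain FILE_OPEN of an existing file. */
int ScannerShouldDenyCreate(const wchar_t *parentDir, size_t parentDirChars,
                            unsigned long createOptions)
{
    return ScannerDispositionMayCreate(createOptions) &&
           ScannerParentDirIsProtected(parentDir, parentDirChars);
}

#ifdef SCANNER_KERNEL_BUILD
#include <fltKernel.h>

/* Register this as the PreOperation (third field) for IRP_MJ_CREATE. */
FLT_PREOP_CALLBACK_STATUS
ScannerPreCreate(PFLT_CALLBACK_DATA Data, PCFLT_RELATED_OBJECTS FltObjects,
                 PVOID *CompletionContext)
{
    PFLT_FILE_NAME_INFORMATION nameInfo = NULL;
    NTSTATUS status;
    UNREFERENCED_PARAMETER(FltObjects);
    UNREFERENCED_PARAMETER(CompletionContext);

    status = FltGetFileNameInformation(Data,
                 FLT_FILE_NAME_NORMALIZED | FLT_FILE_NAME_QUERY_DEFAULT,
                 &nameInfo);
    if (!NT_SUCCESS(status))
        return FLT_PREOP_SUCCESS_NO_CALLBACK;

    status = FltParseFileNameInformation(nameInfo);
    if (NT_SUCCESS(status) &&
        ScannerShouldDenyCreate(nameInfo->ParentDir.Buffer,
                                nameInfo->ParentDir.Length / sizeof(WCHAR),
                                Data->Iopb->Parameters.Create.Options)) {
        FltReleaseFileNameInformation(nameInfo);
        /* Complete the IRP here: the file system never sees the create. */
        Data->IoStatus.Status = STATUS_ACCESS_DENIED;
        Data->IoStatus.Information = 0;
        return FLT_PREOP_COMPLETE;
    }
    FltReleaseFileNameInformation(nameInfo);
    return FLT_PREOP_SUCCESS_NO_CALLBACK;
}

const FLT_OPERATION_REGISTRATION ScannerCreateRegistration =
    { IRP_MJ_CREATE, 0, ScannerPreCreate, NULL };
#endif
```

The registration entry puts the handler in the PreOperation slot, which is exactly the slot the callback table in this thread leaves as NULL for IRP_MJ_CREATE. Denying in PostCreate instead (the route the scanner sample takes with FltCancelFileOpen) is possible, but by then the file already exists, so the delete step Pete mentions is still needed. Note also what the FileSpy lines 250 to 253 show: Explorer opens C:\transfer itself with FILE_OPEN and runs a directory query with FileMask qwer.txt, which is why the file name appears there; none of those four requests creates the file, so a create filter would correctly let them through.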