Filter Driver Question

Hello All,

I am trying to write a filter driver for NT/2000/XP. The idea is to hide a file/folder from a given directory. For that I have trapped the I/O completion routine using IoSetCompletionRoutine( Irp, TrapDirectoryInfo, (void *)seq, TRUE, TRUE, TRUE );

So in routine TrapDirectoryInfo I am looking for IRP_MJ_DIRECTORY_CONTROL and minor function IRP_MN_QUERY_DIRECTORY. If I find one then, depending on the FileInformationClass, I map the UserBuffer/MDL address to the respective structure, like FileBothDirectoryInformation. I move through the linked list and figure out the file/directory names. If I want to hide some file, I simply manipulate the offsets in the linked list.

My Questions:

1) Is this a good method to hide files/directories? Will this cause any problems?
2) I want to store the file/directory information to be hidden in memory. Do I use pageable or non-pageable memory? If pageable memory, then how do I handle page faults?
3) Is there a similar way to hide a folder in Win 95/98/Me, i.e. after
iRet=(*(*ppPrevHook))(pfn, nFunction, nDrive, nResources, Cp, pir);
in the hook routine for IFSFN_FINDNEXT/IFSFN_DIR etc., can I do something similar?

Regards,
Ashish
http://geocities.com/ashishparkhi


(1) If this is working for you, it seems reasonable (it certainly is
easier than repacking the buffer!)

(2) I’d suggest pageable memory. To “handle” page faults, you just
need to make sure you don’t access the data at IRQL > APC_LEVEL. Then
you’ll never even know if they occur.

(3) Perhaps someone else has a clue what this means - I avoid Win 9x
like the plague…

Regards,

Tony

Tony Mason

Consulting Partner

OSR Open Systems Resources, Inc.

http://www.osr.com


From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com]
On Behalf Of Ashish Parkhi
Sent: Thursday, December 18, 2003 8:07 AM
To: ntfsd redirect
Subject: [ntfsd] Filter Driver Question


Yes on 1 and 3.
Use non-paged memory for storage of any data for 2. Unless the user/programmer
is clumsy and puts one million files contained in a folder instead of the
folder itself, the amount you will use is negligible.


Kind regards, Dejan M. MVP for DDK
http://www.alfasp.com E-mail: xxxxx@alfasp.com
Alfa Transparent File Encryptor - Transparent file encryption services.
Alfa File Protector - File protection and hiding library for Win32
developers.
Alfa File Monitor - File monitoring library for Win32 developers.

Ohh - I see two problems now: hiding the first file in the buffer
and hiding all files in the buffer.


Kind regards, Dejan M. MVP for DDK
http://www.alfasp.com E-mail: xxxxx@alfasp.com
Alfa Transparent File Encryptor - Transparent file encryption services.
Alfa File Protector - File protection and hiding library for Win32
developers.
Alfa File Monitor - File monitoring library for Win32 developers.

Hello Tony/Dejan
Thanks for replying.

Tony:

The trap function (TrapDirectoryInfo) that I have mentioned runs at IRQL PASSIVE_LEVEL. When I make a call to the function which checks if the current directory/file matches the ones in memory, it runs at IRQL DISPATCH_LEVEL.

  1. Why is that so? Those functions are guarded with a spin lock, is that the reason? From what I have seen so far, it always runs at DISPATCH_LEVEL. So how do I guard these functions against page faults if I am using pageable memory?

Dejan:

The problems that you have mentioned, I have tried to manage the following way. But I don't know if that will cause any memory leaks.

  1. hiding the first file in the buffer
    Let's say there are 5 files in the buffer, and I have to hide the first file/folder. In this case currently I am simply moving the address in the UserBuffer/MDL ahead and pointing it to the next file in the buffer.
    (so functionally this is working… the first file is getting hidden, but I don't know about the memory leaks.)
  2. hiding all files in the buffer
    If I find that all the files/folders have to be hidden, then I am putting NULL in UserBuffer/MDL.
    (so functionally this is working… all the files are getting hidden, but again I don't know about the memory leaks.)

Other Questions:

  1. If I decide to use non-paged memory, then how much non-paged kernel memory can I use?
  2. I have created a structure (linked list) to store the path information. The memory is dynamically allocated from NonPagedPool; will this cause any memory problem? I mean this memory won't be continuous but would be scattered (this is what I feel, I am not sure).

I am new to driver writing, so I hope you all don't mind my silly questions. It would also be great if someone could tell me if there is any way to traverse the memory looking for files and directories in a directory in Win 98, as I am doing it on Win NT.

Regards,
Ashish
http://geocities.com/ashishparkhi


> 1) hiding the first file in the buffer
> Let's say there are 5 files in the buffer, and I have to hide the first
> file/folder. In this case currently I am simply moving the address in the
> UserBuffer/MDL ahead and pointing it to the next file in the buffer.
> (so functionally this is working… the first file is getting hidden, but I
> don't know about the memory leaks.)

I’d suggest copying the first valid entry to the
beginning of the buffer (if you need to skip the
existing first one).

> 2) hiding all files in the buffer
> If I find that all the files/folders have to be hidden, then I am putting
> NULL in UserBuffer/MDL.
> (so functionally this is working… all the files are getting hidden, but
> again I don't know about the memory leaks.)

If you hide all entries, just send the request back
down to get more.

Randy



OUCH!

> The trap function (TrapDirectoryInfo) that I have mentioned runs at
> IRQL PASSIVE_LEVEL. When I make a call to the function which checks if
> the current directory/file matches the ones in memory, it runs at
> IRQL DISPATCH_LEVEL.

Yes, it is because of spin locks. There is no need to use spin
locks here. SL are used IFF (if and ONLY if) the memory is to be
accessed at DISPATCH_LEVEL (in an FSF this virtually means it is accessed
from a completion routine).
If you use SL, use non-paged memory - if not using SL, ERESOURCE
is the way to go.

> 1) hiding the first file in the buffer
> Let's say there are 5 files in the buffer, and I have to hide the
> first file/folder. In this case currently I am simply moving the
> address in the UserBuffer/MDL ahead and pointing it to the next file
> in the buffer.

WOW! Wait a second - are you changing the Irp->UserBuffer or
Irp->MdlAddress from the original? You can do this while you are in your
IRP_MJ_xxx handler but you must change it back to what it was - you can
change the buffer data but not the address.

> 2) hiding all files in the buffer
> If I find that all the files/folders have to be hidden, then I am
> putting NULL in UserBuffer/MDL.

Again same as above.

> 1) If I decide to use non-paged memory, then how much non-paged
> kernel memory can I use?

Like I said in my previous post, unless the programmer/user is
stupid enough to select 100,000+ files inside a directory instead of
directory itself (using wildcards) then you will be OK.

> 2) I have created a structure (linked list) to store the path
> information. The memory is dynamically allocated from NonPagedPool;
> will this cause any memory problem? I mean this memory won't be
> continuous but would be scattered (this is what I feel, I am not
> sure).

Do not worry about it.

> It would also be great if someone could tell me if there is any way to
> traverse the memory looking for files and directories in a directory in
> Win 98, as I am doing it on Win NT.

Yes, the only thing that is a bit hard for 9x is figuring how to
hide the first file.
What you do in Win9x is to trap IFSFN_FINDOPEN and
IFSFN_FINDNEXT. Let the call through, check the file name you got (you
get a single file name per call as opposed to multiple file names on NT)
and if you need to hide it, just call the function again.
Pitfalls:
During IFSFN_FINDOPEN you can’t just call the function again -
you have to call the IFSFN_FINDNEXT handler.
Do not forget to handle error returns:-)


Kind regards, Dejan M. MVP for DDK
http://www.alfasp.com E-mail: xxxxx@alfasp.com
Alfa Transparent File Encryptor - Transparent file encryption services.
Alfa File Protector - File protection and hiding library for Win32
developers.
Alfa File Monitor - File monitoring library for Win32 developers.

Hello Dejan, Randy Cook

Thank you very much for the information, it was really helpful! I am able to hide the files in Win 98 as well :). And for the first file the problem is coming only if I search for that particular file, e.g. if I do

dir hide*

and if that's the only file in the directory. For now I have called the function for IFSFN_FINDCLOSE in IFSFN_FINDOPEN to hide the first file. Actually I did try calling the function for IFSFN_FINDNEXT, but it was again returning me the first file and not the second file, and I don't know why.
So the drawback is that if e.g. in a directory there are more files with pattern, let's say, hide*, and if I had to hide the first file, after calling IFSFN_FINDCLOSE in IFSFN_FINDOPEN none of the other files are visible. But if I simply do “dir *” in that directory then I am able to view all the files except the file which I wanted to hide.
So that's fine for now. I will try something more and if any problem I'll come back to you. :)

Now the other problem that I am facing is that if someone uses the 8.3 file format, then the files are visible… So it is only working for long file names… so I am trying to find out a way for that as well…

One Question: In Win NT, for hiding the first file I am trying to use the method mentioned by Randy Cook, that is to move the first valid file to the beginning of the buffer instead of changing the address. But if I want to hide all the files in that buffer, then can't I just put NULL as I have already mentioned? As this is functionally working, what are the problems that you can foresee?

Thanks,
Ashish


  1. You should try not to do anything in your filter
    that the underlying FSD would never do. Apps can and
    do call this stuff directly. They don’t have to go
    through WIN32. If you hand them something weird and
    they don’t deal with it, then it is your bug.

  2. Even if this appears to work, it is inefficient.
    You will get called again anyway, so just do the next
    request immediately.

Also, make sure you are handling the case where a
single entry is requested.

> One Question: In win nt if for hiding the first file
> I am trying to use the method mentioned by Randy
> Cook, that is to move the first valid file at the
> biginning of the buffer instead of changing the
> address. But if I want to hide all the files in that
> buffer, then cant I just not put NULL as I have
> already mention? As this is functionally working,
> what are the problems that you can foresee ?
>
> Thanks,
> Ashish

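Randy's first point is the crux of the NT side of this thread: applications call the directory-query path directly and consume the returned buffer as a NextEntryOffset-linked chain of entries, so anything a filter returns that a real FSD would never produce (a shifted buffer address, a NULL buffer with a success status, a dangling link) becomes the consumer's crash. The following user-mode C program is an added example, not code from any poster or from OSR: it walks such a chain the way a careful consumer should, rejecting a link or a name length that would lead outside the buffer before touching it. The DirEntry struct is a simplified stand-in for FILE_BOTH_DIR_INFORMATION (assumption: only the link and name fields are reproduced; the real structure has many more fixed fields), and the sample buffers are constructed inside the program, not captured from any file system.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified entry. Assumption: FILE_BOTH_DIR_INFORMATION has more fixed
 * fields (times, sizes, short name); only link and name matter for the walk. */
typedef struct {
    uint32_t NextEntryOffset;  /* bytes from this entry to the next, 0 = last */
    uint32_t FileNameLength;   /* in bytes, no terminator */
    uint16_t FileName[1];      /* UTF-16LE, variable length */
} DirEntry;

#define ENTRY_HEADER   offsetof(DirEntry, FileName)
#define ENTRY_ALIGN    8u                      /* entries start 8-byte aligned */
#define ROUND_UP(n)    (((n) + ENTRY_ALIGN - 1) & ~(ENTRY_ALIGN - 1))
#define MAX_NAME_CHARS 64
enum { WALK_BAD_HEADER = -1, WALK_BAD_NAME = -2, WALK_BAD_LINK = -3 };

/* Walks the chain, copying up to max_names ASCII-range names into names[].
 * Returns the entry count, or a negative WALK_* code as soon as a field
 * would send a trusting consumer outside the buffer. */
int walk_dir_buffer(const uint8_t *buf, size_t len,
                    char names[][MAX_NAME_CHARS + 1], int max_names)
{
    size_t off = 0; int count = 0;
    for (;;) {
        DirEntry hdr; uint32_t need, nchars, i;
        if (len - off < ENTRY_HEADER) return WALK_BAD_HEADER;
        memcpy(&hdr, buf + off, ENTRY_HEADER); /* copy: no unaligned access */
        if (hdr.FileNameLength % 2 != 0 ||
            hdr.FileNameLength > len - off - ENTRY_HEADER) return WALK_BAD_NAME;
        if (count < max_names) {
            nchars = hdr.FileNameLength / 2;
            if (nchars > MAX_NAME_CHARS) nchars = MAX_NAME_CHARS;
            for (i = 0; i < nchars; i++) {
                uint16_t c;
                memcpy(&c, buf + off + ENTRY_HEADER + 2 * i, 2);
                names[count][i] = c < 0x80 ? (char)c : '?';
            }
            names[count][nchars] = '\0';
        }
        count++;
        if (hdr.NextEntryOffset == 0) return count;   /* last entry */
        /* A link must skip this whole entry, stay aligned and stay in bounds. */
        need = ROUND_UP((uint32_t)(ENTRY_HEADER + hdr.FileNameLength));
        if (hdr.NextEntryOffset < need || hdr.NextEntryOffset % ENTRY_ALIGN ||
            hdr.NextEntryOffset > len - off) return WALK_BAD_LINK;
        off += hdr.NextEntryOffset;
    }
}

/* Test-data builder (constructed, not the output of any FSD): appends an entry
 * with an ASCII name at *used and links the previous entry (*prev) to it.
 * Start with *used == 0. Returns 0, or -1 if the entry does not fit. */
int append_entry(uint8_t *buf, size_t cap, size_t *used, size_t *prev,
                 const char *name)
{
    size_t n = strlen(name), i;
    uint32_t size = ROUND_UP((uint32_t)(ENTRY_HEADER + 2 * n));
    uint32_t namelen = (uint32_t)(2 * n);
    if (cap - *used < size) return -1;
    memset(buf + *used, 0, size);              /* zero header and padding */
    memcpy(buf + *used + offsetof(DirEntry, FileNameLength), &namelen, 4);
    for (i = 0; i < n; i++) {
        uint16_t c = (uint8_t)name[i];
        memcpy(buf + *used + ENTRY_HEADER + 2 * i, &c, 2);
    }
    if (*used != 0) {                          /* patch previous NextEntryOffset */
        uint32_t link = (uint32_t)(*used - *prev);
        memcpy(buf + *prev, &link, 4);
    }
    *prev = *used;
    *used += size;
    return 0;
}

static char g_names[8][MAX_NAME_CHARS + 1];    /* filled by demo_listing */

/* Constructed three-entry listing as a well-behaved FSD returns it (corrupt
 * == 0), or with one field damaged: the last entry's NextEntryOffset set to
 * 4096 (corrupt == 1) or the first entry's FileNameLength set to 1000 bytes
 * (corrupt == 2). A consumer that trusts either field reads out of bounds. */
int demo_listing(int corrupt)
{
    uint8_t buf[128]; size_t used = 0, prev = 0;
    uint32_t bad = corrupt == 1 ? 4096 : 1000;
    append_entry(buf, sizeof buf, &used, &prev, ".");
    append_entry(buf, sizeof buf, &used, &prev, "..");
    append_entry(buf, sizeof buf, &used, &prev, "report.txt");
    if (corrupt == 1) memcpy(buf + prev, &bad, 4);
    if (corrupt == 2) memcpy(buf + offsetof(DirEntry, FileNameLength), &bad, 4);
    return walk_dir_buffer(buf, used, g_names, 8);
}

int main(void)
{
    int n = demo_listing(0);
    printf("entries=%d last=%s bad_link=%d bad_length=%d\n",
           n, g_names[n - 1], demo_listing(1), demo_listing(2));
    return 0;
}
```

The two corruption modes correspond to what a filter can break when it edits the chain in place: a NextEntryOffset that no longer lands on a real entry, and a length that no longer matches the bytes actually present. The walker treats either as a hard error instead of reading past the buffer, which is the behaviour an application, or a filter inspecting a lower driver's result in its completion routine, needs.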