I was responding to another poster who asserted that 'burning software'
was generally well behaved. It isn't. I would agree with your analysis
that you just need a filesystem filter driver - better yet a minifilter
driver to sit at some appropriate level and forbid folks you don't like
from using the cdrom or the usb disk or whatever sort of volume it is
that you won't let them use.
-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of James Dunning
Sent: Tuesday, December 13, 2005 10:01 AM
To: Windows System Software Devs Interest List
Subject: RE: [ntdev] Filter Driver
I thought that a majority of antivirus file system filter drivers
generally attached themselves on top of the filesystem?
< IO MANAGER >
< ANTI VIRUS FILESYSTEM FILTER DRIVER >
< ENCRYPTION FILESYSTEM FILTER DRIVER >
< OTHER FILESYSTEM FILTER DRIVER >
------------------------------------------ FILE SYSTEMS
< FAT32 > < NTFS > < RDR REDIRECTOR >
------------------------------------------ IO DEVICES
< CDROM > < USB > < FLOPPY > < HARD DISK > < Network >
I get the impression if I wanted to write a security product to restrict
the access to any IO Devices, such as Floppy, CD ROM, or USB, then I
would be better off writing a lower filter driver of the IO DEVICES, so
that I can process the SRB. Based on this, what advantages does
processing the SRB (SCSI Request Block) give me?
Isn't it possible to block and restrict ReadFile WriteFile CreateFile
calls to the CDROM or Floppy by attaching a filesystem filter driver on
top of the "Anti virus filesystem filter driver" directly below the
"IO Manager"?
Regards
James
-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com]On Behalf Of Mark Roddy
Sent: 13 December 2005 02:24
To: Windows System Software Devs Interest List
Subject: RE: [ntdev] Filter Driver
Well actually it is exactly 'burning software' I was referring to and
some of it is crap and does behave exactly this way. It was just a
friendly piece of advice for whomever is setting out down the filtering
the cd/dvd burning path. Ignore as you see fit. Bus filters are perfect
only if everybody above them is perfect.
=====================
Mark Roddy DDK MVP
Windows 2003/XP/2000 Consulting
Hollis Technology Solutions 603-321-1032
www.hollistech.com
-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of ZG
Sent: Monday, December 12, 2005 6:07 PM
To: Windows System Software Devs Interest List
Subject: Re:[ntdev] Filter Driver
Yes. Some programs may even communicate directly with PCI
chipset. Anyway, most burning software doesn't work that way.
--
Regards,
ZG [@ Sydney]
Windows Driver Developer
"Roddy, Mark" wrote in message news:xxxxx@ntdev...
> Even a bus filter driver may not capture all IO operations
> sent to PDOs due to non-standard behavior of upper level
> drivers. Not that this isn't a good way to go, just that
> there are products out there in this area that think it is a
> good idea to send their IO requests directly to the PDO, not
> 'down the stack'.
>
> -----Original Message-----
> From: xxxxx@lists.osr.com
> [mailto:xxxxx@lists.osr.com] On Behalf Of ZG
> Sent: Monday, December 12, 2005 6:27 AM
> To: Windows System Software Devs Interest List
> Subject: Re:[ntdev] Filter Driver
>
> If you're making a security product, lower is better. So, a
> lower filter of disk/cdrom is better if you can process SRB.
> But in fact, if you have experience of driver development, a
> bus filter driver of IDE/SCSI/USB/1394 is really perfect.
>
> --
>
> Regards,
> ZG [@ Sydney]
> Windows Driver Developer
>
>
> "James Dunning" wrote in message news:xxxxx@ntdev...
> > What kind of Filter Driver would I need to write to capture read/write
> > IRPs sent to a floppy disk, CD/DVD and USB disks, regardless of
> > filesystem FAT32 CDFS and NTFS?
> >
> > I initially thought you would require a filesystem filter driver, not
> > understanding filter drivers, would this filesystem filter driver be
> > attached to all filesystem drivers, at its upper layer?
> >
> > Second question, given that you have an IoStack, and IRP request packet
> > during a dispatch request (IRP_MJ_CREATE, IRP_MJ_READ or IRP_MJ_WRITE)
> > how can you determine what source the request came from? floppy, cd/dvd
> > or USB disk?
> >
> > Regards
> > This email and any files attached are intended for the addressee and
> > may contain information of a confidential nature. If you are not the
> > intended recipient, be aware that this email was sent to you in error
> > and you should not disclose, distribute, print, copy or make other use
> > of this email or its attachments. Such actions, in fact, may be
> > unlawful. In compliance with the various Regulations and Acts, General
> > Dynamics UK Limited reserves the right to monitor (and examine for
> > viruses) all emails and email attachments, both inbound and outbound.
> > Email communications and their attachments may not be secure or error-
> > or virus-free and the company does not accept liability or
> > responsibility for such matters or the consequences thereof.
> > Registered Office: 100 New Bridge Street, London EC4V 6JA. Registered
> > in England and Wales No: 1911653.
> >
> >
>
>
>
> ---
> Questions? First check the Kernel Driver FAQ at
> http://www.osronline.com/article.cfm?id=256
>
> You are currently subscribed to ntdev as:
> xxxxx@stratus.com To unsubscribe send a blank email to
> xxxxx@lists.osr.com
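The trade-off argued in this thread (file system filter versus lower class filter versus bus filter, and requests sent straight to the PDO) can be checked with a small user-mode model. This is an added example, not code from any poster; it assumes a single ordered chain of layers and three constructed senders, whereas real Windows keeps the file system and storage stacks as separate device stacks.

```c
#include <stdio.h>
#include <stdbool.h>

/* Assumed simplified model: one ordered chain, top (index 0) to bottom. */
enum layer { FS_FILTER, FILE_SYSTEM, CLASS_DRIVER, CLASS_LOWER_FILTER,
             BUS_FILTER, PDO, LAYER_COUNT };

static const char *layer_name[LAYER_COUNT] = {
    "fs filter", "file system", "class driver",
    "class lower filter", "bus filter", "PDO" };

/* A request travels from its entry layer down to the PDO. It is failed if
   the layer holding the deny policy lies on that path. Returns true when
   the request reaches the device unchecked. */
static bool request_reaches_device(enum layer entry, enum layer policy_at)
{
    for (int l = entry; l < LAYER_COUNT; l++) {
        if (l == (int)policy_at)
            return false;      /* the filter saw the request and failed it */
    }
    return true;               /* nothing on the path enforced the policy */
}

/* Count how many of the modelled senders a given filter placement stops. */
static int senders_blocked(enum layer policy_at)
{
    /* Constructed senders: ordinary file I/O enters at the top, a driver
       that talks to the class device enters there, and the misbehaving
       product described in the thread sends directly to the PDO. */
    const enum layer entries[] = { FS_FILTER, CLASS_DRIVER, PDO };
    int blocked = 0;
    for (size_t i = 0; i < sizeof entries / sizeof entries[0]; i++)
        if (!request_reaches_device(entries[i], policy_at))
            blocked++;
    return blocked;
}

int main(void)
{
    const enum layer placements[] = { FS_FILTER, CLASS_LOWER_FILTER, BUS_FILTER };
    for (size_t i = 0; i < sizeof placements / sizeof placements[0]; i++)
        printf("%-18s blocks %d of 3 senders\n",
               layer_name[placements[i]], senders_blocked(placements[i]));
    return 0;
}
```

In this model a lower placement covers more senders, but no filter sees a request that is handed directly to the PDO, which is the caveat raised about bus filters.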