Hi,

I have a question concerning some filter development on Windows XP.

Basically I’m monitoring IRP requests that pass through the IO stack, specifically using the filter manager to capture the IRP_CREATE requests.

The problem is that I’ve been tasked to grab the directory contents from the directories that get created. Not that trivial, since I’m a novice in this arena.

OK, upon grabbing the post-creation request from the filter manager I determine that the file created is indeed a directory. I then attempt to send IRP_DIRECTORY_CONTROL with the minor function IRP_MN_QUERY_DIRECTORY and using the FILE_INFORMATION_CLASS FileBothDirectoryInformation.

OK, it does something, but like always in the beginning not what I intended. It returns a file attribute of directory; well, that’s OK. The filename is ‘.’ and with NextEntryOffset as 0. Not what I wanted. It looks like it’s returning some top-level directory?

I wanted to see a valid NextEntryOffset to a normal file.

Any ideas of whether this is the right approach? I’m starting to think that I cannot grab the contents of a directory whilst it’s being created?

Thanks,
Garyc
At post creation time, the directory will be empty. You need to check at
post creation if the file is in a directory of interest. Of course you
will also need to handle the rename/move case to catch files that way.
–
Don Burn (MVP, Windows DDK)
Windows 2k/XP/2k3 Filesystem and Driver Consulting
Website: http://www.windrvr.com
Blog: http://msmvps.com/blogs/WinDrvr
Remove StopSpam to reply
Not to sound obvious, but if the directory is just created, wouldn’t ‘.’ be the only thing in it?

Now, hoping I’m not sounding stupid (and probably am, since you probably meant IRP_MJ_CREATE for directory open, not create), did you fiddle with the SL_RESTART_SCAN and SL_RETURN_SINGLE_ENTRY flags?
–
Kind regards, Dejan
http://www.alfasp.com
File system audit, security and encryption kits.
Questions? First check the IFS FAQ at https://www.osronline.com/article.cfm?id=17
You are currently subscribed to ntfsd as: xxxxx@alfasp.com
To unsubscribe send a blank email to xxxxx@lists.osr.com
Hey Don,

Thanks for the reply. Could you please elaborate a wee bit more on the answer “you need to check at post creation if the file is in a directory of interest”, and on the rename/move case?

When a directory is copied, it contains files I want to look for. I only see the directory file during the copy; I don’t see any of the files it contains during the copy. I would like to see those files.

Thanks,
Garyc
Hey Dejan,

The ‘.’ may be the only thing in it, but I’m opening up a file, e.g. C:\test, that contains test1.c.

Yes, I played with the flags. I verified that this file is a directory; just the filename is ‘.’, which is probably correct. I just need confirmation that’s how it’s supposed to be?

Thanks,
Garyc
You stated in your first mail that you caught directory creates on the post-create callback; at that point there will be nothing in the directory. You need to check every create and see if the file is being created in the directory you are interested in. In addition, the system can “move” files with a set-information operation doing a rename to another directory, which again could be the directory of interest for you.
–
Don Burn (MVP, Windows DDK)
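The bookkeeping Don describes in both of his replies, as an added example that is not code from the thread or from any of its posters: rather than querying a freshly created directory (which is empty at that instant), the filter records directories of interest and matches the target of every later create and the destination of every rename against them. The minifilter callback plumbing, FltGetFileNameInformation and UNICODE_STRING are left out so the logic builds and runs with any C compiler; the paths, the watch-list layout and the function names are assumptions chosen for the example, and the sample path sequence is constructed to mimic what a directory copy produces.

```c
/* Added example, not code from the thread: the bookkeeping Don Burn describes,
 * written as host-testable C. A minifilter cannot enumerate a directory from
 * its post-create callback because the directory is empty at that instant, so
 * instead it remembers directories of interest and matches every later create
 * (IRP_MJ_CREATE) and every rename target (IRP_MJ_SET_INFORMATION with
 * FileRenameInformation) against them. Callback plumbing, the
 * FltGetFileNameInformation call and UNICODE_STRING are left out so this builds
 * with any C compiler; paths are wchar_t strings in the NT form a filter sees
 * (constructed sample paths, not real data). */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <wchar.h>
#include <wctype.h>

#define MAX_WATCHED    16
#define MAX_PATH_CHARS 260

typedef struct {
    wchar_t dirs[MAX_WATCHED][MAX_PATH_CHARS];
    size_t  count;
} WatchList;

/* Length of 's' without any trailing backslashes. */
static size_t TrimTrailingSeparators(const wchar_t *s)
{
    size_t n = wcslen(s);
    while (n > 0 && s[n - 1] == L'\\') n--;
    return n;
}

/* NTFS name lookups are case-insensitive, so the comparison must be too. */
static bool EqualsNoCase(const wchar_t *a, size_t aLen, const wchar_t *b, size_t bLen)
{
    if (aLen != bLen) return false;
    for (size_t i = 0; i < aLen; i++)
        if (towlower((wint_t)a[i]) != towlower((wint_t)b[i])) return false;
    return true;
}

/* Post-create for a directory that was just created: record it. There is
 * nothing inside it yet, so no query-directory is issued here. */
bool WatchList_AddDirectory(WatchList *wl, const wchar_t *dirPath)
{
    size_t n = TrimTrailingSeparators(dirPath);
    if (n == 0 || n >= MAX_PATH_CHARS || wl->count >= MAX_WATCHED) return false;
    wmemcpy(wl->dirs[wl->count], dirPath, n);
    wl->dirs[wl->count][n] = L'\0';
    wl->count++;
    return true;
}

/* Index of the watched directory that is the immediate parent of 'path', or
 * -1. Apply it to the target of every create and to the destination name of
 * every rename; a nested directory gets its own entry when it is created. */
int WatchList_ParentOf(const WatchList *wl, const wchar_t *path)
{
    const wchar_t *lastSep = wcsrchr(path, L'\\');
    if (lastSep == NULL || lastSep[1] == L'\0') return -1;  /* no parent, or a bare directory */
    size_t parentLen = (size_t)(lastSep - path);
    for (size_t i = 0; i < wl->count; i++)
        if (EqualsNoCase(path, parentLen, wl->dirs[i], wcslen(wl->dirs[i])))
            return (int)i;
    return -1;
}

/* Constructed sequence of operations a directory copy produces, in the order a
 * filter would observe them. Returns how many of them land in a watched
 * directory (expected: 2, the file create and the rename destination). */
int DemoCopyScenario(void)
{
    WatchList wl = { .count = 0 };
    int matched = 0;

    /* 1. post-create of the directory itself (FILE_DIRECTORY_FILE, FILE_CREATED) */
    WatchList_AddDirectory(&wl, L"\\Device\\HarddiskVolume1\\Users\\gary\\test\\");
    /* 2. create of a file inside it; case differs, as NTFS allows */
    if (WatchList_ParentOf(&wl, L"\\Device\\HarddiskVolume1\\Users\\gary\\TEST\\test1.c") >= 0) matched++;
    /* 3. create in an unrelated directory */
    if (WatchList_ParentOf(&wl, L"\\Device\\HarddiskVolume1\\Users\\gary\\other\\x.c") >= 0) matched++;
    /* 4. rename whose FileRenameInformation destination is the watched directory */
    if (WatchList_ParentOf(&wl, L"\\Device\\HarddiskVolume1\\Users\\gary\\test\\moved.c") >= 0) matched++;
    /* 5. create two levels down: not an immediate child; its parent 'sub' is
     *    what the filter would have recorded when 'sub' itself was created */
    if (WatchList_ParentOf(&wl, L"\\Device\\HarddiskVolume1\\Users\\gary\\test\\sub\\deep.c") >= 0) matched++;
    return matched;
}

int main(void)
{
    printf("events landing in a watched directory: %d\n", DemoCopyScenario());
    return 0;
}
```

In a real minifilter the recorded name would come from the opened-name form returned by FltGetFileNameInformation in the post-create callback, and the rename check would run in the pre-operation callback for IRP_MJ_SET_INFORMATION, where the destination name is available; the per-call comparison above is the part that does not depend on the kernel API.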
OK, I think I know what I need to do. Firstly, you cannot perform a query directory during CREATION. What in essence I am trying to achieve is to examine the files within the directory during a copy. This is not achieved because I only see the directory name, due to FAST IO being enabled. Hopefully during the pre-creation I can disable FAST IO after determining it’s a directory and then see all files in the post stage. I think this is OK?
Thanks,
Garyc