fmon

I am trying to create a tool similar to filemon, however I need the
following functionality.

  1. filemon generates read and write logs; it is difficult to detect a copy
    operation from it. That is what I want.
    How to do it? Is there any other way to detect the same.

There’s no copy operation at filter/FSD level. Just read and write.

L.

There is no concept of a ‘copy’ operation from the perspective of a filter
driver. The filter would see an open against file 1, some reads against the
same file, then possibly a create or open of file 2, followed by some writes
against the latter file.

Other than associating heuristics to the above set of operations, which the
order is not guaranteed, there is no way to know that a copy operation is
happening. Even when you attempt to guess, there are scenarios that will
break it.

It is best to not base your architecture on such concepts.

Pete

Kernel Drivers
Windows Filesystem and Device Driver Consulting
www.KernelDrivers.com
(303)546-0300


From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Albert Pinto
Sent: Tuesday, January 24, 2006 5:39 AM
To: Windows File Systems Devs Interest List
Subject: [ntfsd] fmon

Well, thanks for the advice, but then how do I solve it. I wanted a fsfd
because the other approach is to hook at a higher level and that is not
recommended by any of you!!!

A P wrote:

> Well, thanks for the advice, but then how do I solve it. I wanted a fsfd
> because the other approach is to hook at a higher level and that is not
> recommended by any of you!!!

Hooking at a higher level won’t help either - copy is only a shorthand
for multiple operations even in userspace. Are you assuming that someone
will copy a file by always calling CopyFile? I’m not sure even Explorer
always uses that, and it’s very common for user apps to use other methods.

Time to rethink your design…

Tony

Even if you can hook, you will have to hook half a million APIs to get this
working. And there will always remain a way to bypass you.

The lower down the hierarchy you tap the cleaner your code is and the safer
you are, as you will not be bypassed, but generating any context is very
difficult.

You mean to say that Windows doesn’t allow any way to log user operations on
files/network shares etc. the proper way? I don’t believe this. There has to
be a way…

> You mean to say that Windows doesn’t allow any way to log user operations
> on files/network shares etc. the proper way?

No. We mean that there’s no way to log copying a file.

L.

ROFL! If any OS allows for one to have read/write as an atomic
operation available to programmers, it does not provide a way to track
file copy.

A P wrote:

> You mean to say that Windows doesn’t allow any way to log user
> operations on files/network shares etc. the proper way? I don’t
> believe this. There has to be a way…


Kind regards, Dejan M.
http://www.alfasp.com E-mail: xxxxx@alfasp.com
Alfa Transparent File Encryptor - Transparent file encryption services.
Alfa File Protector - File protection and hiding library for Win32
developers.
Alfa File Monitor - File monitoring library for Win32 developers.

I think more specifically what is being said is that “copy” does not
exist as a discrete “operation”. Yes, you have plenty of methods to
log user “operations”, but “copy” is not a single operation but rather
a compound collection of read & write operations.

An application that is “reading” and “writing” might be “copying”, or
might be doing something entirely different.

You are free to try and guess what an application’s intention is (and
also hook higher-level APIs so that in a subset of circumstances you
won’t need to guess), but any approach is going to have some margin of
error for either mis-diagnosing an operation as being “copy” when it
isn’t, or of missing an operation that actually is a “copy”.

What is the actual intention, and/or what would your definition of
“copy” be in light of your intention? e.g. Would the fact that a word
processor read the file into memory and then wrote it out to a
different location be a “copy” operation? What if the data isn’t
exactly the same? (Word processor updated internal last-written,
last-viewed and/or file path data, etc.) Have they still “copied” the
file to another location?

As mentioned earlier, you may want to re-visit the design of whatever
you’re planning. e.g. Is the real problem “where” someone is writing
a file, and not so specifically that they “copied” it there. Depending
on your intention there may be other angles of attack.

A P wrote:

> You mean to say that Windows doesn’t allow any way to log user operations on
> files/network shares etc. the proper way? I don’t believe this. There has to
> be a way…

Alan Adams
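To make concrete what Pete and Alan describe (a filter sees open/read/open/write, and any "copy" verdict is a heuristic with a margin of error), here is an added example that is not part of the thread and not code from any poster. It replays a constructed filemon-style event log through a simple per-process correlator: a WRITE is attributed to a prior READ from another file in the same process when offset and a hash of the data buffer match (the `digest` field is an assumption; a plain filemon log does not carry one, a filter driver would have to compute it from the I/O buffer). The sample scenarios show one straightforward copy that is detected and two cases that defeat the heuristic.

```python
"""Heuristic 'copy' correlation over filemon-style events (added example)."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    pid: int
    op: str          # OPEN, READ, WRITE or CLOSE, as a filter would see it
    path: str
    offset: int = 0  # file offset of the READ/WRITE
    digest: str = "" # hash of the data buffer (constructed stand-in value)


def detect_copies(events):
    """Return sorted (pid, src, dst) guesses.

    A WRITE to dst at (offset, digest) is attributed to the most recent READ
    of the same (offset, digest) from another file in the same process.
    dst is reported as a copy of src only when every WRITE to dst matched a
    READ from that one src; any unmatched or mixed write disqualifies it.
    """
    reads = defaultdict(dict)                         # pid -> {(off, h): src}
    writes = defaultdict(lambda: defaultdict(list))   # pid -> dst -> [src|None]
    for ev in events:
        if ev.op == "READ":
            reads[ev.pid][(ev.offset, ev.digest)] = ev.path
        elif ev.op == "WRITE":
            src = reads[ev.pid].get((ev.offset, ev.digest))
            # A file re-writing its own bytes is not a copy of itself.
            writes[ev.pid][ev.path].append(src if src != ev.path else None)

    guesses = []
    for pid, per_dst in writes.items():
        for dst, sources in per_dst.items():
            distinct = set(sources)
            if len(distinct) == 1 and None not in distinct:
                guesses.append((pid, distinct.pop(), dst))
    return sorted(guesses)


def sample_events():
    """Constructed event log covering one hit and two misses of the heuristic."""
    # pid 100: a plain two-chunk copy of a.txt to b.txt; offsets and data match.
    plain_copy = [
        Event(100, "OPEN", r"C:\a.txt"),
        Event(100, "READ", r"C:\a.txt", 0, "h0"),
        Event(100, "READ", r"C:\a.txt", 4096, "h1"),
        Event(100, "OPEN", r"D:\b.txt"),
        Event(100, "WRITE", r"D:\b.txt", 0, "h0"),
        Event(100, "WRITE", r"D:\b.txt", 4096, "h1"),
        Event(100, "CLOSE", r"D:\b.txt"),
        Event(100, "CLOSE", r"C:\a.txt"),
    ]
    # pid 200: word processor "Save As" to a share. The body is byte-identical
    # but the header chunk was updated, so one write never matches: false negative.
    save_as = [
        Event(200, "OPEN", r"C:\doc.doc"),
        Event(200, "READ", r"C:\doc.doc", 0, "hdr"),
        Event(200, "READ", r"C:\doc.doc", 4096, "body"),
        Event(200, "CLOSE", r"C:\doc.doc"),
        Event(200, "OPEN", r"\\share\doc.doc"),
        Event(200, "WRITE", r"\\share\doc.doc", 0, "hdr-updated"),
        Event(200, "WRITE", r"\\share\doc.doc", 4096, "body"),
        Event(200, "CLOSE", r"\\share\doc.doc"),
    ]
    # pid 300: a backup tool stores a.txt inside an archive at a different
    # offset. Same bytes left the file, but the offset key differs: false negative.
    archive = [
        Event(300, "OPEN", r"C:\a.txt"),
        Event(300, "READ", r"C:\a.txt", 0, "h0"),
        Event(300, "OPEN", r"E:\backup.bak"),
        Event(300, "WRITE", r"E:\backup.bak", 512, "h0"),
        Event(300, "CLOSE", r"E:\backup.bak"),
        Event(300, "CLOSE", r"C:\a.txt"),
    ]
    return plain_copy + save_as + archive


if __name__ == "__main__":
    for pid, src, dst in detect_copies(sample_events()):
        print(f"pid {pid}: {dst} looks like a copy of {src}")
```

Only the pid 100 sequence is reported; the "Save As" and archive cases are real data movement the correlator cannot see, and conversely any program that happens to read and re-write identical bytes would be flagged even if copying was never its intent. Loosening the key (ignore offsets, accept partial matches) trades those misses for more false positives, which is the margin of error Alan refers to.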