hello,
i want to write a filter driver that can prevent virus,or some
misoperation to format my data disk,and i finished the base of the
driver,but i do not know which IRP should i to do with,and how can I
disable the format IRP ?
thanks.
best regards.
Ãâ·ÑÏÂÔØ MSN Explorer: http://explorer.msn.com/lccn/
Block IOCTL_DISK_FORMAT_TRACKS and the EX variation.
“shark mouse” wrote in message news:xxxxx@ntdev…
> hello,
> i want to write a filter driver that can prevent virus,or some
> misoperation to format my data disk,and i finished the base of the
> driver,but i do not know which IRP should i to do with,and how can I
> disable the format IRP ?
> thanks.
> best regards.
>
> _________________________________________________________________
> Ãâ·ÑÏÂÔØ MSN Explorer: http://explorer.msn.com/lccn/
>
It would be useless to do this. Just take your “data disk” to another
machine and format it there.
“David J. Craig” wrote in message
news:xxxxx@ntdev…
> Block IOCTL_DISK_FORMAT_TRACKS and the EX variation.
>
> “shark mouse” wrote in message news:xxxxx@ntdev…
>> hello,
>> i want to write a filter driver that can prevent virus,or some
>> misoperation to format my data disk,and i finished the base of the
>> driver,but i do not know which IRP should i to do with,and how can I
>> disable the format IRP ?
>> thanks.
>> best regards.
>>
>> _________________________________________________________________
>> Ãâ·ÑÏÂÔØ MSN Explorer: http://explorer.msn.com/lccn/
>>
>
>
>
Windows FORMAT on hard disks uses IOCTL_DISK_VERIFY, not FORMAT TRACKS.
Quick format does not use even this, it just writes an empty FS volume
blockwise.
Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
xxxxx@storagecraft.com
http://www.storagecraft.com
----- Original Message -----
From: “David J. Craig”
Newsgroups: ntdev
To: “Windows System Software Devs Interest List”
Sent: Wednesday, July 27, 2005 1:22 AM
Subject: Re:[ntdev] Help about prevent disk from being formatted?
> Block IOCTL_DISK_FORMAT_TRACKS and the EX variation.
>
> “shark mouse” wrote in message news:xxxxx@ntdev…
> > hello,
> > i want to write a filter driver that can prevent virus,or some
> > misoperation to format my data disk,and i finished the base of the
> > driver,but i do not know which IRP should i to do with,and how can I
> > disable the format IRP ?
> > thanks.
> > best regards.
> >
> > _________________________________________________________________
> > Ãâ·ÑÏÂÔØ MSN Explorer: http://explorer.msn.com/lccn/
> >
>
>
>
> —
> Questions? First check the Kernel Driver FAQ at
http://www.osronline.com/article.cfm?id=256
>
> You are currently subscribed to ntdev as: xxxxx@storagecraft.com
> To unsubscribe send a blank email to xxxxx@lists.osr.com
shark mouse wrote:
hello,
i want to write a filter driver that can prevent virus,or some
misoperation to format my data disk,and i finished the base of the
driver,but i do not know which IRP should i to do with,and how can I
disable the format IRP ?
thanks.
best regards.
Ãâ·ÑÏÂÔØ MSN Explorer: http://explorer.msn.com/lccn/
Ummm define “some misoperation” and distinguish it clearly from “format
my partition because its got a root kit”.
How would you distinguish it anyway?
And even if you did, whats to stop me from powering down the system,
booting into a Knoppix live CD and formatting the drive anyway?
Or into a Win PE CD - though I havent ever tried it out yet…
Yuvraaj
sorry,someone misunderstand my meaning,i just want to do something to
protect my data,if my data disk can be get or move to other machine,then
anything you can do is in vain,so the first thing is that the disk can be
physical protected.
my meaning is that in windows some user can not destroy my data using
formating the disk,just this.
i just want to know which IRP the disk driver use to format the
disk,then i can block the IRP,that is OK!
ÏíÓÃÊÀ½çÉÏ×î´óµÄµç×ÓÓʼþϵͳ¡ª MSN Hotmail¡£ http://www.hotmail.com
Take it out of the computer and lock in a very large safe or a safety
deposit box at the bank. You question was answered correctly in this
thread.
“shark mouse” wrote in message news:xxxxx@ntdev…
> sorry,someone misunderstand my meaning,i just want to do something to
> protect my data,if my data disk can be get or move to other machine,then
> anything you can do is in vain,so the first thing is that the disk can be
> physical protected.
> my meaning is that in windows some user can not destroy my data using
> formating the disk,just this.
> i just want to know which IRP the disk driver use to format the
> disk,then i can block the IRP,that is OK!
>
> _________________________________________________________________
> ÏíÓÃÊÀ½çÉÏ×î´óµÄµç×ÓÓʼþϵͳ¡ª MSN Hotmail¡£ http://www.hotmail.com
>
In Windows, only admins can format disks. So, “some user” cannot.
Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
xxxxx@storagecraft.com
http://www.storagecraft.com
----- Original Message -----
From: “shark mouse”
To: “Windows System Software Devs Interest List”
Sent: Wednesday, July 27, 2005 9:12 AM
Subject: Re:[ntdev] Help about prevent disk from being formatted?
> sorry,someone misunderstand my meaning,i just want to do something to
> protect my data,if my data disk can be get or move to other machine,then
> anything you can do is in vain,so the first thing is that the disk can be
> physical protected.
> my meaning is that in windows some user can not destroy my data using
> formating the disk,just this.
>
> i just want to know which IRP the disk driver use to format the
> disk,then i can block the IRP,that is OK!
>
> _________________________________________________________________
> ÏíÓÃÊÀ½çÉÏ×î´óµÄµç×ÓÓʼþϵͳ¡ª MSN Hotmail¡£ http://www.hotmail.com
>
>
> —
> Questions? First check the Kernel Driver FAQ at
http://www.osronline.com/article.cfm?id=256
>
> You are currently subscribed to ntdev as: xxxxx@storagecraft.com
> To unsubscribe send a blank email to xxxxx@lists.osr.com
oh,why so many person make joke with me?
i just want to solve this problem,who can help me?
Ãâ·ÑÏÂÔØ MSN Explorer: http://explorer.msn.com/lccn
There is no one IRP - NT doesn’t do low-level formatting of the drive.
Format.exe uses reads and writes to partition 0 to write out the new file system. Any other application that can gain write access to partition 0 could do the same.
You won’t be able to block this at the driver level.
-p
-----Original Message-----
From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com] On Behalf Of shark mouse
Sent: Tuesday, July 26, 2005 10:12 PM
To: Windows System Software Devs Interest List
Subject: Re:[ntdev] Help about prevent disk from being formatted?
sorry,someone misunderstand my meaning,i just want to do something to protect my data,if my data disk can be get or move to other machine,then anything you can do is in vain,so the first thing is that the disk can be physical protected.
my meaning is that in windows some user can not destroy my data using formating the disk,just this.
i just want to know which IRP the disk driver use to format the disk,then i can block the IRP,that is OK!
???ĵ???ʼ?ϵͳ?? MSN Hotmail?? http://www.hotmail.com
Questions? First check the Kernel Driver FAQ at http://www.osronline.com/article.cfm?id=256
You are currently subscribed to ntdev as: xxxxx@windows.microsoft.com To unsubscribe send a blank email to xxxxx@lists.osr.com
Do not give the admin password to everybody non admins cannot format
disks.
Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
xxxxx@storagecraft.com
http://www.storagecraft.com
----- Original Message -----
From: “shark mouse”
To: “Windows System Software Devs Interest List”
Sent: Wednesday, July 27, 2005 7:44 PM
Subject: Re:[ntdev] Help about prevent disk from being formatted?
> oh,why so many person make joke with me?
> i just want to solve this problem,who can help me?
>
> _________________________________________________________________
> Ãâ·ÑÏÂÔØ MSN Explorer: http://explorer.msn.com/lccn
>
>
> —
> Questions? First check the Kernel Driver FAQ at
http://www.osronline.com/article.cfm?id=256
>
> You are currently subscribed to ntdev as: xxxxx@storagecraft.com
> To unsubscribe send a blank email to xxxxx@lists.osr.com
thanks,but if i can not do it in kernel driver,whether i can do it in
user space by hooking some function such as “Format”,“SHFormatDrive” ?
but the hook is not successful each time,this is so boring.is there
anything other way to do it?
ÏíÓÃÊÀ½çÉÏ×î´óµÄµç×ÓÓʼþϵͳ¡ª MSN Hotmail¡£ http://www.hotmail.com
Unnecessary thing. Absolutely. In Windows, only admins can format drives.
Restricting admins is this is not necessary, and non-admins are already
restricted.
Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
xxxxx@storagecraft.com
http://www.storagecraft.com
----- Original Message -----
From: “shark mouse”
To: “Windows System Software Devs Interest List”
Sent: Thursday, July 28, 2005 8:49 AM
Subject: RE:[ntdev] Help about prevent disk from being formatted?
> thanks,but if i can not do it in kernel driver,whether i can do it in
> user space by hooking some function such as “Format”,“SHFormatDrive” ?
> but the hook is not successful each time,this is so boring.is there
> anything other way to do it?
>
> _________________________________________________________________
> ÏíÓÃÊÀ½çÉÏ×î´óµÄµç×ÓÓʼþϵͳ¡ª MSN Hotmail¡£ http://www.hotmail.com
>
>
> —
> Questions? First check the Kernel Driver FAQ at
http://www.osronline.com/article.cfm?id=256
>
> You are currently subscribed to ntdev as: xxxxx@storagecraft.com
> To unsubscribe send a blank email to xxxxx@lists.osr.com
Shark,
What you are suggesting (adding some sort of protection mechanism at the
kernel level (filter driver) and/or user level (hooks) to prevent a disk
drive from being formatted) does not make sense, because:
-
Any user with administrator rights can remove any added protection
installed at the kernel level and format the drive.
-
Any user with administrator rights can remove any added protection
installed at the user level and format the drive.
-
Any user without administrator rights does not need any added kernel
level or user level protection because the administrator can deny them
permission to format drives. This is your best option. However, if a user
has physical access to the machine, this is also meaningless because:
3a. Any user with a Windows XP CD can boot into Windows XP Setup and
format the drive.
3b. Any user with a Knoppix CD can boot into Linux and format the drive.
3c. Any user with a MS-DOS floppy can boot into MS-DOS and format the
drive.
3d. Need I go on? This is not an exhaustive list. If a user has physical
access to the machine, there is nothing you can do.
-Dan
----- Original Message -----
Subject: RE: Help about prevent disk from being formatted?
From: “shark mouse”
> Date: Thu, 28 Jul 2005 12:49:07 +0800
>
> thanks,but if i can not do it in kernel driver,whether i can do it in
> user space by hooking some function such as “Format”,“SHFormatDrive” ?
> but the hook is not successful each time,this is so boring.is there
> anything other way to do it?
Use a disc that does full disc encryption, FDE. The only way to format that
disc, whether or not you have moved it to another computer, is to either
have the proper credentials. or disassemble the disc change out the firmware
board. ANY software solution is fundamentally flawed in protecting against
such an attack, when you can boot to an OS that will allow you to do what
you want, by simply inserting a floppy or a CD. FDE forces authentication
and login BEFORE the disc can even be accessed.
The personal opinion of
Gary G. Little
“shark mouse” wrote in message news:xxxxx@ntdev…
> sorry,someone misunderstand my meaning,i just want to do something to
> protect my data,if my data disk can be get or move to other machine,then
> anything you can do is in vain,so the first thing is that the disk can be
> physical protected.
> my meaning is that in windows some user can not destroy my data using
> formating the disk,just this.
> i just want to know which IRP the disk driver use to format the
> disk,then i can block the IRP,that is OK!
>
> _________________________________________________________________
> ÏíÓÃÊÀ½çÉÏ×î´óµÄµç×ÓÓʼþϵͳ¡ª MSN Hotmail¡£ http://www.hotmail.com
>
Shark Mouse,
Please understand that our answers are based on how you asked your question. We are not trying to prevent you from accomplishing your goals. We are trying to help move you away from a solution that won’t work and point you to how to solve the problem you are trying to solve. Unfortunately, you have structured your original question in such a way as to prevent a solution. You have said, “I want to prevent administrators from being able to format my disk”. This is not possible – period.
If you just want to prevent common usage of specific format utilities (i.e format.com), you could apply strong ACLs to the file. If you want to just prevent common usage of the shell’s “format” option, you may not get a best answer here – we’re mostly focused on driver development on this list. Hooking the shell functions that get called from user-mode may work for you – I really don’t know as I have no experience hooking calls. I would be afraid that if the memory is paged out, then paged back in, it might come in from the original binary and therefore lose my hook.
Note that neither of the above two options will actually do anything to prevent someone from formatting the media or destroying your data. Since you’ve given them administrator access, they can literally do anything they want on the machine, including overriding your hook with their own to go back to the original location. Therefore, a complete solution must begin with limiting the user to a normal user account.
The correct way to prevent a “user” from formatting the disk is to not grant the “user” administrative or power-user privileges. This greatly and immediately restricts the user. If you want to lock down the machine even more, apply a security policy that locks down the machine as you want. You can even setup the machine to only allow “good” executable to run – search for “SAFER” (all capitals). Again, I have no personal experience with that type of setup, but I want you to have resources to help.
Hope that helps,
.
-----Original Message-----
From: shark mouse [mailto:xxxxx@hotmail.com]
Sent: Wednesday, July 27, 2005 9:49 PM
Subject: RE: Help about prevent disk from being formatted?
thanks,but if i can not do it in kernel driver,whether i can do it in
user space by hooking some function such as “Format”,“SHFormatDrive” ?
but the hook is not successful each time,this is so boring.is there
anything other way to do it?
???ĵ???ʼ?ϵͳ?? MSN Hotmail?? http://www.hotmail.com
thanks the reply from everybody.
maybe someone is still misunderstanding my question,my goal is to make a
method to prevent the user destroy my data disk,this is only thought of
user’s misoperation,not ill intentions.so i do think of the boot cd or move
the disk to another computer,etc,just want to do this.
in detail,want to prevent two ways to format the disk:
1.prevent common usage of the shell’s “format” option
2.prevent common usage of specific format utilities (i.e format.com),
just this.
ÓëÁª»úµÄÅóÓѽøÐн»Á÷£¬ÇëʹÓà MSN Messenger: http://messenger.msn.com/cn
IIRC, all user mode formatting tools finally call a function from fmifs.dll. You can try to hook exported Format() and FormatEx() function. At XP there is also FormatEx2() exported so you’d have to probably hook it, too. Read the old Mark Russinovich’s article for more info: http://www.sysinternals.com/sourcecode/fmifs.html.
Hooking user mode DLL should be enough for your purposes as an attempt to stop malicious software running under administrator account is futile, as it was said many times here. It would be hard or impossible to detect an attempt to format in the kernel driver. From the article: “Neither UNTFS.DLL nor UFAT.DLL call file system drivers to take any part in a format or chkdsk operation - they directly read and write raw clusters on the drive.” If it still applies, the only way which could work would be to deny attempts to open volume for direct access which’d have other negative consequences because tools like chkdsk, disk defragmenters etc. use it, too.
BTW, I don’t quite agree with common list sense expressed in past days. Although attempts to stop admin from formatting disk are theoretically useless because admin can always bypass them, they may not be quite useless in practice. If there is a virus, trojan or any other malicious software which tries to use format, it may help. I presume a situation when admin reads mails or browses web (Should he? No! Do they? Yes!) and the attack isn’t directed specially against him. On the other hand, there are many other ways how to destroy data. If you presume user accidentally runs format.com (actually PE file with correct parameters, what if he accidentally runs “del /s *.*” in the root directory?
Best regards,
Michal Vodicka
UPEK, Inc.
[xxxxx@upek.com, http://www.upek.com]
From: xxxxx@lists.osr.com[SMTP:xxxxx@lists.osr.com] on behalf of shark mouse[SMTP:xxxxx@hotmail.com]
Reply To: Windows System Software Devs Interest List
Sent: Friday, July 29, 2005 1:37 AM
To: Windows System Software Devs Interest List
Subject: RE:[ntdev] Help about prevent disk from being formatted?
thanks the reply from everybody.
maybe someone is still misunderstanding my question,my goal is to make a
method to prevent the user destroy my data disk,this is only thought of
user’s misoperation,not ill intentions.so i do think of the boot cd or move
the disk to another computer,etc,just want to do this.
in detail,want to prevent two ways to format the disk:
1.prevent common usage of the shell’s “format” option
2.prevent common usage of specific format utilities (i.e format.com),
just this.
???ѽ??н???ʹ?? MSN Messenger: http://messenger.msn.com/cn
Questions? First check the Kernel Driver FAQ at http://www.osronline.com/article.cfm?id=256
You are currently subscribed to ntdev as: xxxxx@upek.com
To unsubscribe send a blank email to xxxxx@lists.osr.com
> ----------
From: xxxxx@lists.osr.com[SMTP:xxxxx@lists.osr.com] on behalf of Gary G. Little[SMTP:glittle@mn.rr.com]
Reply To: Windows System Software Devs Interest List
Sent: Thursday, July 28, 2005 5:40 PM
To: Windows System Software Devs Interest List
Subject: Re:[ntdev] Help about prevent disk from being formatted?
Use a disc that does full disc encryption, FDE. The only way to format that
disc, whether or not you have moved it to another computer, is to either
have the proper credentials. or disassemble the disc change out the firmware
board. ANY software solution is fundamentally flawed in protecting against
such an attack, when you can boot to an OS that will allow you to do what
you want, by simply inserting a floppy or a CD. FDE forces authentication
and login BEFORE the disc can even be accessed.
Sorry Gary, I don’t see how FDE protects against data destroy. Once disk is mounted by OS, user and malicious software can do anything. If machine can be physically accessed, disk can be removed and destroyed by big hammer or simply stolen. The theorecical level of protection is the same as with software solutions i.e. zero
FDE can prevent against data access, if properly implemented. This is what I’d still like to know – do Seagate drives use hardcoded encryption key, key stored somewhere or some safe approach?
(sorry, caustic mood today
Best regards,
Michal Vodicka
UPEK, Inc.
[xxxxx@upek.com, http://www.upek.com]
The drive must be unlocked with user input before any reads or writes of the
media is permitted - as I understand it. Otherwise it would not be of any
use. I want one of those 160GB drives with FDE and vertical recording. It
should be a nice toy.
“Michal Vodicka” wrote in message
news:xxxxx@ntdev…
> ----------
> From:
> xxxxx@lists.osr.com[SMTP:xxxxx@lists.osr.com]
> on behalf of Gary G. Little[SMTP:glittle@mn.rr.com]
> Reply To: Windows System Software Devs Interest List
> Sent: Thursday, July 28, 2005 5:40 PM
> To: Windows System Software Devs Interest List
> Subject: Re:[ntdev] Help about prevent disk from being formatted?
>
> Use a disc that does full disc encryption, FDE. The only way to format
> that
> disc, whether or not you have moved it to another computer, is to either
> have the proper credentials. or disassemble the disc change out the
> firmware
> board. ANY software solution is fundamentally flawed in protecting against
> such an attack, when you can boot to an OS that will allow you to do what
> you want, by simply inserting a floppy or a CD. FDE forces authentication
> and login BEFORE the disc can even be accessed.
>
Sorry Gary, I don’t see how FDE protects against data destroy. Once disk is
mounted by OS, user and malicious software can do anything. If machine can
be physically accessed, disk can be removed and destroyed by big hammer or
simply stolen. The theorecical level of protection is the same as with
software solutions i.e. zero
FDE can prevent against data access, if properly implemented. This is what
I’d still like to know – do Seagate drives use hardcoded encryption key,
key stored somewhere or some safe approach?
(sorry, caustic mood today
Best regards,
Michal Vodicka
UPEK, Inc.
[xxxxx@upek.com, http://www.upek.com]