Hiding a file header using a minifilter

Let’s say I’m trying to hide a 4096-byte header at the start of a 3-byte file (bytes: 01 02 03).
Currently I have very small ambitions: I just want to read back the data, and have the header transparently skipped.

Attempt 1:
In pre read/write do ‘Data->Iopb->Parameters.Read/Write.ByteOffset.QuadPart += 4096’.

Result 1:
Reading the file from the start the user gets 01 02 03. All good so far.
However, if they keep reading there are 4096 zeros *after* their data. Wrong.

Attempt 2:
In addition I do ‘FSRTL_COMMON_FCB_HEADER->FileSize/ValidDataLength -= 4096’ in post create.

Result 2:
Reading the file from the start the user gets 01 02 03 and then the end-of-file. All good so far.
However, repeated attempts will see the already-modified FileSize/ValidDataLength and try
to modify it again. Wrong.

Is header-hiding possible with a minifilter?
If so, I’d be very glad of any hints regarding a viable approach.

Thanks in advance,

David

Yes, it is possible but as you can read in this forum there are several
edge cases which you need to get just right. The most important is that
by the time you receive a paging write, the file must already be
extended to accommodate the header and the extended data. As well, you
need to deal with set/query file information requests, directory
enumeration requests, etc.

But to start, search this forum, you will have a ton of information to
sift through to get you going.

Pete

On 8/12/2014 10:15 AM, xxxxx@nney.com wrote:


Kernel Drivers
Windows File System and Device Driver Consulting
www.KernelDrivers.com
866.263.9295

Hi
Are you trying to have some kind of persistent context for files over
reboots? It looks like that to me, and adding a file header makes it hard
not to make mistakes.
I would suggest two other options:

  1. The easy one would be to just use an ADS as your header, protect the ADS
     from unwanted access and work with it.
  2. Use a state cache table like in the AV sample but adapt it to your needs of
     course. Register for IRP_MJ_SHUTDOWN and save your table as binary data to
     the registry in a format you are comfortable reading if you have an early
     boot driver, or to some file (depending on your needs of course). Next
     boot/start, load your state table in DriverEntry and continue.

Hope it helps and this is what you needed.

On Aug 12, 2014 6:16 PM, wrote:

Hi Gabriel, thanks for the feedback but I really do need to associate additional information with some files in a platform neutral way that will travel with the file (if it is copied without my minifilter present). A file header seems like a perfect solution to this.

Hi Peter,

Thanks for your feedback. I’ve read a lot from this forum and understand that a complete header-hiding solution would involve filtering IRP_MJ_QUERY_INFORMATION, IRP_MJ_SET_INFORMATION, IRP_MJ_DIRECTORY_CONTROL and more besides. However, I’m floundering on a tiny subproblem within this, namely “hiding the header when a file is opened and read”.

When I CreateFile and then ReadFile from userspace my minifilter (which passes through everything) only sees IRP_MJ_CREATE then IRP_MJ_READ before file content is returned. So I reason that it must be the case that I can get subproblem success just by filtering these two. Is that reasoning correct?

What frustrates me presently is I have not had success even on this tiny subproblem.

Thanks in advance,

David

Hi,
You know better what your design needs.
I was thinking about when you for example uninstall your product and stuff
like that you need to undo all of the header-ing from all the files you
have affected on the system and stuff like that.
But what if your file ends up on a system where your minifilter is not
present, as you say? Wouldn’t that be a problem if you have, for example,
altered a DLL file or some binary?

Regards,
Gabriel

On Mon, Aug 18, 2014 at 1:08 PM, wrote:


Bercea. G.

It depends … are you starting with a file you created through some
other tool which contains the header? And all you want to do is read the
file content? If that is the case, then performing a simple operation
like ‘type’ would probably work only altering the read information. But
it could break if the application queries the file size and expects to
read that amount of data, in which case you would need to also filter
the query_info and dir_query ops. If you are using a tool such as
notepad to read the content then you will definitely need to filter the
file size queries.

Pete

On 8/18/2014 5:08 AM, xxxxx@nney.com wrote:
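Added example, not code from the thread and not FltMgr code: a user-mode C model of the translation a header-hiding minifilter has to apply on IRP_MJ_READ and on the file-size queries that Pete's replies point to (IRP_MJ_QUERY_INFORMATION). It models David's Attempt 1 (offset shifted only) beside a corrected read path that also clamps the length to the logical end of file, and it shows why the size reported to the caller must be recomputed from the real size on every query rather than subtracted from the FCB header once (the repeated-subtraction failure of Attempt 2). The byte-array "disk", the 0xAA header contents and every function name below are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical user-mode model: the "disk" is a byte array and the
 * minifilter callbacks are plain functions, so the offset/length/size
 * arithmetic can be exercised without a kernel. */

#define HEADER_SIZE 4096u          /* hidden header size used in the thread */
#define PAYLOAD_SIZE 3u            /* the real bytes 01 02 03 */

/* Constructed on-disk image: header followed by the payload; real size 4099. */
static unsigned char g_disk[HEADER_SIZE + PAYLOAD_SIZE];
static const uint64_t g_real_size = sizeof g_disk;

void init_disk(void)
{
    memset(g_disk, 0xAA, HEADER_SIZE);      /* opaque header contents */
    g_disk[HEADER_SIZE + 0] = 0x01;
    g_disk[HEADER_SIZE + 1] = 0x02;
    g_disk[HEADER_SIZE + 2] = 0x03;
}

/* What the file system below the filter does with a read: serve bytes of
 * the real stream and stop at the real end of file. */
static size_t fs_read(uint64_t offset, size_t length, unsigned char *out)
{
    if (offset >= g_real_size)
        return 0;                            /* the STATUS_END_OF_FILE case */
    if (length > g_real_size - offset)
        length = (size_t)(g_real_size - offset);
    memcpy(out, g_disk + offset, length);
    return length;
}

/* Post-query-information model: the EndOfFile the caller should see. It is
 * recomputed from the real size on every call and never written back into
 * the FCB header, so a second query cannot subtract the header again. */
uint64_t filtered_eof(void)
{
    return g_real_size > HEADER_SIZE ? g_real_size - HEADER_SIZE : 0;
}

/* Unfiltered size query: what the caller sees when only reads are filtered. */
uint64_t unfiltered_eof(void)
{
    return g_real_size;
}

/* Pre-read model. With shift_only set this is Attempt 1: only ByteOffset is
 * moved. The corrected path also refuses reads at or beyond the logical EOF
 * and clamps Length to it, so the caller gets 01 02 03 and then end-of-file. */
size_t filtered_read(uint64_t offset, size_t length, unsigned char *out, int shift_only)
{
    if (!shift_only) {
        uint64_t eof = filtered_eof();
        if (offset >= eof)
            return 0;
        if (length > eof - offset)
            length = (size_t)(eof - offset);
    }
    return fs_read(offset + HEADER_SIZE, length, out);
}

/* A reader in the style of 'notepad': query the size, then read in small
 * chunks until that many bytes arrive or the file system reports EOF.
 * Returns the bytes obtained; *expected receives the size it was told. */
size_t app_read_file(int filter_sizes, unsigned char *out, size_t cap, uint64_t *expected)
{
    uint64_t size = filter_sizes ? filtered_eof() : unfiltered_eof();
    size_t got = 0;
    *expected = size;
    while (got < size && got < cap) {
        size_t chunk = (cap - got < 2) ? cap - got : 2;
        size_t n = filtered_read(got, chunk, out + got, !filter_sizes);
        if (n == 0)
            break;                            /* short read: size and data disagree */
        got += n;
    }
    return got;
}

int main(void)
{
    unsigned char buf[8192];
    uint64_t expected;
    init_disk();
    size_t got = app_read_file(1, buf, sizeof buf, &expected);
    printf("filtered: expected %llu, got %zu bytes: %02x %02x %02x\n",
           (unsigned long long)expected, got, buf[0], buf[1], buf[2]);
    got = app_read_file(0, buf, sizeof buf, &expected);
    printf("reads filtered, sizes not: expected %llu, got %zu bytes (short read)\n",
           (unsigned long long)expected, got);
    return 0;
}
```

With both reads and size queries translated, the reader is told 3 bytes and receives exactly 01 02 03. With the offset shift alone, it is told 4099 bytes and receives 3, which is the size/data disagreement Pete describes; an application that trusts the reported size then misbehaves. Keeping the translation stateless (derived from the real size per request) is what removes Attempt 2's double-subtraction problem.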