Hiding Files using Minifilters

I'm writing a filter driver, and for this I used the minifilter sample in the WDK. In the pre-operation callback
I intercepted IRP_MJ_DIRECTORY_CONTROL to iterate the files or folders of any folder, and to hide a file or folder I used the same concepts used in intercepting ZwQueryDirectoryFile.

Following is the code; please let me know what the problem is.

    UNICODE_STRING EntryName;
    UNICODE_STRING uStrParent;
    NTSTATUS rc;
    PUNICODE_STRING puStr = NULL;
    PVOID FileInformation = NULL;
    UNICODE_STRING defaultName;
    UNICODE_STRING uStr, uStr1;
    PUNICODE_STRING nameToUse;
    NTSTATUS status;
    PFILE_BOTH_DIR_INFORMATION stDirInfo;
    PFILE_BOTH_DIR_INFORMATION dir_info;
    PFLT_FILE_NAME_INFORMATION nameInfo = NULL;
    char *ptrParentDir = NULL;
    PCHAR ptr = NULL;
    char *buffer = NULL;
    wchar_t wcFullPathName[1024];
    int BytesReturned = 0;
    int bytesreturned = 0;
    int i = 0, iPos = 0;
    int j = 0, iLeft = 0;
    BOOLEAN bDone;

    nameToUse = &FltObjects->FileObject->FileName; //&nameInfo->Name;
    RtlInitUnicodeString(&uStr, L"log.txt");
    if ((Data->Iopb->MajorFunction == IRP_MJ_DIRECTORY_CONTROL))
    {
        DbgPrint("IRP_MJ_DIRECTORY_CONTROL\n");
        DbgPrint("Full Path : %ws\n", FltObjects->FileObject->FileName.Buffer);
        stDirInfo = (PFILE_BOTH_DIR_INFORMATION)Data->Iopb->Parameters.DirectoryControl.QueryDirectory.DirectoryBuffer;

        ProbeForRead(stDirInfo, sizeof(FILE_BOTH_DIR_INFORMATION), 1);

        EntryName.Length = (USHORT)stDirInfo->FileNameLength;
        EntryName.MaximumLength = EntryName.Length;
        EntryName.Buffer = &stDirInfo->FileName[0];

        bytesreturned = 0;
        while (1)
        {
            ProbeForRead(&stDirInfo->FileName[0], sizeof(WCHAR), 1);
            DbgPrint("File Name : %ws\n", &stDirInfo->FileName[0]);
            uStr1.Length = (USHORT)stDirInfo->FileNameLength;
            uStr1.MaximumLength = uStr1.Length;
            uStr1.Buffer = &stDirInfo->FileName[0];

            //RtlInitUnicodeString(&uStr1,&stDirInfo->FileName[0]);

            if (RtlCompareUnicodeString(&uStr1, &uStr, TRUE) == 0)
            {
                DbgPrint("File Compared");
                if (stDirInfo->NextEntryOffset == 0)
                    break;
                stDirInfo = (PFILE_BOTH_DIR_INFORMATION)(((PUCHAR)stDirInfo) + stDirInfo->NextEntryOffset);
                continue;
            }

            if (stDirInfo->NextEntryOffset != 0)
            {
                bytesreturned += stDirInfo->NextEntryOffset;
                DbgPrint("BytesRetured = %d, Offset Not Zero = %d\n", bytesreturned, stDirInfo->NextEntryOffset);
            }
            else
            {
                bytesreturned += sizeof(*stDirInfo) - sizeof(WCHAR) + stDirInfo->FileNameLength;
                DbgPrint("BytesRetured = %d, Offset = %d\n", bytesreturned, stDirInfo->NextEntryOffset);
            }
            //ptr+=stDirInfo->NextEntryOffset;
            //DbgPrint("ptr = %d\n",(ULONG)buffer);

            if (stDirInfo->NextEntryOffset == 0)
            {
                DbgPrint("Quit from inner loop");
                break;
            }
            stDirInfo = (PFILE_BOTH_DIR_INFORMATION)(((PUCHAR)stDirInfo) + stDirInfo->NextEntryOffset);
            DbgPrint("Next offset is not zero\n");
        } // while end

        if (bytesreturned > 0)
        {
            DbgPrint("BytesRetured > = %d\n", bytesreturned);
        }
        Data->IoStatus.Information = bytesreturned;
        RtlCopyMemory((PVOID)Data->Iopb->Parameters.DirectoryControl.QueryDirectory.DirectoryBuffer, (PVOID)stDirInfo, bytesreturned);
    }

The compared file is not being hidden; please let me know if there is a problem or another way to handle this type of problem.

Hi,

My news reader makes it difficult to read pasted in code but I cannot find
the return statements so I’m not really sure what your intention is.

You state that you are calling this in pre-operation. May I ask why? In
pre-operation all you have are the buffers that the application provided.
There will be nothing of any sense in them so examining them is pointless.
I suspect that you want to be doing this in post op.

As a meta point. Did you step through the code in the debugger to see what
was happening? How much time did you spend in analysis and thinking about
your problem (that’s rhetorical)? In general the guys in this group are
really helpful, but you only have a certain amount of “credit”. You have
asked 4 questions in the last 10 days, that is more than many people ask in
a year. If you use up “credit” on questions like this you will have nowhere
to go when you need an answer to the really difficult questions (“I’m
issuing relative creates in XP over RDR and they don’t always work” or “I
call IoCreateStreamFileObjectEx but close the handle before a create, MUP
crashes, what can I do?”).

A lot of guys spend a lot of time helping (and occasionally asking) in this
group; when the noise level goes up they are going to walk away either from
helping you (which is a tragedy for you) or helping anyone (which is the
tragedy of the commons).

I know you are under pressure to get this project done in a stupidly short
time. I understand about management who believe that a MA conversion from
media studies and 3 years J2EE experience is perfect qualification for
writing FS filter drivers (one of the more challenging software jobs out
there). But if you don't produce evidence of helping yourself, others are
going to become less and less willing to help. Me? I will only ask
questions of this group after at least half a day's research; they've never
let me down.

Good luck with your project and the learning cliff.

Rod


Rod Widdowson
Consulting Partner
Steading System Software LLP

wrote in message news:xxxxx@ntfsd…
> Compared file not hiding please let me know if there is any problem or any
> other way to handle this type of problem
>

Instead of searching and trying to solve the problem on your own, I see you've
reposted your question exactly one hour later (minus 1 minute) in an attempt
to bump it on something that IS NOT A MESSAGE BOARD.

I see multiple problems, sure everyone else does also. Hell, given the crux
of your difficulties, I know for a fact it's written about quite a bit in the archives.

Damn multiple “File…m…s…s”. <- me not trying to be helpful

Your real problem is you don’t know how to research; this is the best skill
anyone can have.

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of
xxxxx@yahoo.com
Sent: Monday, February 16, 2009 3:59 AM
To: Windows File Systems Devs Interest List
Subject: RE:[ntfsd] Hiding Files using Minifilters

Compared file not hiding please let me know if there is any problem or any
other way to handle this type of problem


NTFSD is sponsored by OSR

For our schedule of debugging and file system seminars
(including our new fs mini-filter seminar) visit:
http://www.osr.com/seminars

To unsubscribe, visit the List Server section of OSR Online at
http://www.osronline.com/page.cfm?name=ListServer

  • as Rod said, you cannot do that in a pre-operation callback; move your code
    to post-op.
  • debug it
  • note you have to return a different IoStatus code if you remove all entries
    (you have to return STATUS_NO_MORE_FILES or STATUS_NO_SUCH_FILE; search
    the archive for their differences); this must be implemented using a
    context for the given FileObject that is used for the search query, because you
    have to know whether you returned an entry in the last query or not

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of
xxxxx@yahoo.com
Sent: 16 February 2009 9:57
To: Windows File Systems Devs Interest List
Subject: [SPAM] [ntfsd] Hiding Files using Minifilters

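The buffer edit the replies are describing, as an added example that is not part of the thread or anyone's posted code: a user-mode C model of the post-operation pass over FILE_BOTH_DIR_INFORMATION entries that drops matching names by sliding the tail down or unlinking the last entry, refuses to walk a malformed NextEntryOffset chain, and returns the new IoStatus.Information length, with 0 meaning the listing emptied and the STATUS_NO_MORE_FILES / STATUS_NO_SUCH_FILE caveat from the third reply applies. ENTRY, lc, hide_entries, build_listing, LISTING and SAMPLE are constructed names; the struct keeps only the fields the algorithm needs, and the per-FileObject context the third reply asks for is not modelled.

```c
/* Constructed example (not the poster's code): user-mode model of the post-op IRP_MJ_DIRECTORY_CONTROL buffer edit. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>
typedef uint16_t WCHAR;                               /* the 16-bit NT WCHAR, not the host wchar_t */
typedef struct { uint32_t NextEntryOffset, FileNameLength; WCHAR FileName[1]; } ENTRY;
static WCHAR lc(WCHAR c) { return (c >= 'A' && c <= 'Z') ? (WCHAR)(c + 32) : c; }
/* ASCII case-insensitive compare, the effect of RtlCompareUnicodeString(..., TRUE). */
int name_matches(const ENTRY *e, const char *name) {
    if (e->FileNameLength != strlen(name) * sizeof(WCHAR)) return 0;
    for (size_t i = 0; name[i]; i++)
        if (lc(e->FileName[i]) != lc((WCHAR)(unsigned char)name[i])) return 0;
    return 1;
}
/* Removes every entry named `hide` from a listing of `len` bytes (IoStatus.Information) and returns the new
 * length. 0 means the listing is now empty: complete with STATUS_NO_MORE_FILES or STATUS_NO_SUCH_FILE, not STATUS_SUCCESS. */
size_t hide_entries(uint8_t *buf, size_t len, const char *hide) {
    size_t off = 0; ENTRY *prev = NULL;
    while (off + offsetof(ENTRY, FileName) <= len) {
        ENTRY *cur = (ENTRY *)(buf + off);
        uint32_t next = cur->NextEntryOffset;
        if (next > len - off) break;                  /* malformed chain: stop before walking past the buffer */
        if (name_matches(cur, hide)) {
            if (next == 0) {                          /* hidden entry is last: unlink it from its predecessor */
                if (prev) prev->NextEntryOffset = 0;
                return off;                           /* off == 0 here: nothing is left to report */
            }
            memmove(cur, buf + off + next, len - off - next); /* slide the tail down; relative offsets stay valid */
            len -= next;                              /* the loop re-examines whatever now sits at `off` */
        } else {
            if (next == 0) break;
            prev = cur; off += next;
        }
    }
    return len;
}
/* Constructed sample input: lays the names out as a chained, 8-byte-aligned listing. */
_Alignas(8) uint8_t LISTING[256];
const char *SAMPLE[] = { "a.txt", "LOG.TXT", "b.txt" };
size_t build_listing(uint8_t *buf, const char **names, int n) {
    size_t off = 0;
    for (int i = 0; i < n; i++) {
        ENTRY *e = (ENTRY *)(buf + off);
        e->FileNameLength = (uint32_t)(strlen(names[i]) * sizeof(WCHAR));
        for (uint32_t c = 0; c < e->FileNameLength / sizeof(WCHAR); c++) e->FileName[c] = (WCHAR)names[i][c];
        size_t size = (offsetof(ENTRY, FileName) + e->FileNameLength + 7) & ~(size_t)7;
        e->NextEntryOffset = (i + 1 < n) ? (uint32_t)size : 0; off += size;
    }
    return off;
}
```

Each of the three entries occupies 24 bytes after alignment, so hiding one of them leaves 48 bytes whatever its position, and hiding the only entry returns 0.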