How to detect file moved or copied

OSR_Community_User · April 23, 2009, 1:08am

how can i know if a file is being moved or copied in a file filter driver? whic IRP should I block?

Haibo · April 23, 2009, 1:30am

Move: IRP_MJ_SET_INFORMATION FileRenameInformation
Copy: God knows…

Regards
Haibo
-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of xxxxx@gmail.com
Sent: Thursday, April 23, 2009 1:10 PM
To: Windows File Systems Devs Interest List
Subject: [ntfsd] How to detect file moved or copied

how can i know if a file is being moved or copied in a file filter driver?
whic IRP should I block?

NTFSD is sponsored by OSR

For our schedule of debugging and file system seminars
(including our new fs mini-filter seminar) visit:
http://www.osr.com/seminars

To unsubscribe, visit the List Server section of OSR Online at
http://www.osronline.com/page.cfm?name=ListServer

David_J_Craig · April 23, 2009, 1:40am

Have you ever considered searching this newsgroup for the answer to your
question? It has been asked and answered many times. Hint: Read.

wrote in message news:xxxxx@ntfsd…
> how can i know if a file is being moved or copied in a file filter driver?
> whic IRP should I block?
>

OSR_Community_User · April 23, 2009, 4:27am

thank you,I have tried…but it seems I have the wrong hints…

OSR_Community_User · April 23, 2009, 4:52am

There is no real way to detect a ‘COPY’ operation. The best you can do is
create a set of
heuristics that ATTEMPT to detect a file copy.

Usually, a file copy consist of two Creates, and then multiple reads from
one of those creates
to multiple writes on the other file object.

A completely inaccurate way of detecting this is tracking creates on
existing files only, storing
their name and size, and then looking for that same name and size in the
create and write for other
file objects.

Dumping and clearing out the contents of the struct/list that holds these
values every few
seconds will decrease your false positives, however, a scheme like this is
paramount to
‘shitty architecture’.

The real answer is simple and I’m sure is something that you don’t want to
hear, but as I said,
it’s simple. What you seek to do is impossible in any reliable manner.

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of xxxxx@gmail.com
Sent: Thursday, April 23, 2009 3:29 AM
To: Windows File Systems Devs Interest List
Subject: RE:[ntfsd] How to detect file moved or copied

thank you,I have tried…but it seems I have the wrong hints…

NTFSD is sponsored by OSR

For our schedule of debugging and file system seminars
(including our new fs mini-filter seminar) visit:
http://www.osr.com/seminars

To unsubscribe, visit the List Server section of OSR Online at
http://www.osronline.com/page.cfm?name=ListServer

OSR_Community_User · April 23, 2009, 8:42am

thanks! I am wandering if hook will work~

Don_Burn_1 · April 23, 2009, 8:53am

You are just digging yourself deeper as far as this list is concerned.
First you ask a common question without checking the archives, now you
suggest a dispised technique without checking the archives where you would
see that suggesting hooking will get you ignored. I suggest a course of
reading before you do anything else.

–
Don Burn (MVP, Windows DDK)
Windows Filesystem and Driver Consulting
Website: http://www.windrvr.com
Blog: http://msmvps.com/blogs/WinDrvr

wrote in message news:xxxxx@ntfsd…
> thanks! I am wandering if hook will work~
>
>
> Information from ESET NOD32 Antivirus, version of virus
> signature database 4030 (20090423)
>
> The message was checked by ESET NOD32 Antivirus.
>
> http://www.eset.com
>
>
>

Information from ESET NOD32 Antivirus, version of virus signature database 4030 (20090423)

The message was checked by ESET NOD32 Antivirus.

http://www.eset.com

Frank_Young · April 23, 2009, 8:58am

The move is easy, as suggested by Haibo.

However, the “Copy” action is completely applicatoin specific. E.g., you can read from file, write to a tmp file, then write to the destination.

If you just want to track the standard copy APIs, use detour/hook to track the file management functions like CopyFile/CopyFileEx/CopyFileTransacted…

Don_Burn_1 · April 23, 2009, 9:04am

The move is easy only if you limit your checks to moves on one volume
otherwise it is handled like a copy. You mention the standard API’s but
that does nothing for all the other ways to copy a file, for instance if it
is a text file open in with any editor then save as.

As has been explained many times on this list, the problem is impossible to
solve.

–
Don Burn (MVP, Windows DDK)
Windows Filesystem and Driver Consulting
Website: http://www.windrvr.com
Blog: http://msmvps.com/blogs/WinDrvr

wrote in message news:xxxxx@ntfsd…
> The move is easy, as suggested by Haibo.
>
> However, the “Copy” action is completely applicatoin specific. E.g., you
> can read from file, write to a tmp file, then write to the destination.
>
> If you just want to track the standard copy APIs, use detour/hook to track
> the file management functions like
> CopyFile/CopyFileEx/CopyFileTransacted…
>
>
> Information from ESET NOD32 Antivirus, version of virus
> signature database 4030 (20090423)
>
> The message was checked by ESET NOD32 Antivirus.
>
> http://www.eset.com
>
>
>

Information from ESET NOD32 Antivirus, version of virus signature database 4030 (20090423)

The message was checked by ESET NOD32 Antivirus.

http://www.eset.com

OSR_Community_User · April 24, 2009, 8:54am

For copy, the task is impossible.

–
Maxim S. Shatskih
Windows DDK MVP
xxxxx@storagecraft.com
http://www.storagecraft.com

wrote in message news:xxxxx@ntfsd…
> how can i know if a file is being moved or copied in a file filter driver? whic IRP should I block?
>

Gavin_Ye · April 28, 2009, 6:28am

I think it’s not a good idea to resolve “COPY” only in one place.
Generally, the solution may contain several parts. Even though, the
solution is still a “some degree” solution.

But if it can handle most of normal operations, it is acceptable. After all,
it is decided by use case.

== Gavin

On Fri, Apr 24, 2009 at 5:53 AM, Maxim S. Shatskih
wrote:

> For copy, the task is impossible.
>
> –
> Maxim S. Shatskih
> Windows DDK MVP
> xxxxx@storagecraft.com
> http://www.storagecraft.com
>
> wrote in message news:xxxxx@ntfsd…
> > how can i know if a file is being moved or copied in a file filter
> driver? whic IRP should I block?
> >
>
> —
> NTFSD is sponsored by OSR
>
> For our schedule of debugging and file system seminars
> (including our new fs mini-filter seminar) visit:
> http://www.osr.com/seminars
>
> To unsubscribe, visit the List Server section of OSR Online at
> http://www.osronline.com/page.cfm?name=ListServer
>

–
==============================
How to redeem ?