how to determine the file format and then redirect the file

hi everyone.
I want to redirect any PE format files downloaded from IE Browsers to my path based on minfilter.
The file is created in IRP_MJ_CREATE, so the redirection presumably has to happen there. But if I want to determine whether a file is a PE file, that check must be implemented in IRP_MJ_WRITE.
This brings me a problem. I want to determine the file type first and then redirect it, but in fact, in a minifilter driver, the redirection comes first and the file type can only be determined afterwards.
So, can anyone tell me a method to solve this problem?

If I remember correctly, IE downloads a file to a temporary name and then renames it to the final name once the download is complete. Perhaps you could use this mechanism and rename the file to your path (instead of the actual file name) at that time ?

You simply can’t know during IRP_MJ_CREATE what the file will contain and you can’t move the file at IRP_MJ_WRITE time (or at least there are cases when you can’t). You will likely need to wait until the file is downloaded before you can do anything. You could determine whether the file is a PE file during IRP_MJ_WRITE and then schedule a rename using a different thread or a workitem or a user mode service, or you could determine the file type right when the file is closed and take action then.

In my opinion you should probably not attempt to parse the file in the driver (because file parses are often exploitable) and you should not interfere with the WRITE path too much since it might have negative effects on the whole system’s performance. Perhaps it would be easier to have a user mode service that does the scanning and renaming of the file if they match your criteria while the minifilter would be used to detect which files are being downloaded (and send them to the user mode service) and when the download is complete and also to block (or delay) access to the file until the service has finished processing the file.

Thanks,
Alex.
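Alex's suggestion above is to check the file type once the download is complete, ideally in a user-mode service, with a parser that cannot be pushed out of bounds by a truncated or malformed file. The following is an added example in plain C (not code from this thread, SimRep or the WDK) of such a bounds-checked PE signature check; the helper names and the sample buffers are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical user-mode helper. A PE image starts with a DOS header ("MZ")
 * whose e_lfanew field at offset 0x3C gives the offset of the "PE\0\0"
 * signature. Every read below is bounds-checked first, so a partial download
 * or a hostile file cannot make the scanner read outside the buffer. */
#define DOS_MAGIC        0x5A4Du      /* "MZ" as a little-endian WORD      */
#define PE_MAGIC         0x00004550u  /* "PE\0\0" as a little-endian DWORD  */
#define E_LFANEW_OFFSET  0x3Cu
#define DOS_HEADER_SIZE  0x40u

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Returns 1 when buf[0..len) begins with a well-formed DOS+PE signature pair, else 0. */
int is_pe_image(const uint8_t *buf, size_t len)
{
    if (buf == NULL || len < DOS_HEADER_SIZE) return 0;   /* need the whole DOS header */
    if (rd16(buf) != DOS_MAGIC) return 0;
    uint32_t e_lfanew = rd32(buf + E_LFANEW_OFFSET);
    if (e_lfanew > len - 4) return 0;                      /* signature must lie inside buf */
    return rd32(buf + e_lfanew) == PE_MAGIC;
}

#define SAMPLE_LEN 68
/* Constructed sample: a bare DOS header with e_lfanew = 0x40 followed by "PE\0\0". */
void make_sample_pe(uint8_t out[SAMPLE_LEN])
{
    memset(out, 0, SAMPLE_LEN);
    out[0] = 'M'; out[1] = 'Z';
    out[E_LFANEW_OFFSET] = DOS_HEADER_SIZE;     /* e_lfanew = 0x40 (low byte; others zero) */
    out[DOS_HEADER_SIZE] = 'P'; out[DOS_HEADER_SIZE + 1] = 'E';
}

/* Runs the constructed cases a download scanner must get right; returns how many passed (4). */
int check_constructed_samples(void)
{
    uint8_t buf[SAMPLE_LEN];
    int passed = 0;
    make_sample_pe(buf);
    passed += is_pe_image(buf, SAMPLE_LEN) == 1;      /* complete image: accepted */
    passed += is_pe_image(buf, SAMPLE_LEN - 1) == 0;  /* download cut short: rejected, no overread */
    buf[E_LFANEW_OFFSET] = 0xFF;
    passed += is_pe_image(buf, SAMPLE_LEN) == 0;      /* e_lfanew points past the data: rejected */
    static const uint8_t rar[] = { 'R', 'a', 'r', '!', 0x1A, 0x07, 0x00 };
    passed += is_pe_image(rar, sizeof rar) == 0;      /* an archive, not a PE (the thread's .rar case) */
    return passed;
}
```

Only the two signatures are inspected, which is enough to decide whether a completed download should be handed to the renaming logic; anything deeper (section tables, imports) belongs in the same service, never in the minifilter's write path.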

Thank you very much, Alex. I will try your advice after thinking it over carefully.

By the way, can you give me any advice on my other problem?
I want to redirect a file between different volumes, but the SimRep sample can't do this.
How can I implement this?

Thanks.

SimRep is still the best sample to follow. The fact that it doesn’t reparse across volumes is an implementation choice. However, all you would have to do is change the volume name when building the new path for the file. In the SimRep sample when the new path for the file is built the code uses the current volume name that it gets from the FltGetFileNameInformation() call but you could put any other volume name in there and it would reparse to that volume.

Thanks,
Alex.

I deeply appreciate your timely advice.

Hi Alex.
There is an error when reparsing an IE download file according to your words “However, all you would have to do is change the volume name when building the new path for the file.” First, I use “fltmc attach simrep e:” to attach to e:, and then download a file to e:\x\y\Stud_PE.rar, which will be redirected to c:\SecureZone. But when it is almost complete, at 99%, there is an error dialog saying “Can't Copy Stud_PE[1]: File Exists” (translated by me from the actual Chinese).
Why does this happen?

Thank you.

A short time ago I tested the capability of reparsing across volumes with the original SimRep sample from the WDK, and the result is OK, as you said. But there is a strange thing. Both NewPath and OldPath contain the downloaded file, e.g. Stud_PE.rar. Why? Is the original code incorrect?

And another problem: what causes the above error -- "there will be an error dialog saying ‘Can't Copy Stud_PE[1]: File Exists’"? I just added three additional features on the basis of the original SimRep code.
First,
    // The create disposition lives in bits 24..31 of Create.Options.
    createdisposition = (Cbd->Iopb->Parameters.Create.Options >> 24) & 0xFF;
    // Skip directory opens, and skip any open that does not create or overwrite the file
    // (the original test compared the masked flag against 1; FILE_DIRECTORY_FILE happens to
    // be 0x1, but testing against zero does not depend on the flag's value).
    if ((Cbd->Iopb->Parameters.Create.Options & FILE_DIRECTORY_FILE) != 0 ||
        (createdisposition != FILE_CREATE &&
         createdisposition != FILE_OPEN_IF &&
         createdisposition != FILE_OVERWRITE_IF))
    {
        goto SimRepPreCreateCleanup;
    }

Second, filter by process name:

    // Name of the process issuing this create (LiFileSystemGetProcess is my own helper).
    LiFileSystemGetProcess(pname);
    RtlInitAnsiString(&aspron, pname);
    // AllocateDestinationString == TRUE: processname.Buffer is allocated here and must be
    // released with RtlFreeUnicodeString on the cleanup path; the NTSTATUS is not checked.
    RtlAnsiStringToUnicodeString(&processname, &aspron, TRUE);
    RtlInitUnicodeString(&ieprocessname, L"iexplore.exe");
    // Only continue for creates issued by iexplore.exe (KStr_IndexOf is my own substring
    // search; an empty process name is deliberately let through).
    if (processname.Length != 0 && KStr_IndexOf(&processname, &ieprocessname, &pos) == FALSE)
    {
        goto SimRepPreCreateCleanup;
    }

Third, filter by file extension:

    // InterceptofFileType holds the extension to redirect (without the dot).
    RtlInitUnicodeString(&fileext, InterceptofFileType);
    // Compare case-insensitively with the extension FltGetFileNameInformation parsed for us.
    if (RtlEqualUnicodeString(&nameInfo->Extension, &fileext, TRUE) == FALSE)
    {
        goto SimRepPreCreateCleanup;
    }

I don't understand why, so can anyone give me a hand?
Thanks in advance.

When you say that “Both of NewPath and OldPath have the downloaded file, e.g. Stud_PE.rar”, do you see this behavior with SimRep running or without SimRep?

Also, I don't understand why you expect that a rar file would be redirected if you only do this for PE files?

Anyway, I’m sorry but I don’t know why you get the dialog saying the file already exists. The only advice I can give you is to use ProcMon to see what is actually going on.

Thanks,
Alex.

Thank you very much, Alex.