How to read the source file during IRP_MJ_WRITE

Hi,

I am writing my first filter driver using the minifilter and I have a design
question. I need to inspect the content of files written to a particular
directory and, if they match a number of criteria, I need to fail the write.

From what I understand, I cannot fail either a CLOSE or a CLEANUP and
hence, I think, it must be done during the write. I read around that I
should roll my own READ IRP or use the FltReadFile minifilter function, but I
have not yet understood how I could link together a file being written with
its source. How do I find the FileObject or file name of the source file?

Another idea I had was to detect writes to the protected directory and keep
a copy of all write buffers in memory until I have the full file.

Is my approach flawed?

Some background information: reading the file is OK, only writing it to a
given directory is not. The source files are always on
disk/CD-ROM/memory stick/floppy; they may then be copied to a given directory.
The file names may be arbitrary. To apply the OK/not-OK criteria I need the
entire file and need to examine its content.

thank you in advance.

Marco

Hi,

Why don't you check the contents of the writes and, when your criteria
are met, just fail the next writes and erase the file when IRP_MJ_CLOSE is
completed? You have the file name through the create IRP.

Andrei


Questions? First check the IFS FAQ at https://www.osronline.com/article.cfm?id=17

You are currently subscribed to ntfsd as: xxxxx@bitdefender.com
To unsubscribe send a blank email to xxxxx@lists.osr.com


Ignorance more frequently begets confidence than does knowledge.
— Charles Darwin


This message was scanned for spam and viruses by BitDefender.
For more information please visit http://linux.bitdefender.com/

Hi Andrei

Thank you for the info. What you suggest is indeed what I was thinking about
doing: forget about the source file and focus on the file being written. My
main issue, however, is that I may need the entire file, not just portions of
it. I need to read version information from the file, and I can either do it
from user mode on the entire file or have to scan the binary file in memory.

cheers,


Marco [www.neovalens.com]


Marco Peretti wrote:

Hi Andrei

Thank you for the info. What you suggest is indeed what I was thinking about
doing: forget about the source file and focus on the file being written. My
main issue, however, is that I may need the entire file, not just portions of
it. I need to read version information from the file, and I can either do it
from user mode on the entire file or have to scan the binary file in memory.

cheers,

You can keep some state associated with each of the files of interest.
You don't need to have/read all the data in the file, just scan for the
information that you need and update the state accordingly.


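The design Andrei describes in his two replies (inspect each write as it arrives, keep per-file state, fail every write from the moment the criterion is met, and remove the file at cleanup/close because the earlier writes are already on disk) can be prototyped in user mode before it goes into a minifilter. The following is an added example written for this thread, not code from either poster. It assumes a constructed criterion ("the file being written is a PE image", i.e. "MZ" at offset 0 and "PE\0\0" at e_lfanew) standing in for Marco's real version-information check, and it retains only the first 4 KiB of each file rather than the whole content, which is exactly the point of the advice. In a real filter the `file_state_t` would be a stream context attached in post-create, `on_write` would be called from the pre-write callback with `Iopb->Parameters.Write.ByteOffset` and the write buffer, and a DENY verdict would be returned as `FLT_PREOP_COMPLETE` with `STATUS_ACCESS_DENIED`. One caveat worth keeping in mind: data written through a memory-mapped section reaches IRP_MJ_WRITE as paging I/O, possibly after the handle's CLEANUP, so the state must accept writes at arbitrary offsets and must not be tied to a single handle.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Bytes of the file head retained per file. e_lfanew normally points well inside this. */
#define HEAD_WINDOW 4096

typedef enum { VERDICT_UNDECIDED = 0, VERDICT_ALLOW = 1, VERDICT_DENY = 2 } verdict_t;

/* Per-file state. In a minifilter this would live in a stream context
   (FltAllocateContext/FltSetStreamContext) attached at post-create. */
typedef struct {
    uint8_t head[HEAD_WINDOW];
    uint8_t seen[HEAD_WINDOW];  /* 1 once that offset has been written */
    int     denied;             /* sticky: once set, every later write is failed */
} file_state_t;

void file_state_init(file_state_t *s) { memset(s, 0, sizeof *s); }

static int have_range(const file_state_t *s, uint32_t off, uint32_t len) {
    if (off > HEAD_WINDOW || len > HEAD_WINDOW - off) return 0;
    for (uint32_t i = 0; i < len; i++)
        if (!s->seen[off + i]) return 0;
    return 1;
}

/* Criterion used for this example (constructed, not the poster's real rule): deny if the
   file is a PE image, i.e. "MZ" at offset 0 and "PE\0\0" at e_lfanew (u32 LE at 0x3C). */
static verdict_t evaluate(const file_state_t *s) {
    if (!have_range(s, 0, 2)) return VERDICT_UNDECIDED;
    if (s->head[0] != 'M' || s->head[1] != 'Z') return VERDICT_ALLOW;
    if (!have_range(s, 0x3C, 4)) return VERDICT_UNDECIDED;
    uint32_t e_lfanew = (uint32_t)s->head[0x3C] | ((uint32_t)s->head[0x3D] << 8) |
                        ((uint32_t)s->head[0x3E] << 16) | ((uint32_t)s->head[0x3F] << 24);
    /* PE header beyond the retained window: this example cannot decide; a real
       filter would retain a second region around e_lfanew. */
    if (e_lfanew > HEAD_WINDOW - 4) return VERDICT_UNDECIDED;
    if (!have_range(s, e_lfanew, 4)) return VERDICT_UNDECIDED;
    return memcmp(s->head + e_lfanew, "PE\0\0", 4) == 0 ? VERDICT_DENY : VERDICT_ALLOW;
}

/* One call per write, as a pre-write callback sees it: byte offset plus buffer.
   Writes may arrive in any order; only the part inside the head window is kept.
   Returns the verdict for THIS write; DENY means fail it. */
verdict_t on_write(file_state_t *s, uint64_t offset, const uint8_t *buf, uint32_t len) {
    if (s->denied) return VERDICT_DENY;
    if (offset < HEAD_WINDOW) {
        uint32_t start = (uint32_t)offset;
        uint32_t n = len;
        if (n > HEAD_WINDOW - start) n = HEAD_WINDOW - start;
        memcpy(s->head + start, buf, n);
        memset(s->seen + start, 1, n);
    }
    verdict_t v = evaluate(s);
    if (v == VERDICT_DENY) s->denied = 1;
    return v;
}

/* At cleanup/close: the writes that preceded the verdict are already on disk,
   so the file has to be removed, as the reply above suggests. */
int file_state_should_delete(const file_state_t *s) { return s->denied; }

/* Constructed sample contents (not real files): a minimal PE-shaped image with
   e_lfanew = 0x80, and a plain text file. Both are 256 bytes. */
#define SAMPLE_LEN 256
static void build_sample(int is_pe, uint8_t *buf) {
    memset(buf, 0, SAMPLE_LEN);
    if (is_pe) {
        buf[0] = 'M'; buf[1] = 'Z';
        buf[0x3C] = 0x80;                 /* e_lfanew, little-endian */
        memcpy(buf + 0x80, "PE\0\0", 4);
    } else {
        memcpy(buf, "just some text\n", 15);
    }
}

/* Replays the sample as sequential writes of `chunk` bytes, the way a copy would.
   Returns the zero-based index of the first write that was denied, or -1. */
int replay_sample(int is_pe, uint32_t chunk) {
    uint8_t buf[SAMPLE_LEN];
    file_state_t st;
    build_sample(is_pe, buf);
    file_state_init(&st);
    int idx = 0;
    for (uint32_t off = 0; off < SAMPLE_LEN; off += chunk, idx++) {
        uint32_t n = (SAMPLE_LEN - off < chunk) ? SAMPLE_LEN - off : chunk;
        if (on_write(&st, off, buf + off, n) == VERDICT_DENY) return idx;
    }
    return -1;
}

int main(void) {
    printf("PE copied in 64-byte writes: first denied write = %d\n", replay_sample(1, 64));
    printf("PE copied in one write:      first denied write = %d\n", replay_sample(1, 256));
    printf("Text file, 64-byte writes:   first denied write = %d\n", replay_sample(0, 64));
    return 0;
}
```

The verdict is re-evaluated after every write rather than once, so a file whose head is rewritten later (for example "MZ" patched in after the first pass) is still caught, and the sticky `denied` flag is what turns "fail the next writes" into a property of the file rather than of one particular write.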