Identifying File copy

OSR_Community_User · February 3, 2005, 7:44am

Hi,

I am developing file system filter driver for Windows 2000/xp where I need
to identify copies of a file i.e when ever a user says ctrl+c and ctrl+v of
a file the filter driver needs to identify that there is a file created
which is a copy of some ‘x’ file. Is it

Any information is helpful.

Thanx,
Kedar.

OSR_Community_User · February 3, 2005, 8:53am

Hi,

I am developing file system filter driver for Windows 2000/xp where I need
to identify copies of a file i.e when ever a user says ctrl+c and ctrl+v of
a file the filter driver needs to identify that there is a file created
which is a copy of some ‘x’ file. Is it

Any information is helpful.

Thanx,
Kedar.

Questions? First check the IFS FAQ at https://www.osronline.com/article.cfm?id=17

You are currently subscribed to ntfsd as: xxxxx@helpco.kiev.ua
To unsubscribe send a blank email to xxxxx@lists.osr.com

OSR_Community_User · February 3, 2005, 10:39am

Hi,

I am developing file system filter driver for Windows 2000/xp where I need
to identify copies of a file i.e when ever a user says ctrl+c and ctrl+v of
a file the filter driver needs to identify that there is a file created
which is a copy of some ‘x’ file. Is it

Any information is helpful.

Thanx,
Kedar.

Questions? First check the IFS FAQ at https://www.osronline.com/article.cfm?id=17

You are currently subscribed to ntfsd as: xxxxx@helpco.kiev.ua
To unsubscribe send a blank email to xxxxx@lists.osr.com

Questions? First check the IFS FAQ at https://www.osronline.com/article.cfm?id=17

You are currently subscribed to ntfsd as: xxxxx@helpco.kiev.ua
To unsubscribe send a blank email to xxxxx@lists.osr.com

Matt_Wu · February 4, 2005, 3:27am

You’d better use a napi hook in user mode, rather than a kernel file system filter.

Matt

“kedar” wrote: xxxxx@ntfsd…
> Hi,
>
> I am developing file system filter driver for Windows 2000/xp where I need
> to identify copies of a file i.e when ever a user says ctrl+c and ctrl+v of
> a file the filter driver needs to identify that there is a file created
> which is a copy of some ‘x’ file. Is it
>
> Any information is helpful.
>
> Thanx,
> Kedar.

Marc-Antoine_Ruel · February 7, 2005, 10:05am

Anything you will try WILL be defeated.

Like Matt said, hooks in user mode is the first step to trap the normal copy
operation.

But just think about:
more file1 > file2

Like Don Burn would usually say, just tell me what software are you creating
so I everyone I know never install it.

In fact, after some though, it would be possible with only filter drivers
(no hook) with a quite hard overhead.

Track every open on your protected files and mark the corresponding
processes.
From that point, scan every write from those processes on every drive with
a byte-per-byte compare.
You could try this on file close so it doesn’t tax as much the system.
(But still…)
A simple zip will escape your detection anyway. I imagine that wasn’t your
goal. So just refuse any open on the file, that will fix the problem.

Good luck.

M-A fells ironic today.

“kedar” a écrit dans le message de news:
xxxxx@ntfsd…
> Hi,
>
> I am developing file system filter driver for Windows 2000/xp where I need
> to identify copies of a file i.e when ever a user says ctrl+c and ctrl+v
> of
> a file the filter driver needs to identify that there is a file created
> which is a copy of some ‘x’ file. Is it
>
> Any information is helpful.
>
> Thanx,
> Kedar.
>
>
>