intercepting data read by notepad.exe

hi,

I am trying to intercept data read by notepad.exe in my minifilter driver…

And I tried to print the name of the file before it gets mapped, using the FsRtlRegisterFileSystemFilterCallbacks() routine in my DriverEntry.
But it is not working… my code is as shown…

FS_FILTER_CALLBACKS FsFilterCallbacks;
NTSTATUS status;

/* Zero the structure so any callback slot we do not set stays NULL. */
RtlZeroMemory(&FsFilterCallbacks, sizeof(FS_FILTER_CALLBACKS));
FsFilterCallbacks.SizeOfFsFilterCallbacks = sizeof(FS_FILTER_CALLBACKS);
FsFilterCallbacks.PreAcquireForSectionSynchronization  = SfPreFsFilterPassThrough;
FsFilterCallbacks.PostAcquireForSectionSynchronization = SfPostFsFilterPassThrough;
FsFilterCallbacks.PreReleaseForSectionSynchronization  = SfPreFsFilterPassThrough;
FsFilterCallbacks.PostReleaseForSectionSynchronization = SfPostFsFilterPassThrough;
FsFilterCallbacks.PreAcquireForCcFlush  = SfPreFsFilterPassThrough;
FsFilterCallbacks.PostAcquireForCcFlush = SfPostFsFilterPassThrough;
FsFilterCallbacks.PreReleaseForCcFlush  = SfPreFsFilterPassThrough;
FsFilterCallbacks.PostReleaseForCcFlush = SfPostFsFilterPassThrough;
FsFilterCallbacks.PreAcquireForModifiedPageWriter  = SfPreFsFilterPassThrough;
FsFilterCallbacks.PostAcquireForModifiedPageWriter = SfPostFsFilterPassThrough;
FsFilterCallbacks.PreReleaseForModifiedPageWriter  = SfPreFsFilterPassThrough;
FsFilterCallbacks.PostReleaseForModifiedPageWriter = SfPostFsFilterPassThrough;

status = FsRtlRegisterFileSystemFilterCallbacks(DriverObject, &FsFilterCallbacks);
if (!NT_SUCCESS(status))
{
    DbgPrint("failed to register FilterCallbacks\n");
}

and my pre and post routines are…

NTSTATUS
SfPreFsFilterPassThrough (
    IN PFS_FILTER_CALLBACK_DATA Data,
    OUT PVOID *CompletionContext
    )
{
    UNREFERENCED_PARAMETER(CompletionContext);

    DbgPrint("in SfPreFsFilterPassThrough\n");

    if (NULL != Data->FileObject) {
        /* %wZ expects a pointer to a UNICODE_STRING, not the structure by value. */
        DbgPrint("File object is %wZ\n", &Data->FileObject->FileName);
    }

    return STATUS_SUCCESS;
}

VOID
SfPostFsFilterPassThrough (
    IN PFS_FILTER_CALLBACK_DATA Data,
    IN NTSTATUS OperationStatus,
    IN PVOID CompletionContext
    )
{
    UNREFERENCED_PARAMETER(Data);
    UNREFERENCED_PARAMETER(OperationStatus);
    UNREFERENCED_PARAMETER(CompletionContext);

    DbgPrint("in SfPostFsFilterPassThrough\n");
}

any help please…
thanks…

On 8/6/2010 4:47 AM, xxxxx@gmail.com wrote:

hi,

I am trying to intercept data read by notepad.exe in my minifilter driver…

And I tried to print the name of the file before it gets mapped, using the FsRtlRegisterFileSystemFilterCallbacks() routine in my DriverEntry.
But it is not working… my code is as shown…

First, there is no need to do both, register the callbacks via the FsRtl
calls AND register for a callback in the mini-filter registration table.
You can simply perform the latter, set up entry points in your callback
table and that is enough. Also, you don’t return an NTSTATUS from your
pre/post routines, you return FLT status codes, read the docs on this.

Second, if you are sitting on NTFS then the file object which is used to
initialize caching is a stream file object. Thus the name within this
file object will not be valid and if you are trying to print the name of
the file from the file object during a paging read/write then it won’t
work. Instead I suggest you allocate a STREAM_CONTEXT during post create
for the files you are interested in tracking. Get the name at that point
and then during the IO operation, retrieve the context and print the
name from your stream context.

There are so many things which could be affecting the processing you are
attempting. Fix these things and then move on to the next step.

Pete



NTFSD is sponsored by OSR

For our schedule of debugging and file system seminars
(including our new fs mini-filter seminar) visit:
http://www.osr.com/seminars

To unsubscribe, visit the List Server section of OSR Online at http://www.osronline.com/page.cfm?name=ListServer


Kernel Drivers
Windows File System and Device Driver Consulting
www.KernelDrivers.com
866.263.9295

Thanks for your response, sir…

I have to study more… expecting your help in the future…

hi,

As you said, I had registered twice… using FltRegisterFilter and FsRtlRegisterFileSystemFilterCallbacks in my DriverEntry().

What I am trying to do is decrypt an encrypted *.txt while it is being read from a CD-ROM.

I am using the SwapBuffers sample and it is working well for files such as .htm, .html, etc. (which I think use buffered I/O).

I am trying to extend my program to .doc and .txt files… (which use memory mapped I/O).

My doubts are…

  1. Is it possible with FltRegisterFilter(…) to capture memory mapped I/O?

  2. Why am I missing Notepad files without putting the flags FLTFL_OPERATION_REGISTRATION_SKIP_CACHED_IO
     and FLTFL_OPERATION_REGISTRATION_SKIP_PAGING_IO in my _FLT_OPERATION_REGISTRATION structure…

  3. Is this assumption right…

save the “file names” and “Handle” at precreate

try to decrypt it at the PreOperation callback routine for IRP_MJ_ACQUIRE_FOR_SECTION_SYNCHRONIZATION with the saved handles

Please give me some advice…

I am a novice to this area.

thanks…

> I am a novice to this area.

Good luck. Without sounding too downbeat, you are attempting one of the
hardest things there are in Windows kernel programming. It is usually
stated that a skilled practitioner can have an alpha level decryption
product in 12 man months. You should allow at least 6 calendar months to go
up the learning cliff. I’d also suggest that you get your manager to send
you on the excellent OSR training course.

  1. Is it possible with FltRegisterFilter(…) to capture memory
     mapped I/O?

Yes. There are some things that minifilters cannot do, but they are hidden in
nasty dark corners and you shouldn’t have to worry about them. Paging IO is
meat and drink to a minifilter.

  2. Why am I missing Notepad files without putting the flags
     FLTFL_OPERATION_REGISTRATION_SKIP_CACHED_IO
     and FLTFL_OPERATION_REGISTRATION_SKIP_PAGING_IO in my
     _FLT_OPERATION_REGISTRATION structure…

Because Notepad relies on paging IO.

  3. Is this assumption right…

save the “file names” and “Handle” at precreate

I wouldn’t. You are making a huge amount of work for yourself. The FltMgr
APIs allow you to get the file name and there is support for caching in
there (so, at least in theory, you’ll win if any other filesystem filter
needs filenames as well *and* you get to not write the code).

try to decrypt it at the PreOperation callback routine for
IRP_MJ_ACQUIRE_FOR_SECTION_SYNCHRONIZATION with the saved handles

No, as Pete said:

Second, if you are sitting on NTFS then the file object which is used to
initialize caching is a stream file object

This means you will never see the CREATE for the file object that a whole
bunch of operations happen on, so you’ll not know the name.

Please give me some advice…

Do not worry about FileObjects and StreamHandleContexts for this. Rely on
Fltmgr to manage the name caching and on StreamContexts for things which are
per file. StreamHandleContexts really should be about that particular
open…

Also http://www.osronline.com/article.cfm?article=565

Finally. One of the traps in filesystem development is to assume that
because one thing works, you are nearly done. Unless your architecture is
correct and you know of all the dark little corners you may find that you
have barely started…

Once again, good luck.
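Pete's suggestion (get the name in post-create, keep it in a stream context, look it up during the I/O) and the advice above to let FltMgr do the name work come together in the following minifilter fragment. It is an added example written for this thread, not code from the original posters or from any WDK sample; MY_STREAM_CONTEXT, MyPostCreate, MyPreRead and the pool tag are assumed names, the file system is assumed to support stream contexts, and the fragment builds only with the WDK (the two tables are the ones passed in FLT_REGISTRATION to FltRegisterFilter).

```c
#include <fltKernel.h>
// Hypothetical per-stream context: the name sits in the same allocation (no cleanup callback needed).
typedef struct _MY_STREAM_CONTEXT { UNICODE_STRING Name; WCHAR NameBuf[1]; } MY_STREAM_CONTEXT, *PMY_STREAM_CONTEXT;

// Post-create is the one place the name is reliable. The context hangs off the stream (FsContext), so it
// is found later even via the stream file object the cache manager creates (which never sees a CREATE).
static FLT_POSTOP_CALLBACK_STATUS MyPostCreate(PFLT_CALLBACK_DATA Data, PCFLT_RELATED_OBJECTS FltObjects,
                                               PVOID CompletionContext, FLT_POST_OPERATION_FLAGS Flags)
{
    PFLT_FILE_NAME_INFORMATION nameInfo = NULL;
    PMY_STREAM_CONTEXT ctx = NULL;
    UNREFERENCED_PARAMETER(CompletionContext);
    if (!NT_SUCCESS(Data->IoStatus.Status) || FlagOn(Flags, FLTFL_POST_OPERATION_DRAINING) ||
        !NT_SUCCESS(FltGetFileNameInformation(Data, FLT_FILE_NAME_NORMALIZED | FLT_FILE_NAME_QUERY_DEFAULT,
                                              &nameInfo))) {
        return FLT_POSTOP_FINISHED_PROCESSING;
    }
    if (NT_SUCCESS(FltAllocateContext(FltObjects->Filter, FLT_STREAM_CONTEXT,
                                      FIELD_OFFSET(MY_STREAM_CONTEXT, NameBuf) + nameInfo->Name.Length,
                                      NonPagedPool, (PFLT_CONTEXT *)&ctx))) {
        RtlInitEmptyUnicodeString(&ctx->Name, ctx->NameBuf, nameInfo->Name.Length);
        RtlCopyUnicodeString(&ctx->Name, &nameInfo->Name);
        // KEEP_IF_EXISTS: a racing create on the same stream may already have attached a context.
        FltSetStreamContext(FltObjects->Instance, FltObjects->FileObject, FLT_SET_CONTEXT_KEEP_IF_EXISTS,
                            ctx, NULL);
        FltReleaseContext(ctx);                        // drop the allocation reference either way
    }
    FltReleaseFileNameInformation(nameInfo);
    return FLT_POSTOP_FINISHED_PROCESSING;
}

// Pre-read works for cached, non-cached and paging reads alike, because the name comes from the
// stream context rather than from FltObjects->FileObject->FileName.
static FLT_PREOP_CALLBACK_STATUS MyPreRead(PFLT_CALLBACK_DATA Data, PCFLT_RELATED_OBJECTS FltObjects,
                                           PVOID *CompletionContext)
{
    PMY_STREAM_CONTEXT ctx = NULL;
    UNREFERENCED_PARAMETER(CompletionContext);
    if (NT_SUCCESS(FltGetStreamContext(FltObjects->Instance, FltObjects->FileObject, (PFLT_CONTEXT *)&ctx))) {
        DbgPrint("%s read on %wZ\n", FlagOn(Data->Iopb->IrpFlags, IRP_PAGING_IO) ? "paging" : "non-paging",
                 &ctx->Name);
        FltReleaseContext(ctx);
    }
    return FLT_PREOP_SUCCESS_NO_CALLBACK;
}

static const FLT_CONTEXT_REGISTRATION Contexts[] = {
    { FLT_STREAM_CONTEXT, 0, NULL, FLT_VARIABLE_SIZED_CONTEXTS, 'xtCS' }, { FLT_CONTEXT_END } };
// No FLTFL_OPERATION_REGISTRATION_SKIP_*_IO flags: Notepad's reads arrive as paging I/O and must be seen.
static const FLT_OPERATION_REGISTRATION Callbacks[] = {
    { IRP_MJ_CREATE, 0, NULL, MyPostCreate }, { IRP_MJ_READ, 0, MyPreRead, NULL }, { IRP_MJ_OPERATION_END } };
```

The same FltGetStreamContext lookup works from a pre-callback for IRP_MJ_ACQUIRE_FOR_SECTION_SYNCHRONIZATION, which is why the saved-handle table from question 3 is unnecessary.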

thanks for your response and encouragement …