Minifilter Scanner - Block files

Hi All,

I'm using the minifilter scanner sample program in order to block all files of a specific type.
In the scanner program I send for a check all the files that are called by user mode:

    if (Data->RequestorMode == 1)   /* 1 == UserMode */
    {
        scanFile = TRUE;
    }

The block is supposed to be on a specific type.
The block will be by the hex signature.
So for example, the PNG hex signature is:
89 50 4E 47 0D 0A 1A 0A
So basically, in the scanUser program I perform the following check on the Buffer:

    if (Buffer[0] == 0x89 && Buffer[1] == 0x50 && Buffer[2] == 0x4E && Buffer[3] == 0x47 && Buffer[4] == 0x0D && Buffer[5] == 0x0A)
    {
        printf(" found png");
        return TRUE;
    }

The good news is that I do catch all PNG files in the ScannerPostCreate routine. I also see it in DebugView.
The bad news is that it doesn't always block the files from opening. If I open a few PNGs with the Windows Photos application, certain PNG files are not getting opened (as expected), but others are getting opened. This is not happening randomly.
If I open them with Paint.exe, it blocks all PNGs (as expected).

How come with the Windows Photos application it doesn't block all PNG files?
My final result is supposed to be a block of certain files by their hex value. Is there a better way to implement this?

Thanks for the help.
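As an added example (not code from the original post or from the scanner sample), the following user-mode C check generalises the PNG test above to a small table of magic-byte signatures and compares the full 8-byte PNG signature rather than the first six bytes. It also checks the buffer length before comparing, so a short read can never be compared past its end. Only the PNG signature comes from the post; the JPEG and GIF entries are well-known values added here for illustration, and the sample buffers are constructed.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* One entry of the signature table: the bytes a file of that type starts
 * with, and the offset at which they appear. */
typedef struct {
    const char *name;
    size_t offset;
    const unsigned char *magic;
    size_t magic_len;
} FileSignature;

/* Full 8-byte PNG signature as given in the post. */
static const unsigned char PNG_MAGIC[]  = {0x89, 0x50, 0x4E, 0x47, 0x0D, 0x0A, 0x1A, 0x0A};
/* Well-known JPEG (SOI marker) and GIF ("GIF8") prefixes, added for illustration. */
static const unsigned char JPEG_MAGIC[] = {0xFF, 0xD8, 0xFF};
static const unsigned char GIF_MAGIC[]  = {'G', 'I', 'F', '8'};

static const FileSignature SIGNATURES[] = {
    {"png",  0, PNG_MAGIC,  sizeof PNG_MAGIC},
    {"jpeg", 0, JPEG_MAGIC, sizeof JPEG_MAGIC},
    {"gif",  0, GIF_MAGIC,  sizeof GIF_MAGIC},
};

/* Returns the name of the first matching signature, or NULL when none
 * matches. The length check comes first: a buffer shorter than a
 * signature can never match it, and is never read past its end. */
const char *MatchSignature(const unsigned char *buf, size_t len)
{
    size_t i;
    for (i = 0; i < sizeof SIGNATURES / sizeof SIGNATURES[0]; i++) {
        const FileSignature *s = &SIGNATURES[i];
        if (len < s->offset + s->magic_len)
            continue;
        if (memcmp(buf + s->offset, s->magic, s->magic_len) == 0)
            return s->name;
    }
    return NULL;
}

/* Policy decision used by the scanner: 1 means deny the open, 0 means
 * the file is safe to open. */
int ShouldBlock(const unsigned char *buf, size_t len)
{
    return MatchSignature(buf, len) != NULL;
}

/* Constructed sample buffers (not real files) for the demonstration below. */
const unsigned char SAMPLE_PNG[] = {0x89, 'P', 'N', 'G', 0x0D, 0x0A, 0x1A, 0x0A,
                                    0x00, 0x00, 0x00, 0x0D, 'I', 'H', 'D', 'R'};
/* Only the first six signature bytes: the post's check would accept this,
 * the full-signature check does not. */
const unsigned char SAMPLE_PNG_SHORT[] = {0x89, 'P', 'N', 'G', 0x0D, 0x0A};
const unsigned char SAMPLE_JPEG[] = {0xFF, 0xD8, 0xFF, 0xE0, 0x00, 0x10};
const unsigned char SAMPLE_TEXT[] = "hello";

int main(void)
{
    const char *m;
    m = MatchSignature(SAMPLE_PNG, sizeof SAMPLE_PNG);
    printf("SAMPLE_PNG       -> %s\n", m ? m : "no match");
    m = MatchSignature(SAMPLE_PNG_SHORT, sizeof SAMPLE_PNG_SHORT);
    printf("SAMPLE_PNG_SHORT -> %s\n", m ? m : "no match");
    m = MatchSignature(SAMPLE_JPEG, sizeof SAMPLE_JPEG);
    printf("SAMPLE_JPEG      -> %s\n", m ? m : "no match");
    m = MatchSignature(SAMPLE_TEXT, sizeof SAMPLE_TEXT);
    printf("SAMPLE_TEXT      -> %s\n", m ? m : "no match");
    return 0;
}
```

In the scanner's user-mode component the buffer passed in would be the bytes read from the start of the file; the table can be extended with any further type to be blocked without touching the comparison logic.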

I would guess that you are missing opens for some reason due to your
logic. I would suggest to filter requests going to your filter using
FileSpy and see which ones are succeeding. Additionally you could add
trace to your filter to dump out the names of files you are NOT scanning
due to your decisions and see if you are missing them for some reason.

Pete


Kernel Drivers
Windows File System and Device Driver Consulting
www.KernelDrivers.com
866.263.9295

------ Original Message ------
From: xxxxx@gmail.com
To: “Windows File Systems Devs Interest List”
Sent: 12/28/2016 10:26:06 AM
Subject: [ntfsd] Minifilter Scanner - Block files


Is this code for a read request processing?

If your filter initiates scanning in read request processing then the problem has an obvious explanation - you do not process memory mapped files.

@Slava Imameev,

Thanks for reply.
Currently I only have IRP_MJ_CREATE.
According to MSDN:
The I/O Manager sends the IRP_MJ_CREATE request when a new file or directory is being created, or when an existing file, device, directory, or volume is being opened.

Which I understand as: check within the callback whether the file is a PNG and block it if it is.

    FltCancelFileOpen( FltObjects->Instance, FltObjects->FileObject );
    Data->IoStatus.Status = STATUS_ACCESS_DENIED;
    Data->IoStatus.Information = 0;

Am I missing something?
Am I supposed to also register a callback for IRP_MJ_READ?

Hi !

I just noticed: PNG files I created myself on my computer get opened with the Windows Photos application, BUT! PNG files I download from the internet DO NOT get opened by the Windows Photos application.

Any idea how to fix it? How to block the files I created myself?

In this light, you have an incorrect implementation for IRP_MJ_CREATE. Your filter should have observed at least one IRP_MJ_CREATE for every file opened from a user application. You should not filter by process name as a file handle can be duplicated from another user process.

I’m not sure what you mean filter by process name… I don’t do that.

When I open the PNG file I created earlier, I do see it in the debug viewer printing "Blocking", but it doesn't block.
Here's my implementation for the IRP_MJ_CREATE post callback:

    FLT_POSTOP_CALLBACK_STATUS returnStatus = FLT_POSTOP_FINISHED_PROCESSING;
    PFLT_FILE_NAME_INFORMATION nameInfo = NULL;
    NTSTATUS status;
    BOOLEAN scanFile = FALSE;
    BOOLEAN safeToOpen = TRUE;

    status = FltGetFileNameInformation( Data,
                                        FLT_FILE_NAME_NORMALIZED |
                                        FLT_FILE_NAME_QUERY_DEFAULT,
                                        &nameInfo );

    if (!NT_SUCCESS( status )) {

        return FLT_POSTOP_FINISHED_PROCESSING;
    }

    FltParseFileNameInformation( nameInfo );
    /* %wZ expects a pointer to the UNICODE_STRING, not the structure by value. */
    DbgPrint( "TEST %wZ\n", &nameInfo->Name );
    FltReleaseFileNameInformation( nameInfo );

    /* Only scan opens issued from user mode (UserMode == 1). */
    if (Data->RequestorMode == UserMode)
    {
        scanFile = TRUE;
    }
    else
    {
        return FLT_POSTOP_FINISHED_PROCESSING;
    }

    (VOID) ScannerpScanFileInUserMode( FltObjects->Instance,
                                       FltObjects->FileObject,
                                       &safeToOpen );

    if (!safeToOpen) {

        /* Cancel the open and fail the create with STATUS_ACCESS_DENIED. */
        FltCancelFileOpen( FltObjects->Instance, FltObjects->FileObject );
        DbgPrint( "Blocking\n" );
        Data->IoStatus.Status = STATUS_ACCESS_DENIED;
        Data->IoStatus.Information = 0;

        returnStatus = FLT_POSTOP_FINISHED_PROCESSING;
    }

I think you are not telling the full story.

Did you mean that for each create you saw “Blocking” message and it still didn’t block? Was there any “create” without “blocking” in the log?

Were these files created when a filter was active? Did you open them just after creating or after rebooting the PC? How did you create them?

What happened when you removed this condition?

Thanks for reply.

I did a restart, created a new PNG file with Paint and only then loaded the driver, and it blocked my file as expected.

You said before 'you do not process memory mapped files'.
So maybe this is the problem?

This can’t be the problem for create requests filtering.

In your tests you are doing something you consider unimportant but this is the actual reason your filter is unable to perform as expected. Get rid of if(Data->RequestorMode == 1) for test purposes.

Same results.

There are 2 PNG files which I made myself with Paint and saved as PNG a long time ago.
ONLY with the Windows Photos application does it happen, and only with those 2 files.
If I try to edit/rename/delete or do any other operation (besides opening with the Windows Photos application), it blocks the operation and works as expected.

So I assume this is something related to the Windows Photos application which causes the problem.

Do you see ANY opens for the PNGs during this activity?

I have no idea what the Photos application does, but it could be that it’s
showing you thumbnails that were generated as part of some earlier open when
your filter wasn’t active (or working). Check with Process Monitor to see if
the PNGs are actually being opened.

-scott
OSR
@OSRDrivers
