Path name of file source

My scanner filter is attached to my USB drive volume. I want to scan any writes to the drive and block it if the file is infected. I got the name of the file in PostCreate. In PostCreate, the normalized file name in the file name structure \Device\Harddisk1\DP(1)0-0+5..xxx.txt which is the path on the drive itself. However, when I pass it to the user land scanner, I need the full source path of the file being copied into the drive. How do I get it?

\Device.… is the full source path. I assume that you want the msdos name
which has a symbolic link to the device (c:\ -> \Device..). You can use
IoQueryFileDosDeviceName or have the application look it up with the
QueryDosDevice function.

Bill Wandel

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of
xxxxx@yahoo.com
Sent: Saturday, December 12, 2009 12:13 AM
To: Windows File Systems Devs Interest List
Subject: [ntfsd] Path name of file source

My scanner filter is attached to my USB drive volume. I want to scan any
writes to the drive and block it if the file is infected. I got the name of
the file in PostCreate. In PostCreate, the normalized file name in the file
name structure \Device\Harddisk1\DP(1)0-0+5..xxx.txt which is the path on
the drive itself. However, when I pass it to the user land scanner, I need
the full source path of the file being copied into the drive. How do I get
it?


The full name I get in PostCreate() is \Device\Harddisk1\DP(1)0-0+7\test.txt - but \Device\Harddisk1\DP(1)0-0+7\ is the USB drive volume name. I am copying from C:\Documents\test.txt to this USB drive. How can I get the pathname C:\Documents\test.txt? That’s the one I need to pass to the scanner for scanning, not the full path of the destination.

I am sorry, but you are not going to like the answer.

If a file is copied from a first volume (perhaps “C:”) to a second volume
(perhaps USB) and you have a filter attached only to the second volume,
there is no way at all for your filter to have knowledge of file operations
on the first volume.

If you will attach your filter to both the first and second volumes then you
will be able to observe file operations on both volumes. What you will see
here is a file being opened on the first volume, and read, and a file being
opened on the second volume, and written. I do not believe you will be
able to form the relationship between the file object on the second volume
and the file object on the first volume.

So I am afraid it’s back to the drawing board time for you. Here is a
suggestion for a different kind of picture - when the file which has been
written on the second volume (USB drive) is being closed (IRP_MJ_CLEANUP),
now scan that file.

Good luck,
Lyndon

wrote in message news:xxxxx@ntfsd…
> My scanner filter is attached to my USB drive volume. I want to scan any
> writes to the drive and block it if the file is infected. I got the name
> of the file in PostCreate. In PostCreate, the normalized file name in the
> file name structure \Device\Harddisk1\DP(1)0-0+5..xxx.txt which is the
> path on the drive itself. However, when I pass it to the user land
> scanner, I need the full source path of the file being copied into the
> drive. How do I get it?
>

Thanks Lyndon. The final goal is to not even permit a file to be written/created to the USB drive if the scan failed and the file is infected. Hence I guess my only option would be to attach to all volumes present on the host. Because the file could be copied to the USB drive from anywhere.

I was trying to avoid the scenario wherein I have to scan infected files on all the volumes on the system - but I guess there is no way to avoid that?

Any idea if this is how malware protection on commercial encrypted USB drives is also implemented?

> Any idea if this is how malware protection on commercial encrypted USB drives is also implemented?

Most have no malware protection, and rely on usual antivirus for this.


Maxim S. Shatskih
Windows DDK MVP
xxxxx@storagecraft.com
http://www.storagecraft.com

Okay, so given that I got the normalized name like \Device\HarddiskVolume1\Documents and
Settings\My Documents\test.txt, how do I get the DOS path name like
C:\Documents and Settings\My Documents\test.txt?

QueryDosDevice() as suggested above errors out.

The very best thing in your driver is to parse the name using the FltMgr
API. Get the volume GUID and pass the volume as GUID and file name relative
to volume up to your user mode thing. Your user mode thing can proceed from
there. Yet, having written this, what about a rename in the meantime? Maybe
get the NTFS file reference number, if you are atop NTFS?

wrote in message news:xxxxx@ntfsd…
> okay, so given that I got the normalized name like
> \Device\HarddiskVolume1\Documents and
> Settings\My Documents\test.txt, how do I get the DOS path name like
> C:\Documents and Settings\My Documents\test.txt?
>
> QueryDosDevice() as suggested above errors out.
>
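As an added illustration (not code from this thread or from any of its posters), here is a standalone C sketch of the user-mode side of the approach suggested above: the filter hands up the volume plus the volume-relative name, and the user-mode scanner maps the volume to a drive letter with a table it built itself. In real use that table comes from enumerating MS-DOS device names (QueryDosDevice with a NULL device name lists them, and QueryDosDevice("C:", ...) returns the \Device\... target of each); here it is a constructed sample so the code runs anywhere, and all function names are assumed.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample of the device -> drive-letter table a user-mode
 * helper could build from QueryDosDevice enumeration. The USB volume
 * named in the thread has no drive letter, so it is absent on purpose. */
static const struct { const char *device; const char *dos; } g_map[] = {
    { "\\Device\\HarddiskVolume1", "C:" },
    { "\\Device\\HarddiskVolume2", "D:" },
};

/* Map a normalized name such as "\Device\HarddiskVolume1\Documents and
 * Settings\My Documents\test.txt" to "C:\Documents and Settings\...".
 * The match is "<device>\" as a prefix, so a volume name made of several
 * components (e.g. \Device\Harddisk1\DP(1)0-0+7) is never split at the
 * wrong backslash, and HarddiskVolume10 does not match HarddiskVolume1.
 * Returns 0 on success, -1 if the volume has no MS-DOS name or the
 * output buffer is too small. */
int to_dos_path(const char *name, char *out, size_t out_len)
{
    size_t i;
    for (i = 0; i < sizeof g_map / sizeof g_map[0]; i++) {
        size_t dl = strlen(g_map[i].device);
        if (strncmp(name, g_map[i].device, dl) == 0 && name[dl] == '\\') {
            int n = snprintf(out, out_len, "%s%s", g_map[i].dos, name + dl);
            return (n < 0 || (size_t)n >= out_len) ? -1 : 0;
        }
    }
    return -1; /* caller falls back to volume + relative name */
}

/* Convenience wrapper: the DOS path in a static buffer, or NULL. */
const char *dos_path_or_null(const char *name)
{
    static char buf[512];
    return to_dos_path(name, buf, sizeof buf) == 0 ? buf : NULL;
}

/* The piece the filter itself can always supply: the path relative to
 * the volume it is attached to (what FltParseFileNameInformation splits
 * off). Returns the relative part, or NULL if name is not on vol_prefix. */
const char *volume_relative(const char *name, const char *vol_prefix)
{
    size_t vl = strlen(vol_prefix);
    if (strncmp(name, vol_prefix, vl) != 0 || name[vl] != '\\') return NULL;
    return name + vl;
}

int main(void)
{
    const char *usb = "\\Device\\Harddisk1\\DP(1)0-0+7\\test.txt";
    const char *p = dos_path_or_null(usb);
    printf("%s -> %s\n", usb, p ? p : "(no drive letter; send volume + relative name)");
    printf("relative: %s\n", volume_relative(usb, "\\Device\\Harddisk1\\DP(1)0-0+7"));
    return 0;
}
```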