Question about access flags for create

I have a question about desired access flags in a mini-filter pre-create
callback.

The objective here is to accurately detect read, write and delete
operations. At the moment, I can’t tell the difference between reading
an existing file and deleting a nonexistent file. I’m also pretty sure
that my read vs. write detection is wrong - I’m using the disposition flags.

The help for ZwCreateFile pretty clearly spells out what’s what but I’m
having a heck of a time associating the various flag bits I get with the
different operations. Rooting around in the header files is really
confusing.

In the filter, I’m using:

FLT_PREOP_CALLBACK_STATUS PreCreateCallback (
    PFLT_CALLBACK_DATA Data, …

    PFLT_IO_PARAMETER_BLOCK IopbPtr = Data->Iopb;
    PFLT_PARAMETERS ParameterPtr = &IopbPtr->Parameters;
    PIO_SECURITY_CONTEXT SecurityContextPtr = ParameterPtr->Create.SecurityContext;
    ACCESS_MASK DesiredAccess = SecurityContextPtr->DesiredAccess;

The ACCESS_MASK seems to be what I want but I’ll be darned if I can
associate it, the specified fields/symbols and the bits I’m getting below.

Any comments on the proper way to interpret the ‘DesiredAccess’ value
are appreciated. (or whatever it takes to meet the goal above.)
Regards,
Mickey.

A chunk of a log file with // comments added…

//
// my test app wants to delete any old files. (the files do not exist in this case)
//
[3520] Calling “DeleteFile (Z:\S.eee)” <<<< 1st WIN32 function executed
//
// driver gets IRP_MJ_CREATE
//
File name = \Device\HarddiskVolume5\S.eee
DesiredAccess = 0x00000080
//
// TestFileOpen() = my routine to open, get attributes. sets flags ‘exists’ & ‘is directory’
//
TestFileOpen() reports file does not exist
//
// my user space reporting app (plays no significant part in this question)
//
[244] filesystem: “s.exe” “openforread” “z:\s.eee”
//
// driver gets 2nd IRP_MJ_CREATE for same WIN32 operation w/ different access flags
//
File name = \Device\HarddiskVolume5\S.eee
DesiredAccess = 0x00010080
TestFileOpen() reports file does not exist
[244] filesystem: “s.exe” “openforread” “z:\s.eee”
//
// test app tries to delete 2nd old file, gets same result
//
[3520] Calling “DeleteFile (Z:\S.fff)” <<<< 2nd WIN32 function executed
File name = \Device\HarddiskVolume5\S.fff
DesiredAccess = 0x00000080
TestFileOpen reports file exists
[244] filesystem: “s.exe” “openforread” “z:\s.fff”
File name = \Device\HarddiskVolume5\S.fff
DesiredAccess = 0x00010080
TestFileOpen reports file exists
[244] filesystem: “s.exe” “openforread” “z:\s.fff”
//
// test app starts by creating 1st file
//
[3520] Calling “CreateFile (Z:\S.eee, GENERIC_WRITE, 0, 0, CREATE_ALWAYS, 0, 0)” <<<< 3rd WIN32 function executed
//
// driver gets same IRP_MJ_CREATE
//
File name = \Device\HarddiskVolume5\S.eee
DesiredAccess = 0x00000080
TestFileOpen() reports file does not exist
//
// then an IRP_MJ_CREATE to open for write
//
File name = \Device\HarddiskVolume5\S.eee
DesiredAccess = 0x00120196
TestFileOpen() reports file does not exist
//
// then driver gets IRP_MJ_CREATE for a directory
//
Dir name = \Device\HarddiskVolume5\
DesiredAccess = 0x00100000
TestFileOpen() reports directory exists

Maybe I’m being a bit too literal. However, if you want to accurately detect
read, write and delete operations, you’d be best off checking just that.
It’s nearly impossible to detect an application’s intent from the
DesiredAccess and Disposition information on a CREATE. For example, my
favorite system component SFM (Services for Macintosh) likes to SET
properties on files that have NEVER been open with any type of write access
requested. It’s perfectly happy to party on any handy FileObject. Just
because you don’t see write data access requested doesn’t mean you won’t see
WRITE IRPs either.

That being said, I did post a note to this group awhile back about how to
determine if any type of file modification is being requested during CREATE.
This included the rare, but still valid case of how to create a file without
requesting any sort of write access.

See: http://www.osronline.com/showThread.cfm?link=62996

/ted

-----Original Message-----
From: Mickey Lane [mailto:xxxxx@earthlink.net]
Sent: Saturday, August 20, 2005 12:32 PM
To: Windows File Systems Devs Interest List
Subject: [ntfsd] Question about access flags for create

[…]
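An added example (mine, not code from Mickey or Ted): the ACCESS_MASK bits behind the four DesiredAccess values in Mickey's log, plus a classifier that applies Ted's point that the create disposition (and FILE_DELETE_ON_CLOSE) can modify a file even when no write right is requested. The constants are the standard ntifs.h/winnt.h values; the classify_create routine and the OP_* names are my own and assume the caller passes SecurityContext->DesiredAccess and Parameters.Create.Options from the pre-create callback.

```c
/* Decode what a minifilter pre-create callback sees in
 * Iopb->Parameters.Create.SecurityContext->DesiredAccess together with
 * Iopb->Parameters.Create.Options (disposition in the top byte). */
#include <stdint.h>

typedef uint32_t ACCESS_MASK;

/* Specific file rights and standard rights (ntifs.h / winnt.h values). */
#define FILE_READ_DATA        0x00000001u
#define FILE_WRITE_DATA       0x00000002u
#define FILE_APPEND_DATA      0x00000004u
#define FILE_WRITE_EA         0x00000010u
#define FILE_EXECUTE          0x00000020u
#define FILE_READ_ATTRIBUTES  0x00000080u
#define FILE_WRITE_ATTRIBUTES 0x00000100u
#define DELETE                0x00010000u
#define READ_CONTROL          0x00020000u
#define WRITE_DAC             0x00040000u
#define WRITE_OWNER           0x00080000u
#define SYNCHRONIZE           0x00100000u
#define GENERIC_WRITE         0x40000000u
#define GENERIC_READ          0x80000000u
/* Create.Options: FILE_DELETE_ON_CLOSE is a create option; FILE_OPEN is the
 * only disposition that can neither create nor truncate (0 = FILE_SUPERSEDE,
 * 2..5 = FILE_CREATE .. FILE_OVERWRITE_IF). */
#define FILE_DELETE_ON_CLOSE  0x00001000u
#define FILE_OPEN             1u

/* Values from the log: 0x00000080 = FILE_READ_ATTRIBUTES (attribute probe,
 * no data op); 0x00010080 = DELETE | FILE_READ_ATTRIBUTES (the real delete);
 * 0x00120196 = FILE_WRITE_DATA | FILE_APPEND_DATA | FILE_WRITE_EA |
 * FILE_READ_ATTRIBUTES | FILE_WRITE_ATTRIBUTES | READ_CONTROL | SYNCHRONIZE
 * (Win32 GENERIC_WRITE already mapped); 0x00100000 = SYNCHRONIZE only. */
enum { OP_READ = 1, OP_WRITE = 2, OP_DELETE = 4 };

int classify_create(ACCESS_MASK access, uint32_t options)
{
    int ops = 0;
    if (access & (FILE_READ_DATA | FILE_EXECUTE | GENERIC_READ))
        ops |= OP_READ;
    if (access & (FILE_WRITE_DATA | FILE_APPEND_DATA | FILE_WRITE_EA |
                  FILE_WRITE_ATTRIBUTES | WRITE_DAC | WRITE_OWNER | GENERIC_WRITE))
        ops |= OP_WRITE;
    /* Ted's case: any disposition other than FILE_OPEN may create, supersede
     * or truncate the file without a single write right being requested. */
    if ((options >> 24) != FILE_OPEN)
        ops |= OP_WRITE;
    if ((access & DELETE) || (options & FILE_DELETE_ON_CLOSE))
        ops |= OP_DELETE;
    return ops;
}
```

Note that this only classifies what was requested at CREATE; as Ted says, later IRP_MJ_WRITE or SET_INFORMATION requests on a handle opened without write access still have to be caught in their own callbacks.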

For the time being, your referenced note will do just fine. I have a
fairly limited and well defined set of things I need to detect.

Thanks,
Mickey.

Ted Hess wrote:

[…]

That being said, I did post a note to this group awhile back about how to
determine if any type of file modification is being requested during CREATE.
This included the rare, but still valid case of how to create a file without
requesting any sort of write access.

See: http://www.osronline.com/showThread.cfm?link=62996

/ted