It’s not that simple. Your question is equivalent to “How do I make a car
that cannot crash?” It can’t be done – the entire purpose of a filesystem
is to allow users to view and modify data, in a controlled manner. If the
normal protections of the filesystem are not sufficient, then blocking IRPs
will not help you.

First of all, you need to consider two different cases: 1) The malicious
code is running with Administrator privileges, or 2) The malicious code is
running as an unprivileged user.

If case 1) is true, then there is nothing, NOTHING that your driver, or any
other driver, can do to protect against damage. This is by design. If
malicious code has gained Administrator privileges, the game is over. If
case 2) is true, then simply use ACLs to protect your data.

Even if you block a specific “format disk” IRP, there is nothing that would
prevent the malicious code from simply using normal file APIs to destroy
data. There will always be a way around any protections you can put in
place, if the code is running as Administrator.

– arlie

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of shark mouse
Sent: Wednesday, July 27, 2005 1:12 AM
To: Windows System Software Devs Interest List
Subject: SPAM-LOW: Re:[ntdev] Help about prevent disk from being formatted?

Sorry, someone misunderstood my meaning. I just want to do something to
protect my data. If my data disk can be gotten or moved to another machine,
then anything you can do is in vain, so the first thing is that the disk can
be physically protected.

My meaning is that in Windows some user cannot destroy my data by
formatting the disk, just this.

I just want to know which IRP the disk driver uses to format the
disk; then I can block the IRP, that is OK!