restrict access

i need to create an environment where my files are only accessible from
my application
this includes programs like explorer and services like on access virus
scanners
this can be on a file extension, folder name, partition or volume basis

i can’t depend on windows file security being used correctly,
users not doing the wrong thing, anti-virus people doing the right thing, …

i can think of 2 possible ways to accomplish this

  1. implement user mode file system on raw disk
    doable but seems like overkill
  2. implement minifilter that will accomplish this task
    after searching this forum and the web i’m not sure
    this is a viable alternative

can anyone provide any insight on this matter

steve

This is not generally a good forum to request information on writing
rootkits.

t.

On Thu, 21 May 2009, Steve Blumsack wrote:



NTFSD is sponsored by OSR

For our schedule of debugging and file system seminars
(including our new fs mini-filter seminar) visit: http://www.osr.com/seminars

To unsubscribe, visit the List Server section of OSR Online at
http://www.osronline.com/page.cfm?name=ListServer

> 1. implement user mode file system on raw disk
>    doable but seems like overkill

That does not sound like a rootkit to me.

===

The answer is that you can’t prevent what you’re trying to prevent; all you can do is raise the cost to compromise it, which will also raise the costs to develop it, debug it and support it; in the case of the minifilter, it might compromise the stability of the system.

So, I guess what I’m saying is that I would suggest you consider how much a solution is worth and then compare it to the cost of development.

Good luck,

mm

> i need to create an environment where my files are only accessible from
> my application
> this includes programs like explorer and services like on access virus
> scanners
> this can be on a file extension, folder name, partition or volume basis

  1. WHY do you want to restrict access to that file from explorer and
    antivirus?
  2. WHAT are you trying to achieve?

Regards,
Ayush Gupta
http://www.linkedin.com/in/guptaayush

> 2. implement minifilter that will accomplish this task
> after searching this forum and the web i’m not sure
> this is a viable alternative

This is OK, but… how will you check that the application is yours?


Maxim S. Shatskih
Windows DDK MVP
xxxxx@storagecraft.com
http://www.storagecraft.com

The filter is not a good way because it won’t prevent the user from loading the system in safe mode. So only a custom file system with built-in encryption will help.

(marketing content removed)

Sincerely yours,
Eugene Mayevski

i simply want to protect my files from others
this clearly has nothing to do with rootkits

in the past i attempted to do this through windows file security &
excluding my files from virus scanners
this approach didn’t work because with so many machines it was never
done correctly
people would accidentally delete files, leave files open read only, virus
scanners would memory map files and preclude certain access

this is less a security issue and more an operational issue

the issue of starting in safemode is also not an issue

however writing a mini-filter that deals with issues like “is it my code”,
“is it my data” and other drivers bypassing my filter (virus scanner)
seems to be the biggest problem
maybe they are solvable but i’m not sure how

NTFS as a file system is more than up to the task
which is why writing my own file system to solve this problem
seems like overkill

steve

Hi Steve,

A simple way would be that your application notifies your minifilter by
sending its Process Id via an IOCTL.
And then, upon each IRP_MJ_CREATE, you can check the requestor process id
associated with the callback data in the pre create callback. If it matches
the one that had been sent from your application via the IOCTL interface,
you should allow IRP_MJ_CREATE to proceed, otherwise simply fail and
complete the callback data in your minifilter.

Regards,
Ayush Gupta
http://windows-internals.blogspot.com/

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Steve Blumsack
Sent: Friday, May 22, 2009 6:28 PM
To: Windows File Systems Devs Interest List
Subject: RE:[ntfsd] restrict access


i’ve tried that approach but on-access virus scanners seem to bypass it
i assume because they are using my handle & file mapping to check the file
and not some form of CreateFile - although i’m not really sure how they work

i’ve also tried unique FileFlagsAndAttributes in CreateFile & PathNames
(although from reading this forum PathNames seem to be problematic)

steve


>i’ve tried that approach but on-access virus scanners seem to bypass it

Why do you want to deny access to antivirus?

Regards,
Ayush Gupta
http://windows-internals.blogspot.com/

it detracts from performance & some of them access files in such a way
as to interfere with my code, e.g. SetEndOfFile errors caused by
FileMapping to the file. i have attempted to have users exempt my files
from checking but this has not proven successful since it is rarely done
correctly.

steve


> it detracts from performance & some of them access files in such a way
> as to interfere with my code. e.g. SetEndOfFile errors caused by FileMapping to the
> file. i have attempted to have users exempt my files from checking but this
> has not proven successful since it is rarely done correctly.

I would rather fix the bug in the code which causes the interop problem with antivirus.

As for performance - this is not your question, but the user’s. They have the natural right to choose between a slow computer with an extra bit of security (with antivirus) and a faster computer without this protection (no antivirus).


Maxim S. Shatskih
Windows DDK MVP
xxxxx@storagecraft.com
http://www.storagecraft.com

After reading this thread, I believe you are attempting to write a root-kit.

You say you don’t want AV or users accessing your files, well, the simple
way around that is to give your files an extension that is unknown…

AVs look for files that contain executable code (by extension), i.e. ‘exe’
or ‘vbs’. Graphics programs look for .jpeg or .avi, etc.

If you simply gave your files an extension of .123xyzRandom all windows
applications will ask “Open with what?”. Most AVs will ignore it (all
mainstream ones will).

I’m sure those that wrote the Sony CD protection software a few years ago
didn’t think they were writing a Root-kit and thought they were doing a
legitimate job.

This technique combined with what Ayush said will solve your problem, that
is if you weren’t blowing smoke up everyone’s ass - which I believe you were
trying to do.

Matt


> After reading this thread, I believe you are attempting to write a root-kit.

Probably.

I feel some disdain for the idea of a product which disables some functionality of another product without the user’s explicit consent.

This is IMHO tolerable as a part of vertical solution only, with a proper description of this.


Maxim S. Shatskih
Windows DDK MVP
xxxxx@storagecraft.com
http://www.storagecraft.com

i had hoped to elicit responses from those who had the knowledge (of the
capabilities of minifilters) and the experience (of writing serious server
based software) to understand the significance of my issues and were willing
to engage in a rational/technical discussion on its merits.
i guess this is not the appropriate forum. but thanks anyway.

You have gotten responses from people who do know mini-filters and good
kernel software practices. Before you condemn this forum which is the
correct forum for what you want, why don’t you take a look at your original
post and then your later additions.

Gee, your original post asks to restrict files from all access, this is a
classic requirement for a rootkit, and something that developers of those
kits ask for commonly. You then deny that is your purpose, but then demand
a way to avoid having virus scanners look at your files, again when you are
questioned you claim that you cannot have them scan your files, but really
do not explain why or how you prevent malware from using your files. Yes,
a number of the malware scanners are a pain in the butt to live with, but a
professional lives with them.

This community is professional enough to be concerned about health of the
system, not just the programmer getting what he wants, if you want useful
information present a good description with an intelligent set of arguments
for what you think you need.


Don Burn (MVP, Windows DDK)
Windows Filesystem and Driver Consulting
Website: http://www.windrvr.com
Blog: http://msmvps.com/blogs/WinDrvr


On Sat, 23 May 2009, Matt wrote:

> AVs look for files that contain executable code (by extension), i.e. ‘exe’
> or ‘vbs’. Graphics programs look for .jpeg or .avi, etc.
>
> If you simply gave your files an extension of .123xyzRandom all windows
> applications will ask “Open with what?”. Most AVs will ignore it (all
> mainstream ones will).

I doubt that is true. All files must be scanned.

You can run program.123xyzRandom, Windows only searches for the exe
extension if you don’t specify an extension, if you specify a random
extension, it will still look at the file and try to interpret it as an
MZ and PE, etc. image file. Try it.
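Erick’s point that Windows tries to interpret a file as an MZ/PE image whatever its extension is also why a scanner cannot safely exclude files by extension. As an added example (not code from the thread), this is the content-based check a scanner makes instead; it assumes only the documented PE layout (a 64-byte DOS header with e_lfanew at offset 0x3C), and the sample buffer is constructed inline rather than read from disk:

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Content-based check: does the buffer carry a DOS "MZ" header whose
 * e_lfanew field (little-endian uint32 at offset 0x3C) points at a
 * "PE\0\0" signature?  The file name and extension are deliberately
 * not consulted. */
int looks_like_pe_image(const unsigned char *buf, size_t len)
{
    if (buf == NULL || len < 64)            /* IMAGE_DOS_HEADER is 64 bytes */
        return 0;
    if (buf[0] != 'M' || buf[1] != 'Z')
        return 0;
    uint32_t e_lfanew = (uint32_t)buf[0x3C]
                      | ((uint32_t)buf[0x3D] << 8)
                      | ((uint32_t)buf[0x3E] << 16)
                      | ((uint32_t)buf[0x3F] << 24);
    /* A hostile file can put anything in e_lfanew: bounds-check before
     * reading through it. */
    if (e_lfanew > len || len - e_lfanew < 4)
        return 0;
    return memcmp(buf + e_lfanew, "PE\0\0", 4) == 0;
}

/* Constructed sample (not a real binary): 256 zero bytes with an MZ
 * header and e_lfanew = 0x80 pointing at a PE signature. */
size_t build_sample_pe(unsigned char *out, size_t cap)
{
    if (cap < 0x100)
        return 0;
    memset(out, 0, 0x100);
    out[0] = 'M'; out[1] = 'Z';
    out[0x3C] = 0x80;
    memcpy(out + 0x80, "PE\0\0", 4);
    return 0x100;
}

/* variant 0: intact sample; 1: e_lfanew pushed past the end of the
 * buffer; 2: MZ header overwritten with plain text. */
int check_sample(int variant)
{
    unsigned char buf[0x100];
    size_t n = build_sample_pe(buf, sizeof buf);
    if (variant == 1) { buf[0x3C] = 0xFF; buf[0x3D] = 0xFF; } /* e_lfanew = 0xFFFF */
    else if (variant == 2) memcpy(buf, "hello world", 11);
    return looks_like_pe_image(buf, n);
}

int main(void)
{
    /* The extension in the name plays no part in the verdict. */
    printf("report.123xyzRandom: %s\n",
           check_sample(0) ? "PE image" : "not a PE image");
    printf("bad e_lfanew: %d, text: %d\n", check_sample(1), check_sample(2));
    return 0;
}
```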

IFFFFFFF A/Vs are becoming a pain for you (though I don’t understand why),
then you can do one of the following:

  1. Check at installation time for the presence of A/Vs and ANNOUNCE to the
    user that your software is not compatible with the A/Vs. IF the user
    chooses your software over the A/V then you will get into the system WITH
    his CONSENT

  2. REQUEST the user to add your files in the exclusion list of his A/V

The BOTTOM line is that if you want to skip the A/V, you have to do it with
the USER’s consent (of course DON’T fool him into doing so!). This is what
decent/genuine applications should do. Otherwise they are simply MALWARE.

Regards,
Ayush Gupta
http://windows-internals.blogspot.com/

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Steve Blumsack
Sent: Saturday, May 23, 2009 9:47 PM
To: Windows File Systems Devs Interest List
Subject: Re:[ntfsd] restrict access


Not only ALL files, but ALL streams on the filesystems supporting multiple
streams such as NTFS. I have taken notepad.exe or wordpad.exe and copied it
to “TestFile.txt:Secret:Txt”. Then a program can easily execute that stream
and it just works. A normal file is just a stream that is called ‘$Data’ or
something close to it, so no one should be surprised. I have run
‘gpedit.msc’ many times from the ‘Run’ command and that doesn’t match the
‘exe’ or ‘com’ paradigm.

“Erick Engelke” wrote in message
news:xxxxx@ntfsd…

Yup, as I said, not a good forum to discuss creating rootkits.

t.

On Sat, 23 May 2009, Steve Blumsack wrote:
