hey!
I’m having a look at a filter driver that monitors files for modifications and backs them up somewhere, it will not always back content up but only in case it identifies what is considered by it “suspicious” (say multiple file modifications in a short space of time to documents)
what I find weird is it gets a stream handle context during the pre operation for write , but the context is allocated at cleanup…? what I expected is that it will be allocated somewhere at file create which it doesnt even filter at all … can anyone elighten me into why would one use such design to backup file content for potential need to restore it? how could that work ?
here’s the preoperation for file writes
`_*_int64 __fastcall preop_file_write(__int64 Data, __int64 FltObjects, _QWORD Context)
{
__int64 v4[3]; // [rsp+20h] [rbp-18h] BYREF
v4[0] = 0i64;
FltGetStreamHandleContext(*(_QWORD *)(FltObjects + 0x18), *(_QWORD *)(FltObjects + 32), v4);
if ( !v4[0] )
return 1i64;
*Context = v4[0];
return 0i64;
}`
and the pre operation for file cleanup
*`__int64 __fastcall preop_cleanup(__int64 Data, __int64 FltObjects, _QWORD Context)
{
__int64 context_type_stream_handle; // rdx
int v5; // eax
__int64 v6; // rax
__int64 info_token_and_sid; // rax
char v8; // [rsp+30h] [rbp-38h]
int status; // [rsp+34h] [rbp-34h]
unsigned int RequestorProcessId; // [rsp+3Ch] [rbp-2Ch]
__int64 returned_context; // [rsp+40h] [rbp-28h] BYREF
__int64 file_name_information; // [rsp+48h] [rbp-20h] BYREF
__int64 v13[3]; // [rsp+50h] [rbp-18h] BYREF
returned_context = 0i64;
if ( !sub_180037C30(Data) )
return 1i64;
if ( (int)FltGetFileNameInformation(Data, 1026i64, &file_name_information) < 0 )
return 1i64;
status = FltParseFileNameInformation(file_name_information);
if ( status >= 0 )
{
LOWORD(context_type_stream_handle) = 0x10;
status = FltAllocateContext(filter, context_type_stream_handle, 280i64, 0i64, &returned_context);
if ( status >= 0 && returned_context )
{
memset(returned_context, 0i64, 280i64);
RequestorProcessId = FltGetRequestorProcessId(Data);
v13[0] = 0i64;
lookup_avl_table_two(RequestorProcessId, v13);
some_string_ops_one_filename(returned_context, file_name_information + 8);
some_string_ops_one_filename(returned_context + 8, file_name_information + 56);
v5 = insert_generic_avl_table(*(_QWORD *)returned_context);
*(_DWORD *)(returned_context + 16) = v5;
*(_BYTE *)(returned_context + 20) = 0;
*(_BYTE *)(returned_context + 21) = *(_WORD *)(file_name_information + 72) != 0;
*(_QWORD *)(returned_context + 24) = 0i64;
sub_180043890(returned_context + 32);
*(_DWORD *)(returned_context + 40) = RequestorProcessId;
v6 = get_avl_table_element_and_do_something(v13[0]);
*(_QWORD *)(returned_context + 48) = v6;
*(_QWORD *)(returned_context + 56) = *(_QWORD *)(Data + 8);
info_token_and_sid = query_info_token(Data);
*(_QWORD *)(returned_context + 64) = info_token_and_sid;
*(_BYTE *)(returned_context + 104) = *(_BYTE *)(Data + 80);
*(_DWORD *)(returned_context + 108) = *(unsigned __int16 )((_QWORD *)(Data + 16) + 42i64);
*(_DWORD *)(returned_context + 112) = *(_DWORD )((_QWORD *)(Data + 16) + 32i64) & 0xFFFFFF;
*(_DWORD )(returned_context + 116) = (unsigned __int8)HIBYTE((_DWORD )((_QWORD *)(Data + 16) + 32i64));
*(_DWORD *)(returned_context + 120) = *(_DWORD )((_QWORD )((_QWORD *)(Data + 16) + 24i64) + 16i64);
*(_QWORD *)(returned_context + 128) = 0i64;
*(_DWORD *)(returned_context + 140) = 0;
}
FltReleaseFileNameInformation(file_name_information);
if ( (unsigned __int8)verify_version_info() && status >= 0 && returned_context )
{
sub_180035E50(Data, returned_context + 80, returned_context + 72, returned_context + 96);
status = 0;
}
}
else
{
FltReleaseFileNameInformation(file_name_information);
}
if ( status >= 0 && returned_context )
{
if ( (unsigned __int8)sub_1800350E0(Data, FltObjects, returned_context) )
{
v8 = 0;
if ( *(_DWORD )((_QWORD )((_QWORD *)(Data + 16) + 24i64) + 16i64) != *(_DWORD *)(returned_context + 120) )
{
*(_DWORD )((_QWORD )((_QWORD *)(Data + 16) + 24i64) + 16i64) = *(_DWORD *)(returned_context + 120);
v8 = 1;
}
if ( *(unsigned __int16 )((_QWORD *)(Data + 16) + 42i64) != *(_DWORD *)(returned_context + 108) )
{
*(_WORD )((_QWORD *)(Data + 16) + 42i64) = *(_WORD *)(returned_context + 108);
v8 = 1;
}
if ( v8 )
FltSetCallbackDataDirty(Data);
*Context = returned_context;
return 0i64;
}
else
{
FltReleaseContext(returned_context);
*(_DWORD *)(Data + 24) = -1073741790;
*(_QWORD *)(Data + 32) = 0i64;
return 4i64;
}
}
else
{
if ( returned_context )
FltReleaseContext(returned_context);
return 1i64;
}
}`
and lastly the post operation for cleanup where the context is set
`__int64 __fastcall postop_cleanup(__int64 Data, __int64 FltObjects, __int64 Context)
{
__int64 v5[3]; // [rsp+40h] [rbp-18h] BYREF
if ( !Context )
return 0i64;
*(_QWORD *)(Context + 128) = *(_QWORD *)(Data + 32);
if ( *(int *)(Data + 24) >= 0 )
sub_1800378C0(Data, FltObjects, Context);
sub_1800351B0(FltObjects, Data, Context);
if ( *(int *)(Data + 24) >= 0 )
{
v5[0] = 0i64;
*(_QWORD *)(Context + 88) = *(_QWORD )(FltObjects + 32);
** FltSetStreamHandleContext((_QWORD *)(FltObjects + 24), (_QWORD )(FltObjects + 32), 0i64, Context, v5);
if ( v5[0] )
FltReleaseContext(v5[0]);
FltReleaseContext(Context);
return 0i64;
}
else
{
FltReleaseContext(Context);
return 0i64;
}
}`