— “Maxim S. Shatskih”
wrote:
> > Unloading
> > This can be done more easily with hooking. What’s
> one
>
> You cannot unload the hooker driver. Just forget
> about it. There is no stable
> way of doing this.
Why not if MS had the OS control the chaining? MS can
now unload mini-filters…seems more complicated to do
that.
>
> Anyway unloading is not an issue and gives no market
> value to the product.
One thing that occurs to me is upgrading your filter
without a reboot. Yeah, you can do the two driver
thing, but that’s a hassle.
Split the driver into two pieces then - one that can be unloaded, one
that cannot. This is the solution I’ve suggested for many years for
file system filter drivers (which ALSO cannot be unloaded safely). It
should work for other types of solutions as well.
Customers might like to upgrade without rebooting, but they won’t like
it if they end up rebooting anyway because the system crashes. But it
is rather obvious if you have TWO drivers that both patch, unloading the
logically lower one will cause invalidation of the address stored in the
upper one.
Note: I’m not endorsing code patching, call table patching, or other
system code modification mechanisms. In my experience they are used far
more often than they should be, generally by developers that do not
understand how to achieve their goals within the OS-provided model.
Without a radical change in the OS architecture, however, there’s no way
to prevent such behavior.
Regards,
Tony
Tony Mason
Consulting Partner
OSR Open Systems Resources, Inc.
http://www.osr.com
Looking forward to seeing you at the Next OSR File Systems Class October
18, 2004 in Silicon Valley!
-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Vossen, Joseph (ISS
Atlanta)
Sent: Wednesday, October 27, 2004 10:02 AM
To: ntfsd redirect
Subject: RE: Understanding Microsoft’s Stance on Hooking (was re:
[ntfsd] Hooksys example… )
> Unloading This can be done more easily with hooking. What’s one
You cannot unload the hooker driver. Just forget about it.
There is no stable way of doing this.
Anyway unloading is not an issue and gives no market value to the
product.
That is not entirely true; unloading such that you may perform an
upgrade without a reboot is a wonderful feature to provide to your
customers.
Questions? First check the IFS FAQ at
https://www.osronline.com/article.cfm?id=17
Yes, I agree I do have a bias toward hooking, since there were many
situations since NT 3.51 where I did not have many options but to hook away, so it
would be futile to trace all those scenarios here :). In the past I did
mention some of them. In any case, our observation is that hooking does have
a performance gain in certain situations, but that should not be the reason to
hook. There were other situation(s) when we needed it absolutely; for a lot
of security people “Hardening is right around the kernel mode”, even binary
analysis is from kernel mode. Still today, quite a few companies try to give
me work around these areas, and I couldn’t justify more about having the
facility to take some control of the OS, well of course, unless I think they
are really really … stupid, and I sincerely don’t think they are stupid.
Also one thing I go after ( of course if really really needed ) is to have a
canonical hooking. FOR EXAMPLE, TO TAILOR THE BEHAVIOR OF REGISTRY APIs, one
does not need to hook all the Zw*() we can think of, only a few.
THE ONLY THING I CAN THINK OF IS THAT MS PROVIDES A CALL-BACK MECHANISM, AND BEING
A CENTRAL POINT, IT SHOULD BE ABLE TO CATCH IF A CHAIN HAS SOME STALE
REGISTRATION, AND FIX IT. Exception handling could be thought of as
call-back registration ( in a stack fashion) and the default handling is
provided by the OS…
Oh well, …
-pro
-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com]On Behalf Of Randy Cook
Sent: Wednesday, October 27, 2004 7:26 AM
To: Windows File Systems Devs Interest List
Subject: Re: Understanding Microsoft’s Stance on Hooking (was re:
[ntfsd] Hooksys example… )
> Why not if MS had the OS control the chaining? MS can
> now unload mini-filters…seems more complicated to do
> that.
As Tony said, unloading the earlier hooker before the later one will break the
chain for the later one.
> One thing that occurs to me is upgrading your filter
> without a reboot. Yeah, you can do the two driver
> thing, but that’s a hassle.
There is no way of doing this if the filter is attached to the SystemRoot
filesystem.
Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
xxxxx@storagecraft.com
http://www.storagecraft.com
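Tony’s two-driver argument and Maxim’s remark that unloading the earlier hooker breaks the later one’s chain, modelled in user-mode C as an added example (not code from the thread or from any of the posters): an ad-hoc chain, where each hooker privately saves its predecessor’s address, is set beside an OS-managed callback list of the kind pro asks for, where the OS owns the chain and dropping one registration leaves the others intact. All function names are made up, and SIM_CRASH stands in for a jump into code that is no longer loaded.

```c
/* Added user-mode model (not kernel code): an ad-hoc hook chain beside an OS-managed callback list. */
#include <stdbool.h>
#include <string.h>

#define SIM_CRASH (-1)                /* reported when a call lands in unloaded code */
typedef int (*svc_fn)(int);
static int original_service(int x) { return x + 1; }   /* the service being filtered */

/* --- Ad-hoc chain: one table slot; each hooker privately saves its predecessor --- */
static svc_fn table_slot = original_service;
static svc_fn prev_of_a, prev_of_b;
static bool a_loaded, faulted;
static int hook_a(int x) {            /* lower hooker, installed first */
    if (!a_loaded) { faulted = true; return 0; }   /* model: A's image is gone */
    return prev_of_a(x) * 2;
}
static int hook_b(int x) { return prev_of_b(x) + 100; }   /* upper hooker, installed later */
static void install_a(void) { prev_of_a = table_slot; table_slot = hook_a; a_loaded = true; }
static void install_b(void) { prev_of_b = table_slot; table_slot = hook_b; }
static void unload_a(void) {
    /* A can restore the slot only while it is still the head; with B above it, B's saved &hook_a goes stale. */
    if (table_slot == hook_a) table_slot = prev_of_a;
    a_loaded = false;
}
static int adhoc_chain(int x) { faulted = false; int r = table_slot(x); return faulted ? SIM_CRASH : r; }

/* --- OS-managed list: hookers register with the OS and never see each other --- */
static svc_fn cb_list[8];
static size_t cb_count;
static int filt_a(int x) { return x * 2; }
static int filt_b(int x) { return x + 100; }
static void register_cb(svc_fn f) { cb_list[cb_count++] = f; }
static void unregister_cb(svc_fn f) {      /* the OS drops one entry and keeps the others' order */
    for (size_t i = 0; i < cb_count; i++)
        if (cb_list[i] == f) { memmove(&cb_list[i], &cb_list[i + 1], (--cb_count - i) * sizeof f); return; }
}
static int managed_chain(int x) {          /* the OS, not the hookers, walks the chain */
    x = original_service(x);
    for (size_t i = 0; i < cb_count; i++) x = cb_list[i](x);
    return x;
}

/* Both scenarios install two filters, optionally remove the lower one, then call through. */
static int adhoc_scenario(bool unload_lower) {
    table_slot = original_service; install_a(); install_b();
    if (unload_lower) unload_a();
    return adhoc_chain(5);                 /* 112 with both; SIM_CRASH once A is gone */
}
static int managed_scenario(bool remove_lower) {
    cb_count = 0; register_cb(filt_a); register_cb(filt_b);
    if (remove_lower) unregister_cb(filt_a);
    return managed_chain(5);               /* 112 with both; 106 once A is removed */
}
```

The ad-hoc variant also shows the other half of Tony’s point: A cannot even restore the table once B sits above it, so it has no safe unload path at all, while the managed variant needs no cooperation between the two filters.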
> But HERE’s the fundamental problem: It’s true that many (er, I’d argue
> most) of the reasons people hook various things is out of ignorance.
Not necessarily.
For instance, you want to block executing some EXEs by full pathnames. Using
FSF and checking for “execute” access is not a good idea - it is used in lots
of other scenarios, which are indistinguishable by DesiredAccess only.
So, hooks are the only solution.
Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
xxxxx@storagecraft.com
http://www.storagecraft.com
I think the point, Max, is not “there are no legitimate reasons to
implement a patch/hook” but rather that for some people this is their
FIRST means of implementing functionality, not their LAST means.
Those of us that have been doing this for a while know that there are
always unusual cases where we do things we’d rather not do. But that’s
a different school than the folks that say “I’m going to do it this
messy and unsupported way because it is the easiest way FOR ME”.
If all we want to do is add horrible ways to implement functionality,
and reasons that I might do so I’ll contribute my own: I want inverted
page tables, because I want to be able to build robust, reliable,
scalable distributed shared memory modeled clustered (or distributed)
file systems. The powers that be have determined that this
functionality is not important to Windows and the cost associated with
it is too high to add this functionality. The memory manager provides
no mechanism for me to do this in a clean and supported fashion - but I
*can* do it if I am willing to hook and patch a sufficient amount of
code.
Regards,
Tony
Tony Mason
Consulting Partner
OSR Open Systems Resources, Inc.
http://www.osr.com
-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Maxim S. Shatskih
Sent: Wednesday, October 27, 2004 2:50 PM
To: ntfsd redirect
Subject: Re: Re:[ntfsd] Understanding Microsoft’s Stance on Hooking (was
re: Hooksys example… )
AcquireFileForCreateSection() is already filterable, and you can fail
it. And you can look for desired access in this callback.
Ravi
-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Maxim S. Shatskih
Sent: Wednesday, October 27, 2004 11:50 AM
To: Windows File Systems Devs Interest List
Subject: Re: Re:[ntfsd] Understanding Microsoft’s Stance on Hooking (was
re: Hooksys example… )
I could be totally wrong, as I often am! But if we turn the question around and try to find “What are the main reasons people try to hook and/or patch?”, does it give any answer? We can use ntdev/ntfsd as a sampling pot, can’t we? Hope no one is hooking to spit out a msg window, “I’m a hooker!”.
Most if not all are trying to solve problems around mostly the security area…
VPN
firewall
antivirus
unauthorized programs
IDS
etc.
etc.
Maybe MS should provide some reference implementations of those, and how they fit together in the current architecture!!!
What would newcomers do? They will look for examples; they would reverse engineer the ( maybe crap ) I put together some time ago or someone else put together, and where would they land …
I think it was intentional on MS’s part not to get into those areas, first because it might create another PR problem, second since it was not their major emphasis in the past, they are not quite sure how to justify doing it their way; in fact they might not have fully discovered the best ways!!!
But if there are some examples that come with substance ( architectural gain, simplicity, performance ) no one in their right mind would follow my .sys and reverse engineer the crap …
Just a thought…
-pro
It seems quite likely that a substantial preponderance are trying to
write malware, but attempt to cloak their purposes with other
explanations.
Shall we provide reference instructions for that?
Benson, you just pointed out another twist to it. Yeah, that will drive me nuts. But then again if anyone is able to get hold of kernel mode, we all are pretty much out to lunch :).
What I meant to say is: is there any legitimate way(s) we can provide those examples, surely w/o patching/hooking, and I’m not saying exposing all the *.c files from MS, that would be horrible. Just an architectural outline, and sample(s) for how to do it, so that no one lands on bad practices … They have to be at a level like the other examples in the DDK …
Then of course, there are situation(s) and exceptions when someone would go that route and take the risk on their own. But I think we could reduce the interest in hooking, assuming those who are asking for these features are honest, and by all means they would try to avoid it …
-pro
The scariest ones are people who should know better but want malware. I’ve
had a couple calls from firms that should know better of the form: “Our
developer put together a great application but it only works for the
Administrator. We need everyone to be able to use it, so we would like a
driver that for programs in the XYZ directory turns off security for this
list of things …” I try to warn them off and suggest alternatives, but I
suspect they may have found some idiot to do it!
–
Don Burn (MVP, Windows DDK)
Windows 2k/XP/2k3 Filesystem and Driver Consulting