  Message 1 of 3  
23 Dec 16 06:53
winnt dev
xxxxxx@gmail.com
Join Date: 23 Dec 2016
Posts To This List: 2
FS_FILTER_CALLBACKS via Mini-Filters

I am fairly new to actually writing file system related code, though I have been doing a fair bit of studying for some time on the subject to get started. Here is a piece of code to deny a process by capturing the acquire-for-section-sync callback. This seems to work fine and denies when I launch calc.exe for testing purposes.

ref: https://www.osronline.com/showThread.CFM?link=141439

    FLT_PREOP_CALLBACK_STATUS
    FsFilterPreOperation(
        _Inout_ PFLT_CALLBACK_DATA Data,
        _In_ PCFLT_RELATED_OBJECTS FltObjects,
        _Flt_CompletionContext_Outptr_ PVOID *CompletionContext
        )
    {
        ///
        if (Data->Iopb->MajorFunction == IRP_MJ_ACQUIRE_FOR_SECTION_SYNCHRONIZATION) {
            UNICODE_STRING deny_proc_name;
            RtlInitUnicodeString(&deny_proc_name, L"\\Windows\\System32\\calc.exe");

            FS_FILTER_SECTION_SYNC_TYPE SyncType =
                Data->Iopb->Parameters.AcquireForSectionSynchronization.SyncType;
            ULONG PageProtection =
                Data->Iopb->Parameters.AcquireForSectionSynchronization.PageProtection;

            if (SyncType == SyncTypeCreateSection && (PageProtection & PAGE_EXECUTE)) {
                if (FltObjects && FltObjects->FileObject) {
                    // Case-insensitive compare against the name stored in the file object
                    if (RtlCompareUnicodeString(&deny_proc_name,
                                                &FltObjects->FileObject->FileName,
                                                TRUE) == 0) {
                        Data->IoStatus.Status = STATUS_ACCESS_DENIED;
                        // this doesn't allow this I/O to be sent down the stack
                        // to the file system and hence fails it right away
                        return FLT_PREOP_COMPLETE;
                    }
                }
            }
        }
        ///
    }

I also tried to register FS_FILTER_CALLBACKS in my driver entry. The call for registration succeeds without any problem, but I don't get any callbacks via this mechanism. Is it expected to not get called in the case of a mini-filter (works only for legacy filters)? I had followed some previous forum links, where it was suggested that process execution could be denied in the very initial phase via PreAcquireForSectionSynchronization.

    ///
    FS_FILTER_CALLBACKS fsFilterCallbacks;

    RtlZeroMemory(&fsFilterCallbacks, sizeof(FS_FILTER_CALLBACKS));
    fsFilterCallbacks.SizeOfFsFilterCallbacks = sizeof(fsFilterCallbacks);
    fsFilterCallbacks.PreAcquireForSectionSynchronization = MyPreAcquireForSectionSynchronization;

    status = FsRtlRegisterFileSystemFilterCallbacks(DriverObject, &fsFilterCallbacks);
    ///

Is there a difference between the two mechanisms?

Thanks for this community, it has been really helpful in learning.
  Message 2 of 3  
03 Jan 17 09:47
Scott Noone
xxxxxx@osr.com
Join Date: 10 Jul 2002
Posts To This List: 854
List Moderator
FS_FILTER_CALLBACKS via Mini-Filters

FsRtlRegisterFileSystemFilterCallbacks is only for legacy file system filters (and file systems, if they so choose). Filter Manager provides its own abstractions for these callbacks in the form of pseudo IRP operations (e.g. IRP_MJ_ACQUIRE_FOR_SECTION_SYNCHRONIZATION).

-scott
OSR
@OSRDrivers
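The minifilter counterpart of the legacy registration discussed above, as an added example that is not code from either poster or from OSR: the pseudo IRP operation is listed in the FLT_OPERATION_REGISTRATION array instead of calling FsRtlRegisterFileSystemFilterCallbacks. The names IsExecuteSectionCreate, PreAcquireForSectionSync, DenyName, Callbacks and ANY_EXECUTE are hypothetical, and the helper goes beyond the post by testing all four execute protections, which are distinct values rather than one shared bit.

```c
/* Builds inside a minifilter (WDK, /kernel defines _KERNEL_MODE) or stand-alone. */
#ifdef _KERNEL_MODE
#include <fltKernel.h>
#else   /* user-mode build: values mirrored from winnt.h / ntifs.h */
#define PAGE_EXECUTE           0x10
#define PAGE_EXECUTE_READ      0x20
#define PAGE_EXECUTE_READWRITE 0x40
#define PAGE_EXECUTE_WRITECOPY 0x80
enum { SyncTypeOther = 0, SyncTypeCreateSection = 1 };
#endif

#define ANY_EXECUTE (PAGE_EXECUTE | PAGE_EXECUTE_READ | \
                     PAGE_EXECUTE_READWRITE | PAGE_EXECUTE_WRITECOPY)

/* Hypothetical helper: nonzero when a section is created with any execute protection. */
static int IsExecuteSectionCreate(int syncType, unsigned long pageProtection)
{
    return syncType == SyncTypeCreateSection && (pageProtection & ANY_EXECUTE) != 0;
}

#ifdef _KERNEL_MODE
/* Same test path as the post. FileObject->FileName is the name used at open
   time, not a normalized path. */
static const UNICODE_STRING DenyName = RTL_CONSTANT_STRING(L"\\Windows\\System32\\calc.exe");

static FLT_PREOP_CALLBACK_STATUS FLTAPI
PreAcquireForSectionSync(PFLT_CALLBACK_DATA Data, PCFLT_RELATED_OBJECTS FltObjects,
                         PVOID *CompletionContext)
{
    UNREFERENCED_PARAMETER(CompletionContext);
    if (IsExecuteSectionCreate(
            Data->Iopb->Parameters.AcquireForSectionSynchronization.SyncType,
            Data->Iopb->Parameters.AcquireForSectionSynchronization.PageProtection) &&
        FltObjects->FileObject != NULL &&
        RtlCompareUnicodeString(&DenyName, &FltObjects->FileObject->FileName, TRUE) == 0) {
        Data->IoStatus.Status = STATUS_ACCESS_DENIED;
        return FLT_PREOP_COMPLETE;              /* fail here; nothing is sent down */
    }
    return FLT_PREOP_SUCCESS_NO_CALLBACK;       /* no post-operation callback needed */
}

/* Goes in FLT_REGISTRATION.OperationRegistration, which is passed to FltRegisterFilter. */
static const FLT_OPERATION_REGISTRATION Callbacks[] = {
    { IRP_MJ_ACQUIRE_FOR_SECTION_SYNCHRONIZATION, 0, PreAcquireForSectionSync, NULL },
    { IRP_MJ_OPERATION_END }
};
#endif
```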
  Message 3 of 3  
05 Jan 17 13:34
winnt dev
xxxxxx@gmail.com
Join Date: 23 Dec 2016
Posts To This List: 2
FS_FILTER_CALLBACKS via Mini-Filters

Thanks Scott for the insight.