I am fairly new to actually writing file system related code,
though I have been doing a fair bit of studying for some time on the subject to get started.
Here is some piece of code to deny a process by capturing the acquire for section sync callback.
This seems to work fine and denies when I launch calc.exe for testing purposes.
ref: https://www.osronline.com/showThread.CFM?link=141439
///
FLT_PREOP_CALLBACK_STATUS
FsFilterPreOperation(
    _Inout_ PFLT_CALLBACK_DATA Data,
    _In_ PCFLT_RELATED_OBJECTS FltObjects,
    _Flt_CompletionContext_Outptr_ PVOID *CompletionContext
    )
{
    UNREFERENCED_PARAMETER(CompletionContext);

    if (Data->Iopb->MajorFunction == IRP_MJ_ACQUIRE_FOR_SECTION_SYNCHRONIZATION)
    {
        UNICODE_STRING deny_proc_name;
        // Backslashes have to be escaped inside a C string literal
        RtlInitUnicodeString(&deny_proc_name, L"\\Windows\\System32\\calc.exe");
        FS_FILTER_SECTION_SYNC_TYPE SyncType = Data->Iopb->Parameters.AcquireForSectionSynchronization.SyncType;
        ULONG PageProtection = Data->Iopb->Parameters.AcquireForSectionSynchronization.PageProtection;
        // Only a section being created with execute protection (an image mapping) is of interest
        if (SyncType == SyncTypeCreateSection && (PageProtection & PAGE_EXECUTE))
        {
            if (FltObjects && FltObjects->FileObject)
            {
                // Case-insensitive compare against the volume-relative file name
                if (RtlCompareUnicodeString(&deny_proc_name, &FltObjects->FileObject->FileName, TRUE) == 0)
                {
                    Data->IoStatus.Status = STATUS_ACCESS_DENIED;
                    return FLT_PREOP_COMPLETE; // this doesn't allow this I/O to be sent down the stack to the file system and hence fails it right away
                }
            }
        }
    }

    // Every other request is passed down unchanged
    return FLT_PREOP_SUCCESS_NO_CALLBACK;
}
///
I also tried to register FS_FILTER_CALLBACKS in my driver entry.
The call for registration succeeds without any problem, but I don't get any callbacks via this mechanism.
Is it expected not to get called in the case of a mini-filter (works only for a legacy filter)?
I had followed some previous forum links, where it was suggested that
process execution could be denied in the very initial phase via PreAcquireForSectionSynchronization.
///
NTSTATUS status;
FS_FILTER_CALLBACKS fsFilterCallbacks;

RtlZeroMemory(&fsFilterCallbacks, sizeof(FS_FILTER_CALLBACKS));
fsFilterCallbacks.SizeOfFsFilterCallbacks = sizeof(fsFilterCallbacks);
// MyPreAcquireForSectionSynchronization has the PFS_FILTER_CALLBACK signature
fsFilterCallbacks.PreAcquireForSectionSynchronization = MyPreAcquireForSectionSynchronization;
status = FsRtlRegisterFileSystemFilterCallbacks(DriverObject, &fsFilterCallbacks);
///
Is there a difference between the two mechanisms?
Thanks for this community, it has been really helpful in learning.
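As an added example that is not part of the post above, the following user-mode C program models the deny decision the minifilter callback makes, so the policy can be exercised against constructed requests without a kernel build. The PAGE_* values and the SyncType enumeration mirror the Windows SDK/WDK definitions; the request struct, deny list, verdict enum and the `decide_section_request` function are assumptions made for this model. It generalizes the post's check in one way: it treats any of the four execute protections as an execute mapping, while the post tests only the PAGE_EXECUTE bit, and it passes requests with no file object down unchanged.

```c
#include <assert.h>
#include <stddef.h>
#include <stdio.h>
#include <wchar.h>
#include <wctype.h>

/* Page protection values as defined in the Windows headers (mirrored here for user mode). */
#define PAGE_READONLY           0x02
#define PAGE_EXECUTE            0x10
#define PAGE_EXECUTE_READ       0x20
#define PAGE_EXECUTE_READWRITE  0x40
#define PAGE_EXECUTE_WRITECOPY  0x80

/* Mirror of FS_FILTER_SECTION_SYNC_TYPE. */
typedef enum { SyncTypeOther = 0, SyncTypeCreateSection = 1 } SECTION_SYNC_TYPE;

/* Modelled verdicts: pass the request down (FLT_PREOP_SUCCESS_NO_CALLBACK)
   or complete it with STATUS_ACCESS_DENIED (FLT_PREOP_COMPLETE). */
typedef enum { VERDICT_PASS_DOWN = 0, VERDICT_DENY = 1 } VERDICT;

/* Constructed stand-in for Data->Iopb->Parameters.AcquireForSectionSynchronization
   plus the FileObject->FileName the callback compares against. */
typedef struct {
    SECTION_SYNC_TYPE sync_type;
    unsigned long page_protection;
    const wchar_t *file_name;   /* volume-relative path, NULL models a missing FileObject */
} SECTION_REQUEST;

/* Deny list, constructed for this model (same path the post denies). */
static const wchar_t *DENY_LIST[] = {
    L"\\Windows\\System32\\calc.exe",
};

/* Case-insensitive comparison, the role RtlCompareUnicodeString(..., TRUE) plays in the post. */
static int wcs_equal_ci(const wchar_t *a, const wchar_t *b)
{
    for (; *a && *b; ++a, ++b) {
        if (towlower(*a) != towlower(*b)) return 0;
    }
    return *a == 0 && *b == 0;
}

/* True if the requested protection allows execution; covers all four execute variants. */
static int is_execute_protection(unsigned long prot)
{
    return (prot & (PAGE_EXECUTE | PAGE_EXECUTE_READ |
                    PAGE_EXECUTE_READWRITE | PAGE_EXECUTE_WRITECOPY)) != 0;
}

/* The decision the pre-operation callback makes for IRP_MJ_ACQUIRE_FOR_SECTION_SYNCHRONIZATION. */
VERDICT decide_section_request(const SECTION_REQUEST *req)
{
    if (req->sync_type != SyncTypeCreateSection) return VERDICT_PASS_DOWN;   /* not a section creation */
    if (!is_execute_protection(req->page_protection)) return VERDICT_PASS_DOWN; /* data mapping, not an image */
    if (req->file_name == NULL) return VERDICT_PASS_DOWN;                    /* nothing to match on */
    for (size_t i = 0; i < sizeof DENY_LIST / sizeof DENY_LIST[0]; ++i) {
        if (wcs_equal_ci(DENY_LIST[i], req->file_name)) return VERDICT_DENY;
    }
    return VERDICT_PASS_DOWN;
}

int main(void)
{
    /* Constructed requests covering the interesting cases. */
    const SECTION_REQUEST samples[] = {
        { SyncTypeCreateSection, PAGE_EXECUTE,      L"\\Windows\\System32\\calc.exe" },
        { SyncTypeCreateSection, PAGE_EXECUTE_READ, L"\\WINDOWS\\system32\\CALC.EXE" },
        { SyncTypeCreateSection, PAGE_READONLY,     L"\\Windows\\System32\\calc.exe" },
        { SyncTypeOther,         PAGE_EXECUTE,      L"\\Windows\\System32\\calc.exe" },
        { SyncTypeCreateSection, PAGE_EXECUTE,      L"\\Windows\\System32\\notepad.exe" },
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; ++i) {
        VERDICT v = decide_section_request(&samples[i]);
        printf("%-36ls sync=%d prot=0x%02lx -> %s\n", samples[i].file_name,
               (int)samples[i].sync_type, samples[i].page_protection,
               v == VERDICT_DENY ? "DENY" : "pass down");
    }
    return 0;
}
```

The point of separating `decide_section_request` from the filter plumbing is that the policy (which sync type, which protections, how names are matched) can be tested in user mode; only the thin callback that extracts the parameters and maps the verdict to `FLT_PREOP_COMPLETE` or `FLT_PREOP_SUCCESS_NO_CALLBACK` has to live in the driver.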