Hey guys, sorry for going off half-cocked before. Here’s more info.
I modified the user space minispy app to allow me to kick off a monitoring thread. The thread is fairly standard, but contains this chunk of code that watches for the volume to get mounted, and then tries to mount it in a loop until it succeeds. (Yes, I know this is terrible, and should never be done in production, but this is a learning exercise.)
do {
    assert((FIELD_OFFSET(FILTER_VOLUME_BASIC_INFORMATION, FilterVolumeName) + volumeBuffer->FilterVolumeNameLength) <= (sizeof(buffer) - sizeof(WCHAR)));
    _Analysis_assume_((FIELD_OFFSET(FILTER_VOLUME_BASIC_INFORMATION, FilterVolumeName) + volumeBuffer->FilterVolumeNameLength) <= (sizeof(buffer) - sizeof(WCHAR)));

    // Null-terminate the volume name; the enumeration below reserves one WCHAR for it
    volumeBuffer->FilterVolumeName[volumeBuffer->FilterVolumeNameLength / sizeof(WCHAR)] = UNICODE_NULL;

    instanceCount = IsAttachedToVolume(volumeBuffer->FilterVolumeName);

    // If this is the right one baby, (un huh)
    // Backslashes must be escaped in the literal; 13 = wcslen(L"\\Device\\") + the first 5 characters of the device name
    if (0 == _wcsnicmp(volumeBuffer->FilterVolumeName, L"\\Device\\<1st 5 of device name goes here>", 13))
    {
        printf("Found it! [%ws]\n", volumeBuffer->FilterVolumeName);

        // Keep retrying the attach until it succeeds
        do
        {
            hResult = FilterAttach(MINISPY_NAME,
                                   volumeBuffer->FilterVolumeName,
                                   NULL,   // instance name
                                   0,
                                   0);
            if (SUCCEEDED(hResult))
            {
                printf("Attached!\n");
            }
            else
            {
                printf("\n Could not attach to device: 0x%08x\n", hResult);
                DisplayError(hResult);
                Sleep(100);
            }
        }
        while (!SUCCEEDED(hResult));

        done = TRUE;
        break;
    }
} while (SUCCEEDED(hResult = FilterVolumeFindNext(volumeIterator,
                                                  FilterVolumeBasicInformation,
                                                  volumeBuffer,
                                                  sizeof(buffer) - sizeof(WCHAR), // save space to null terminate name
                                                  &volumeBytesReturned)));
When I pipe the output to a file, I get this:
Connecting to filter’s port…
Creating logging thread…
Dos Name   Volume Name                        Status
           \Device\Mup
C:         \Device\HarddiskVolume2
           \Device\HarddiskVolume1
           \Device\HarddiskVolumeShadowCopy3
Hit [Enter] to begin command mode…
Log to file logging.txt
Thread started!
Found it! [\Device\<devicename goes here>]
Could not attach to device: 0x80070003
The system cannot find the path specified.
(Repeats 138 times)
Could not attach to device: 0x80070005
Access is denied.
(Repeats 167 times)
(I shut down the app here)
Could not attach to device: 0x80070003
The system cannot find the path specified.
(Repeats 46 times before I can stop minispy.)
And lastly, this is what I get from the minispy log file:
Opr SeqNum PreOp Time PostOp Time Process.Thrd Major Operation Minor Operation IrpFlags DevObj FileObj Transactn status:inform Arg 1 Arg 2 Arg 3 Arg 4 Arg 5 Arg 6 Name
--- ---------- ------------ ------------ ------------- ----------------------------------- ----------------------------------- --------------- ------------------ ------------------ ------------------ ----------------------------- ------------------ ------------------ ------------------ ------------------ ------------------ ---------- --------------------------------------------------
FIO 0x000002D4 13:22:09:230 13:22:10:275 588.604 IRP_MJ_VOLUME_MOUNT 0x00000000 ---- 0xFFFFFA8003F0E060 0x0000000000000000 0x0000000000000000 0xc0000013:0x0000000000000000 0x0000000000000008 0x0000000000000000 0x0000000000000000 0x0000000000000000 0x0000000000000000 0x00000000
FIO 0x000002D5 13:22:10:337 13:22:10:337 588.604 IRP_MJ_VOLUME_MOUNT 0x00000000 ---- 0xFFFFFA8006818250 0x0000000000000000 0x0000000000000000 0xc000014f:0x0000000000000000 0x0000000000000008 0x0000000000000000 0x0000000000000000 0x0000000000000000 0x0000000000000000 0x00000000
FIO 0x000002D6 13:22:10:337 13:22:10:337 588.604 IRP_MJ_VOLUME_MOUNT 0x00000000 ---- 0xFFFFFA800494BDE0 0x0000000000000000 0x0000000000000000 0x00000000:0x0000000000000000 0x0000000000000008 0x0000000000000000 0x0000000000000000 0x0000000000000000 0x0000000000000000 0x00000000
FIO 0x000002D7 13:22:19:744 13:22:19:744 990.f44 IRP_MJ_VOLUME_MOUNT 0x00000000 ---- 0xFFFFFA800401E300 0x0000000000000000 0x0000000000000000 0xc0000185:0x0000000000000000 0x0000000000000008 0x0000000000000000 0x0000000000000000 0x0000000000000000 0x0000000000000000 0x00000000
FIO 0x000002D8 13:22:19:760 13:22:19:760 990.f44 IRP_MJ_VOLUME_MOUNT 0x00000000 ---- 0xFFFFFA8003FEC630 0x0000000000000000 0x0000000000000000 0xc000014f:0x0000000000000000 0x0000000000000008 0x0000000000000000 0x0000000000000000 0x0000000000000000 0x0000000000000000 0x00000000
FIO 0x000002D9 13:22:19:760 13:22:19:760 990.f44 IRP_MJ_VOLUME_MOUNT 0x00000000 ---- 0xFFFFFA80041A1060 0x0000000000000000 0x0000000000000000 0x00000000:0x0000000000000000 0x0000000000000008 0x0000000000000000 0x0000000000000000 0x0000000000000000 0x0000000000000000 0x00000000
FIO 0x000002DA 13:22:19:775 13:22:19:838 990.f44 IRP_MJ_VOLUME_MOUNT 0x00000000 ---- 0xFFFFFA800494BDE0 0x0000000000000000 0x0000000000000000 0x00000000:0x0000000000000000 0x0000000000000008 0x0000000000000000 0x0000000000000000 0x0000000000000000 0x0000000000000000 0x00000000
FIO 0x000002DB 13:22:22:209 13:22:22:209 990.6e0 IRP_MJ_VOLUME_MOUNT 0x00000000 ---- 0xFFFFFA800497F340 0x0000000000000000 0x0000000000000000 0xc0000185:0x0000000000000000 0x0000000000000003 0x0000000000000000 0x0000000000000000 0x0000000000000000 0x0000000000000000 0x00000000
FIO 0x000002DC 13:22:22:209 13:22:22:240 990.6e0 IRP_MJ_VOLUME_MOUNT 0x00000000 ---- 0xFFFFFA8003F4E060 0x0000000000000000 0x0000000000000000 0x00000000:0x0000000000000000 0x0000000000000003 0x0000000000000000 0x0000000000000000 0x0000000000000000 0x0000000000000000 0x00000000
So, my question is: how do I get around the “Access is denied” response on the FilterAttach call? (Yes, everything is run as admin.)
-Frank
------ Original Message ------
From: “Gabriel Bercea”
To: “Windows File Systems Devs Interest List”
Sent: 2/6/2017 12:55:01 AM
Subject: Re: [ntfsd] Minifilter attach to locked volume?
“You are not able to attach to it” is not enough information.
What is the error you are getting ?
Are you not notified for instance setup ?
You have to give us a little more to go on.
Gabriel.
www.kasardia.com
On Mon, Feb 6, 2017 at 7:57 AM, > wrote:
Hey guys, I’m tinkering with the minispy sample app from MS.
If I have a locked volume, I am unable to attach to it. But, running Procmon, or filespy, I can see AVG & MS Security Essentials attaching to it, and checking files on it.
What gives? What am I missing?
-Frank
—
NTFSD is sponsored by OSR
MONTHLY seminars on crash dump analysis, WDF, Windows internals and software drivers!
Details at http:
To unsubscribe, visit the List Server section of OSR Online at http:
–
Bercea. G.
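To make the diagnostics in the thread easier to read, here is an added example (my code, not Frank's modified minispy and not the Microsoft sample) that parses IRP_MJ_VOLUME_MOUNT records out of the minispy log format shown above and decodes the two HRESULTs the retry loop prints. The NTSTATUS names (STATUS_NO_MEDIA_IN_DEVICE, STATUS_UNRECOGNIZED_VOLUME, STATUS_IO_DEVICE_ERROR) and the HRESULT_FROM_WIN32 layout (severity bit, FACILITY_WIN32 = 7, Win32 code in the low 16 bits) are standard Windows definitions; the column indices are taken from the log header on the page, and the sample lines are the page's own log records trimmed to their first twelve columns. A minifilter instance attaches to a file system's volume device, so a mount that ends in STATUS_UNRECOGNIZED_VOLUME leaves nothing to attach to; separating those records from the successful mounts is the first thing to check before retrying FilterAttach.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>

/* One IRP_MJ_VOLUME_MOUNT record extracted from a minispy log line. */
typedef struct {
    char     proc_thread[16];  /* "Process.Thrd" column, e.g. "588.604" */
    char     dev_obj[24];      /* "DevObj" column, e.g. "0xFFFFFA8003F0E060" */
    uint32_t status;           /* NTSTATUS half of the "status:inform" column */
} MountRecord;

/* Names for the NTSTATUS values that occur in the log above. */
const char *ntstatus_name(uint32_t status)
{
    switch (status) {
    case 0x00000000u: return "STATUS_SUCCESS";
    case 0xC0000013u: return "STATUS_NO_MEDIA_IN_DEVICE";
    case 0xC000014Fu: return "STATUS_UNRECOGNIZED_VOLUME";
    case 0xC0000185u: return "STATUS_IO_DEVICE_ERROR";
    default:          return "UNKNOWN_NTSTATUS";
    }
}

/* Reverse of HRESULT_FROM_WIN32: for a failed HRESULT whose facility is
 * FACILITY_WIN32 (7), return the Win32 error in the low 16 bits, else -1. */
int hresult_to_win32(uint32_t hr)
{
    if ((hr & 0x80000000u) == 0) return -1;        /* not a failure HRESULT */
    if (((hr >> 16) & 0x1FFFu) != 7) return -1;    /* not FACILITY_WIN32 */
    return (int)(hr & 0xFFFFu);
}

const char *win32_error_name(int code)
{
    switch (code) {
    case 3:  return "ERROR_PATH_NOT_FOUND";
    case 5:  return "ERROR_ACCESS_DENIED";
    default: return "OTHER_WIN32_ERROR";
    }
}

/* Parse one whitespace-separated minispy log line. Column order (0-based) per the
 * header on the page: 0 Opr, 1 SeqNum, 2 PreOp, 3 PostOp, 4 Process.Thrd, 5 Major,
 * 6 Minor, 7 IrpFlags, 8 DevObj, 9 FileObj, 10 Transactn, 11 status:inform.
 * Returns 1 and fills *out for IRP_MJ_VOLUME_MOUNT lines, 0 for anything else
 * (header, separator, other operations, truncated lines). */
int parse_mount_line(const char *line, MountRecord *out)
{
    char buf[512];
    char *fields[12];
    int n = 0;

    strncpy(buf, line, sizeof buf - 1);
    buf[sizeof buf - 1] = '\0';
    for (char *tok = strtok(buf, " \t\r\n"); tok && n < 12; tok = strtok(NULL, " \t\r\n"))
        fields[n++] = tok;
    if (n < 12) return 0;
    if (strcmp(fields[5], "IRP_MJ_VOLUME_MOUNT") != 0) return 0;

    snprintf(out->proc_thread, sizeof out->proc_thread, "%s", fields[4]);
    snprintf(out->dev_obj, sizeof out->dev_obj, "%s", fields[8]);
    out->status = (uint32_t)strtoul(fields[11], NULL, 16); /* base 16 stops at ':' */
    return 1;
}

/* Count successful and failed mounts in a batch of lines; returns records seen. */
int summarize_mounts(const char *const *lines, int count, int *ok, int *failed)
{
    MountRecord r;
    int seen = 0;
    *ok = *failed = 0;
    for (int i = 0; i < count; i++) {
        if (!parse_mount_line(lines[i], &r)) continue;
        seen++;
        if (r.status == 0) (*ok)++; else (*failed)++;
    }
    return seen;
}

/* Sample input: the page's log records, trimmed to the first 12 columns. */
static const char *const SAMPLE_LOG[] = {
    "FIO 0x000002D4 13:22:09:230 13:22:10:275 588.604 IRP_MJ_VOLUME_MOUNT 0x00000000 ---- 0xFFFFFA8003F0E060 0x0000000000000000 0x0000000000000000 0xc0000013:0x0000000000000000",
    "FIO 0x000002D5 13:22:10:337 13:22:10:337 588.604 IRP_MJ_VOLUME_MOUNT 0x00000000 ---- 0xFFFFFA8006818250 0x0000000000000000 0x0000000000000000 0xc000014f:0x0000000000000000",
    "FIO 0x000002D6 13:22:10:337 13:22:10:337 588.604 IRP_MJ_VOLUME_MOUNT 0x00000000 ---- 0xFFFFFA800494BDE0 0x0000000000000000 0x0000000000000000 0x00000000:0x0000000000000000",
    "FIO 0x000002D7 13:22:19:744 13:22:19:744 990.f44 IRP_MJ_VOLUME_MOUNT 0x00000000 ---- 0xFFFFFA800401E300 0x0000000000000000 0x0000000000000000 0xc0000185:0x0000000000000000",
    "FIO 0x000002D8 13:22:19:760 13:22:19:760 990.f44 IRP_MJ_VOLUME_MOUNT 0x00000000 ---- 0xFFFFFA8003FEC630 0x0000000000000000 0x0000000000000000 0xc000014f:0x0000000000000000",
    "FIO 0x000002D9 13:22:19:760 13:22:19:760 990.f44 IRP_MJ_VOLUME_MOUNT 0x00000000 ---- 0xFFFFFA80041A1060 0x0000000000000000 0x0000000000000000 0x00000000:0x0000000000000000",
    "FIO 0x000002DA 13:22:19:775 13:22:19:838 990.f44 IRP_MJ_VOLUME_MOUNT 0x00000000 ---- 0xFFFFFA800494BDE0 0x0000000000000000 0x0000000000000000 0x00000000:0x0000000000000000",
    "FIO 0x000002DB 13:22:22:209 13:22:22:209 990.6e0 IRP_MJ_VOLUME_MOUNT 0x00000000 ---- 0xFFFFFA800497F340 0x0000000000000000 0x0000000000000000 0xc0000185:0x0000000000000000",
    "FIO 0x000002DC 13:22:22:209 13:22:22:240 990.6e0 IRP_MJ_VOLUME_MOUNT 0x00000000 ---- 0xFFFFFA8003F4E060 0x0000000000000000 0x0000000000000000 0x00000000:0x0000000000000000",
};

int main(void)
{
    int ok, failed, count = (int)(sizeof SAMPLE_LOG / sizeof SAMPLE_LOG[0]);
    MountRecord r;
    int seen = summarize_mounts(SAMPLE_LOG, count, &ok, &failed);
    printf("%d mount records: %d succeeded, %d failed\n", seen, ok, failed);
    for (int i = 0; i < count; i++)
        if (parse_mount_line(SAMPLE_LOG[i], &r))
            printf("  %-8s %s -> 0x%08X %s\n", r.proc_thread, r.dev_obj, r.status, ntstatus_name(r.status));
    /* The two HRESULTs printed by the user-mode retry loop */
    uint32_t hrs[] = { 0x80070003u, 0x80070005u };
    for (int i = 0; i < 2; i++)
        printf("FilterAttach 0x%08X -> Win32 %d (%s)\n", hrs[i],
               hresult_to_win32(hrs[i]), win32_error_name(hresult_to_win32(hrs[i])));
    return 0;
}
```

Run against the page's records it reports four successful mounts and five failures, and decodes 0x80070003 and 0x80070005 to ERROR_PATH_NOT_FOUND and ERROR_ACCESS_DENIED. Feeding a full minispy log through `parse_mount_line` line by line and grouping by DevObj shows which device objects actually reached a successful mount, which is the set FilterAttach can meaningfully target.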