Re[3]: Minifilter attach to locked volume? (Part 2)

If the InitInstance callback is NULL, the FM automatically attaches my filter to any new volumes added? If this is so, why does the MiniSpy userspace app have a command to attach to volumes? (Since it’s automatic, right?)

-Frank

------ Original Message ------
From: “PScott” >
To: “Windows File Systems Devs Interest List” >
Sent: 2/21/2017 10:14:32 AM
Subject: Re[2]: [ntfsd] Minifilter attach to locked volume? (Part 2)

That is correct. Once you register with FM, your InitInstance callback will be invoked for all currently mounted volumes as well as any new volumes introduced into the system.

Pete

Kernel Drivers
Windows File System and Device Driver Consulting
www.KernelDrivers.com
866.263.9295

------ Original Message ------
From: “Frank Rizzo” >
To: “Windows File Systems Devs Interest List” >
Sent: 2/19/2017 4:18:55 PM
Subject: Re: [ntfsd] Minifilter attach to locked volume? (Part 2)

The more I read, the more questions I have.

The minispy app has NULL for the InstanceSetupCallback inside the FLT_REGISTRATION struct that it uses. MSDN says:

“The filter manager calls this routine to allow the minifilter driver to respond to an automatic or manual attachment request. If this routine returns an error or warning NTSTATUS code, the minifilter driver instance is not attached to the given volume. Otherwise, the minifilter driver instance is attached to the given volume.”

If I am reading that correctly, there should be NO NEED for the userspace app to tell the driver to attach to a volume mounted after the minispy driver is registered with FltMgr. Is this correct?

-Frank

------ Original Message ------
From: “Frank Rizzo” >
To: “Windows File Systems Devs Interest List” >
Sent: 2/16/2017 9:39:38 PM
Subject: [ntfsd] Minifilter attach to locked volume? (Part 2)

Hey guys, sorry for going off half-cocked before. Here’s more info.

I modified the user space minispy app to allow me to kick off a monitoring thread. The thread is fairly standard, but contains this chunk of code that watches for the volume to get mounted, and then tries to mount it in a loop until it succeeds. (Yes, I know this is terrible, and should never be done in production, but this is a learning exercise.)

do {
    // Make sure the returned name fits in the buffer with room for a terminator.
    assert((FIELD_OFFSET(FILTER_VOLUME_BASIC_INFORMATION, FilterVolumeName) + volumeBuffer->FilterVolumeNameLength) <= (sizeof(buffer) - sizeof(WCHAR)));
    _Analysis_assume_((FIELD_OFFSET(FILTER_VOLUME_BASIC_INFORMATION, FilterVolumeName) + volumeBuffer->FilterVolumeNameLength) <= (sizeof(buffer) - sizeof(WCHAR)));

    // FilterVolumeName is not NUL-terminated; terminate it in place.
    volumeBuffer->FilterVolumeName[volumeBuffer->FilterVolumeNameLength / sizeof(WCHAR)] = UNICODE_NULL;

    instanceCount = IsAttachedToVolume(volumeBuffer->FilterVolumeName);

    // If this is the right one baby, (un huh)
    if (0 == _wcsnicmp(volumeBuffer->FilterVolumeName, L"\\Device\\<1st 5 of device name goes here>", 13))
    {
        printf("Found it! [%ws]\n", volumeBuffer->FilterVolumeName);

        // Retry the attach until it succeeds (learning exercise only).
        do
        {
            hResult = FilterAttach( MINISPY_NAME,
                                    volumeBuffer->FilterVolumeName,
                                    NULL, // instance name
                                    0,
                                    0);

            if (SUCCEEDED( hResult ))
            {
                printf( "Attached!\n");
            }
            else
            {
                printf( "\n Could not attach to device: 0x%08x\n", hResult );
                DisplayError( hResult );
                Sleep(100);
            }
        }
        while(!SUCCEEDED( hResult ));

        done = TRUE;
        break;
    }
} while (SUCCEEDED(hResult = FilterVolumeFindNext(volumeIterator,
                                                  FilterVolumeBasicInformation,
                                                  volumeBuffer,
                                                  sizeof(buffer) - sizeof(WCHAR), // save space to null terminate name
                                                  &volumeBytesReturned)));

When I pipe the output to a file, I get this:

Connecting to filter’s port…
Creating logging thread…

Dos Name Volume Name Status
-------------- ------------------------------------ --------
\Device\Mup
C: \Device\HarddiskVolume2
\Device\HarddiskVolume1
\Device\HarddiskVolumeShadowCopy3

Hit [Enter] to begin command mode…

> Log to file logging.txt
>Thread started!
>Found it! [\Device<devicename goes here>]

Could not attach to device: 0x80070003
The system cannot find the path specified.

(Repeats 138 times)

Could not attach to device: 0x80070005
Access is denied.

(Repeats 167 times)

(I shut down the app here)

Could not attach to device: 0x80070003
The system cannot find the path specified.

(Repeats 46 times before I can stop minispy.)

And lastly, this is what I get from the minispy log file:

Opr SeqNum PreOp Time PostOp Time Process.Thrd Major Operation Minor Operation IrpFlags DevObj FileObj Transactn status:inform Arg 1 Arg 2 Arg 3 Arg 4 Arg 5 Arg 6 Name
— ---------- ------------ ------------ ------------- ----------------------------------- ----------------------------------- --------------- ------------------ ------------------ ------------------ ----------------------------- ------------------ ------------------ ------------------ ------------------ ------------------ ---------- --------------------------------------------------
FIO 0x000002D4 13:22:09:230 13:22:10:275 588.604 IRP_MJ_VOLUME_MOUNT 0x00000000 ---- 0xFFFFFA8003F0E060 0x0000000000000000 0x0000000000000000 0xc0000013:0x0000000000000000 0x0000000000000008 0x0000000000000000 0x0000000000000000 0x0000000000000000 0x0000000000000000 0x00000000
FIO 0x000002D5 13:22:10:337 13:22:10:337 588.604 IRP_MJ_VOLUME_MOUNT 0x00000000 ---- 0xFFFFFA8006818250 0x0000000000000000 0x0000000000000000 0xc000014f:0x0000000000000000 0x0000000000000008 0x0000000000000000 0x0000000000000000 0x0000000000000000 0x0000000000000000 0x00000000
FIO 0x000002D6 13:22:10:337 13:22:10:337 588.604 IRP_MJ_VOLUME_MOUNT 0x00000000 ---- 0xFFFFFA800494BDE0 0x0000000000000000 0x0000000000000000 0x00000000:0x0000000000000000 0x0000000000000008 0x0000000000000000 0x0000000000000000 0x0000000000000000 0x0000000000000000 0x00000000
FIO 0x000002D7 13:22:19:744 13:22:19:744 990.f44 IRP_MJ_VOLUME_MOUNT 0x00000000 ---- 0xFFFFFA800401E300 0x0000000000000000 0x0000000000000000 0xc0000185:0x0000000000000000 0x0000000000000008 0x0000000000000000 0x0000000000000000 0x0000000000000000 0x0000000000000000 0x00000000
FIO 0x000002D8 13:22:19:760 13:22:19:760 990.f44 IRP_MJ_VOLUME_MOUNT 0x00000000 ---- 0xFFFFFA8003FEC630 0x0000000000000000 0x0000000000000000 0xc000014f:0x0000000000000000 0x0000000000000008 0x0000000000000000 0x0000000000000000 0x0000000000000000 0x0000000000000000 0x00000000
FIO 0x000002D9 13:22:19:760 13:22:19:760 990.f44 IRP_MJ_VOLUME_MOUNT 0x00000000 ---- 0xFFFFFA80041A1060 0x0000000000000000 0x0000000000000000 0x00000000:0x0000000000000000 0x0000000000000008 0x0000000000000000 0x0000000000000000 0x0000000000000000 0x0000000000000000 0x00000000
FIO 0x000002DA 13:22:19:775 13:22:19:838 990.f44 IRP_MJ_VOLUME_MOUNT 0x00000000 ---- 0xFFFFFA800494BDE0 0x0000000000000000 0x0000000000000000 0x00000000:0x0000000000000000 0x0000000000000008 0x0000000000000000 0x0000000000000000 0x0000000000000000 0x0000000000000000 0x00000000
FIO 0x000002DB 13:22:22:209 13:22:22:209 990.6e0 IRP_MJ_VOLUME_MOUNT 0x00000000 ---- 0xFFFFFA800497F340 0x0000000000000000 0x0000000000000000 0xc0000185:0x0000000000000000 0x0000000000000003 0x0000000000000000 0x0000000000000000 0x0000000000000000 0x0000000000000000 0x00000000
FIO 0x000002DC 13:22:22:209 13:22:22:240 990.6e0 IRP_MJ_VOLUME_MOUNT 0x00000000 ---- 0xFFFFFA8003F4E060 0x0000000000000000 0x0000000000000000 0x00000000:0x0000000000000000 0x0000000000000003 0x0000000000000000 0x0000000000000000 0x0000000000000000 0x0000000000000000 0x00000000

So, my question is. How do I get around the “Access is denied” response on the FilterAttach call? (Yes, everything is run as admin).

-Frank
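As an added example (not part of this thread or of the minispy sample), a small parser for the minispy log layout quoted above: it decodes the status:inform column into NTSTATUS names, recovers the Win32 error inside the FilterAttach HRESULTs shown in the output, and lists the device objects whose latest IRP_MJ_VOLUME_MOUNT did not succeed. The NTSTATUS and Win32 names are the standard header values for the codes that appear on this page; the sample records are copied from the log above.

```python
from collections import OrderedDict

# Standard ntstatus.h names for the mount results that appear in the log above.
NTSTATUS_NAMES = {0x00000000: "STATUS_SUCCESS", 0xC0000013: "STATUS_NO_MEDIA_IN_DEVICE",
                  0xC000014F: "STATUS_UNRECOGNIZED_VOLUME", 0xC0000185: "STATUS_IO_DEVICE_ERROR"}
# Win32 codes wrapped by the two FilterAttach HRESULTs in the output above.
WIN32_NAMES = {3: "ERROR_PATH_NOT_FOUND", 5: "ERROR_ACCESS_DENIED"}

# Three records copied from the minispy log quoted above (same column layout).
SAMPLE_LOG = """\
FIO 0x000002D4 13:22:09:230 13:22:10:275 588.604 IRP_MJ_VOLUME_MOUNT 0x00000000 ---- 0xFFFFFA8003F0E060 0x0000000000000000 0x0000000000000000 0xc0000013:0x0000000000000000 0x0000000000000008 0x0000000000000000 0x0000000000000000 0x0000000000000000 0x0000000000000000 0x00000000
FIO 0x000002D6 13:22:10:337 13:22:10:337 588.604 IRP_MJ_VOLUME_MOUNT 0x00000000 ---- 0xFFFFFA800494BDE0 0x0000000000000000 0x0000000000000000 0x00000000:0x0000000000000000 0x0000000000000008 0x0000000000000000 0x0000000000000000 0x0000000000000000 0x0000000000000000 0x00000000
FIO 0x000002DA 13:22:19:775 13:22:19:838 990.f44 IRP_MJ_VOLUME_MOUNT 0x00000000 ---- 0xFFFFFA800494BDE0 0x0000000000000000 0x0000000000000000 0x00000000:0x0000000000000000 0x0000000000000008 0x0000000000000000 0x0000000000000000 0x0000000000000000 0x0000000000000000 0x00000000
"""

def parse_minispy_line(line):
    """Split one minispy record into its whitespace-separated columns:
    Opr SeqNum PreOp PostOp Process.Thrd Major Minor IrpFlags DevObj FileObj Transactn status:inform ...
    Header and separator lines return None."""
    f = line.split()
    if len(f) < 12 or not f[1].startswith("0x") or ":" not in f[11]:
        return None
    status, inform = f[11].split(":")
    return {"seq": int(f[1], 16), "pre": f[2], "post": f[3], "proc_thrd": f[4],
            "major": f[5], "devobj": f[8], "status": int(status, 16), "inform": int(inform, 16)}

def status_name(code):
    # Severity is the top two bits of an NTSTATUS: 0 success, 1 informational, 2 warning, 3 error.
    sev = ("success", "informational", "warning", "error")[(code >> 30) & 3]
    return NTSTATUS_NAMES.get(code, "0x%08X (%s)" % (code, sev))

def decode_hresult(hr):
    """Recover the Win32 error inside an HRESULT such as 0x80070003: when the
    facility field (bits 16-28) is 7 (FACILITY_WIN32), the low 16 bits are the code."""
    if hr & 0x80000000 and (hr >> 16) & 0x1FFF == 7:
        code = hr & 0xFFFF
        return code, WIN32_NAMES.get(code, "WIN32_ERROR_%d" % code)
    return None, "not a FACILITY_WIN32 HRESULT"

def mount_history(log_text):
    """Ordered IRP_MJ_VOLUME_MOUNT results per device object. A device whose latest
    mount failed has no file system volume for a minifilter instance to attach to."""
    hist = OrderedDict()
    for line in log_text.splitlines():
        rec = parse_minispy_line(line)
        if rec and rec["major"] == "IRP_MJ_VOLUME_MOUNT":
            hist.setdefault(rec["devobj"], []).append(status_name(rec["status"]))
    return hist

def unmounted_devices(log_text):
    """Device objects whose most recent mount attempt did not return STATUS_SUCCESS."""
    return [d for d, h in mount_history(log_text).items() if h[-1] != "STATUS_SUCCESS"]
```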

------ Original Message ------
From: “Gabriel Bercea” >
To: “Windows File Systems Devs Interest List” >
Sent: 2/6/2017 12:55:01 AM
Subject: Re: [ntfsd] Minifilter attach to locked volume?

"You are not able to attach to it" is not enough information.
What is the error you are getting?
Are you not notified for instance setup?
You have to give us a little more to go on.

Gabriel.
www.kasardia.com

On Mon, Feb 6, 2017 at 7:57 AM, > wrote:
Hey guys, I’m tinkering with the minispy sample app from MS.

If I have a locked volume, I am unable to attach to it. But, running Procmon, or filespy, I can see AVG & MS Security Essentials attaching to it, and checking files on it.

What gives? What am I missing?

-Frank


NTFSD is sponsored by OSR

MONTHLY seminars on crash dump analysis, WDF, Windows internals and software drivers!
Details at http:

To unsubscribe, visit the List Server section of OSR Online at http:


Bercea. G.
