There are a number of challenges here. First, think about the problem of a
program that just opened the file EXCLUSIVE: you then pass the file name to
the user mode application and it of course cannot open the file.

You may want to look at having the driver give support to the user mode
application. A simple model is: if the file is being opened so it can be
read, then pass it to the user mode application for the check. Cases where it
cannot be read, either where the permissions are not correct or the call
caused the file to be overwritten, are handled specially. When the user mode
application gets the file name, it also gets a token it can use to call back
to the file system driver to read data from the file. The token can be
as simple as an unsigned integer identifying the file in question.

Another question on your design: is your user mode application checked for
on opens? If not, there is a deadlock, since notepad opens the file, then
your filter calls your user mode application, which opens the file and is
waiting on the completion of the open, but your filter is sending a message
that a user mode app (in this case yours) is opening the file, so it is
blocking till you service it!
Don Burn
Windows Filesystem and Driver Consulting
Website: http://www.windrvr.com
Blog: http://msmvps.com/blogs/WinDrvr
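
The per-open decision discussed in this thread, modeled as plain user-mode C: opens made by the scanner process itself are exempted so the filter never waits on the process it is calling, and files already in a cache of the last N files blessed by the user-mode app are not reported again. This is an added example, not code from the Scanner sample or from either poster; every name, N = 4, the sample PID and the invalidate-on-write step are assumptions.

```c
#include <stdint.h>
#include <string.h>

#define CACHE_SLOTS 4     /* "last N files"; N = 4 is an assumption */
#define NAME_LEN    260

typedef enum { SKIP_SCANNER_SELF, SKIP_CACHED, SEND_TO_SCANNER } decision_t;

typedef struct {
    char     names[CACHE_SLOTS][NAME_LEN]; /* empty string = free slot */
    unsigned next;                          /* ring index: oldest entry is evicted */
    uint32_t scanner_pid;                   /* PID of the user-mode scanner */
} filter_state_t;

/* Exact-match lookup; a real filter would compare normalized names. */
static int cache_find(const filter_state_t *s, const char *name) {
    for (unsigned i = 0; i < CACHE_SLOTS; i++)
        if (s->names[i][0] != '\0' && strcmp(s->names[i], name) == 0)
            return (int)i;
    return -1;
}

/* The scanner reported the file clean: remember the verdict. */
void cache_bless(filter_state_t *s, const char *name) {
    if (cache_find(s, name) >= 0) return;
    strncpy(s->names[s->next], name, NAME_LEN - 1);
    s->names[s->next][NAME_LEN - 1] = '\0';
    s->next = (s->next + 1) % CACHE_SLOTS;
}

/* Assumption beyond the thread: a write makes the old verdict stale. */
void cache_invalidate(filter_state_t *s, const char *name) {
    int i = cache_find(s, name);
    if (i >= 0) s->names[i][0] = '\0';
}

/* Decision for one open, made before any message goes to user mode. */
decision_t on_open(const filter_state_t *s, uint32_t pid, const char *name) {
    if (pid == s->scanner_pid) return SKIP_SCANNER_SELF; /* never wait on ourselves */
    if (cache_find(s, name) >= 0) return SKIP_CACHED;
    return SEND_TO_SCANNER;
}

int main(void) {
    filter_state_t s = { .scanner_pid = 4242 };  /* constructed sample PID */
    cache_bless(&s, "C:\\docs\\a.txt");
    return on_open(&s, 1000, "C:\\docs\\a.txt") == SKIP_CACHED ? 0 : 1;
}
```
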
-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of kamil someone
Sent: Sunday, April 20, 2014 9:51 AM
To: Windows File Systems Devs Interest List
Subject: Re: [ntfsd] Minifilter Scanner sample
Thanks Mr. Burn. You were right, I open it with a simple console program, and
it’s scanned just once.
Caching makes sense, I will perform it.
Can you say anything about the second question?
I want the driver to report me filenames only, I want to do all the work in
the usermode.
What is the best approach for this, get a file name from driver, scan it, if
it contains a pattern, do not allow to open it, that’s it.
The way I tried ends up with a hang. I didn’t get the problem, but I think
it’s some kind of deadlock, because it hangs in the fopen function.
If I open the file, it says access denied, because it contains the pattern,
everything works, same if I copy or move the file. But if I open a file that
doesn’t contain the pattern, write something in it, and save the file,
suddenly it hangs.
No BSOD, if I close my app (user mode app) notepad works normally.
Thanks…
20.04.2014, 17:33, “Don Burn” :
> How are you opening the file? Explorer and a number of other
> applications are notorious for opening the file multiple times,
> typically each time is to check some characteristic of the file, then
> close the handle.
>
> An approach to reduce overhead is to have a cache of the last N files
> opened and “blessed by your user space app” in the driver. If the
> file is in the cache, don’t report it.
>
> Don Burn
> Windows Filesystem and Driver Consulting
> Website: http://www.windrvr.com
> Blog: http://msmvps.com/blogs/WinDrvr
>
> -----Original Message-----
> From: xxxxx@lists.osr.com
> [mailto:xxxxx@lists.osr.com] On Behalf Of kamil someone
> Sent: Sunday, April 20, 2014 9:24 AM
> To: Windows File Systems Devs Interest List
> Subject: [ntfsd] Minifilter Scanner sample
>
> Hello guys,
>
> This minifilter catches pre-create, post-create, pre-write, pre-cleanup.
>
> * In pre-create, it checks if the requestor process is our process, if
> so, returns with FLT_PREOP_SUCCESS_NO_CALLBACK, so post is never called.
> * In post-create it calls ScannerpScanFileInUserMode which sends the
> file content (first 1024 bytes though) to user mode app.
> * In pre-write it calls FltSendMessage directly (without using
> ScannerpScanFileInUserMode). I think it sends only the delta, the
> buffer to be written.
> * In pre-cleanup it calls ScannerpScanFileInUserMode if the file was
> created with write rights.
>
> Last two callbacks are not relevant to me, I won’t register them, but
> they don’t affect my problem anyways.
>
> So I printed every ScannerpScanFileInUserMode call just before
> FltSendMessage (file content sent to user mode by this function). The
> thing is, it’s called 4 times at every file I open.
>
> I printed the file name and its content just before FltSendMessage,
> it’s same, so why user mode process scans the file 4 times but not just
> once.
>
> You can see what I mean in the picture better.
>
> http://i.imgur.com/CILs0Zt.png
>
> -------------------------------------------------
>
> Another question.
> I want to send only the file name to the user mode. So user mode app
> opens the file itself and scans the content. In pre-create, driver
> understands that it’s me opening the file, and post-create is never
> called.
> Other two callbacks are not registered already.
>
> It seems to work when I open the files, move or copy them. But if I
> open the file and save it, notepad and my user mode app hangs, if I
> close my user mode app, notepad works again.
>
> I open the file with fopen (it’s only test code), read with fread and
> close after read in user mode. It hangs at fopen function (I put
> prints before and after it). What could be the reason…
>
> I want to do most of the work at user mode, because I’m very newbie at
> driver development. That’s why I just wanted the file names from the
> driver. I think better than hooking NtCreateFile in user mode
>
> Thanks in advance.
>
> —
> NTFSD is sponsored by OSR
>
> OSR is hiring!! Info at http://www.osr.com/careers
>
> For our schedule of debugging and file system seminars visit:
> http://www.osr.com/seminars
>
> To unsubscribe, visit the List Server section of OSR Online at
> http://www.osronline.com/page.cfm?name=ListServer