Minifilter to strip out Files or Folders

Hi, I have been playing with the minispy sample application from Microsoft, and whilst it's starting to make a whole lot more sense I am still like a fish out of water!
Can anyone give me any pointers how I would go about removing folders from a folder on opening?

I.e. a user opens c:\patha, which contains folderA and folderB; I want to hide folderB.
Does this need to be a PostOperationCallback on an IRP_MJ_CREATE operation?
Any pointers would be much appreciated.

Thank you in advance!

You would process the directory enumeration post callback, removing the
entry from the listing. This will prevent the entry from being
discovered, though if it is still known by someone they can still open it,
so you would prevent opening in precreate and fail with not_found, or
similar.

Pete


Kernel Drivers
Windows File System and Device Driver Consulting
www.KernelDrivers.com
866.263.9295

------ Original Message ------
From: “xxxxx@gmail.com”
To: “Windows File Systems Devs Interest List”
Sent: 9/25/2017 4:47:37 AM
Subject: [ntfsd] Minifilter to strip out Files or Folders

>Hi, I have been playing with the minispy sample application from
>Microsoft, and whilst it's starting to make a whole lot more sense I am
>still like a fish out of water!
>Can anyone give me any pointers how I would go about removing folders
>from a folder on opening?
>
>I.e. a user opens c:\patha, which contains folderA and folderB; I want to
>hide folderB.
>Does this need to be a PostOperationCallback on an IRP_MJ_CREATE
>operation?
>Any pointers would be much appreciated.
>
>Thank you in advance!

Just to add to what Pete said, in IRP_MJ_DIRECTORY_CONTROL you’ll need to at
least handle queries for:

FileDirectoryInformation
FileFullDirectoryInformation
FileIdFullDirectoryInformation
FileNamesInformation
FileBothDirectoryInformation
FileIdBothDirectoryInformation

In IRP_MJ_CREATE you’ll need to fail attempts to open or create the paths
you want to hide. You’ll also want to fail attempts to open/create
files/directories under the paths. How you fail these will depend on the
behavior you want. For example, under normal circumstances if “c:\path” DOES
NOT exist you get the following behaviors:

* Attempt to open “c:\path” == STATUS_OBJECT_NAME_NOT_FOUND

* Attempt to create “c:\path” == STATUS_SUCCESS if you have add child access
to "c:", STATUS_ACCESS_DENIED otherwise (there are more errors, but these
would be common)

* Attempt to open “c:\path\foo.txt” == STATUS_OBJECT_PATH_NOT_FOUND

* Attempt to create “c:\path\foo.txt” == STATUS_OBJECT_PATH_NOT_FOUND

You need to decide if you want to mirror this behavior in your filter or
provide different behavior (e.g. just always return STATUS_ACCESS_DENIED).
Be prepared that you’re probably going to have application compatibility
problems either way.

You’ll also need to police rename operations so that someone doesn’t rename
into/out of a hidden location. You’ll also need to police hard link
operations so that someone doesn’t create an alternate path to a hidden
location.

Also, don’t forget about short and long names. So, if you’re trying to hide
“THIS IS A LONG FOLDER” then someone might try to open “THISIS~1”.

I don’t mean for the above to be an exhaustive list, just noting some things
you’ll need to start thinking about and dealing with.

-scott
OSR
@OSRDrivers
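
An added example, not part of the thread or of any poster's driver: a user-mode C sketch of the pre-create decision described above, returning the status codes listed for a path that does not exist and matching both the long name and its 8.3 alias. The `hidden_dirs` table, the function names, and the choice of STATUS_ACCESS_DENIED for a create on the hidden path itself are assumptions; a real filter would compare the normalized name it gets from the filter manager rather than ASCII strings.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>

/* NTSTATUS values from ntstatus.h, redefined so the sketch builds in user mode. */
#define ST_SUCCESS               0x00000000u
#define ST_ACCESS_DENIED         0xC0000022u
#define ST_OBJECT_NAME_NOT_FOUND 0xC0000034u
#define ST_OBJECT_PATH_NOT_FOUND 0xC000003Au

/* Constructed policy: the long name and its 8.3 alias must both be listed. */
static const char *const hidden_dirs[] = {
    "c:\\this is a long folder",
    "c:\\thisis~1",
};

enum rel { REL_NONE, REL_EXACT, REL_BENEATH };

/* Compare whole path components, ASCII case-insensitively, so that
 * "c:\thisis~10" is not treated as the hidden "c:\thisis~1". */
static enum rel classify(const char *path, const char *hidden)
{
    size_t i = 0;
    for (; hidden[i] != '\0'; i++)
        if (tolower((unsigned char)path[i]) != tolower((unsigned char)hidden[i]))
            return REL_NONE;               /* also covers path being shorter */
    if (path[i] == '\0') return REL_EXACT;
    if (path[i] != '\\') return REL_NONE;  /* same prefix, different component */
    return path[i + 1] == '\0' ? REL_EXACT : REL_BENEATH;
}

/* Status a pre-create callback would complete the request with;
 * ST_SUCCESS here means "not hidden, pass the request down". */
static uint32_t precreate_status(const char *path, int is_create)
{
    for (size_t k = 0; k < sizeof hidden_dirs / sizeof hidden_dirs[0]; k++) {
        switch (classify(path, hidden_dirs[k])) {
        case REL_BENEATH: return ST_OBJECT_PATH_NOT_FOUND;
        case REL_EXACT:   /* create: assumed choice; open: mirrors a missing name */
            return is_create ? ST_ACCESS_DENIED : ST_OBJECT_NAME_NOT_FOUND;
        default: break;
        }
    }
    return ST_SUCCESS;
}

int main(void)
{
    printf("%08x\n", (unsigned)precreate_status("C:\\THISIS~1\\foo.txt", 0));
    return 0;
}
```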

Thank you very much for your assistance thus far, I will try and progress as much as I can, I really appreciate all the guidance!