FS_FILTER_CALLBACKS via Mini-Filters

I am fairly new to actually writing file system related code,
though I have been doing a fair bit of studying for some time on the subject to get started.

Here is a piece of code to deny a process by capturing the acquire-for-section-synchronization callback.
This seems to work fine and denies when I launch calc.exe for testing purposes.

ref: https://www.osronline.com/showThread.CFM?link=141439

FLT_PREOP_CALLBACK_STATUS
FsFilterPreOperation(
    _Inout_ PFLT_CALLBACK_DATA Data,
    _In_ PCFLT_RELATED_OBJECTS FltObjects,
    _Flt_CompletionContext_Outptr_ PVOID *CompletionContext
    )
{
    UNREFERENCED_PARAMETER(CompletionContext);
    ///

    if (Data->Iopb->MajorFunction == IRP_MJ_ACQUIRE_FOR_SECTION_SYNCHRONIZATION)
    {
        UNICODE_STRING deny_proc_name;
        // Backslashes have to be escaped inside a C string literal.
        RtlInitUnicodeString(&deny_proc_name, L"\\Windows\\System32\\calc.exe");
        FS_FILTER_SECTION_SYNC_TYPE SyncType = Data->Iopb->Parameters.AcquireForSectionSynchronization.SyncType;
        ULONG PageProtection = Data->Iopb->Parameters.AcquireForSectionSynchronization.PageProtection;
        // Only a section being created with execute protection, i.e. an image mapped for execution.
        if (SyncType == SyncTypeCreateSection && (PageProtection & PAGE_EXECUTE))
        {
            if (FltObjects && FltObjects->FileObject)
            {
                // Case-insensitive compare against the volume-relative name held in the file object.
                if (RtlCompareUnicodeString(&deny_proc_name, &FltObjects->FileObject->FileName, TRUE) == 0)
                {
                    Data->IoStatus.Status = STATUS_ACCESS_DENIED;
                    Data->IoStatus.Information = 0;
                    // Completes the operation here: the I/O is never sent down the stack to the
                    // file system, so it fails right away.
                    return FLT_PREOP_COMPLETE;
                }
            }
        }
    }

    ///
    return FLT_PREOP_SUCCESS_NO_CALLBACK;
}

I also tried to register FS_FILTER_CALLBACKS in my DriverEntry.
The registration call succeeds without any problem, but I don't get any callbacks via this mechanism.
Is it expected not to get called in the case of a mini-filter (does it work only for legacy filters)?

I had followed some previous forum links, where it was suggested that
process execution could be denied in the very initial phase via PreAcquireForSectionSynchronization.

///
FS_FILTER_CALLBACKS fsFilterCallbacks;
NTSTATUS status;

RtlZeroMemory(&fsFilterCallbacks, sizeof(FS_FILTER_CALLBACKS));
fsFilterCallbacks.SizeOfFsFilterCallbacks = sizeof(fsFilterCallbacks);
// MyPreAcquireForSectionSynchronization is a PFS_FILTER_CALLBACK defined elsewhere in the driver.
fsFilterCallbacks.PreAcquireForSectionSynchronization = MyPreAcquireForSectionSynchronization;
// DriverObject is the PDRIVER_OBJECT handed to DriverEntry.
status = FsRtlRegisterFileSystemFilterCallbacks(DriverObject, &fsFilterCallbacks);
///

Is there a difference between the two mechanisms?

Thanks for this community, it has been really helpful in learning.

FsRtlRegisterFileSystemFilterCallbacks is only for legacy file system filters (and file systems, if they so choose). Filter Manager provides its own abstractions for these callbacks in the form of pseudo IRP operations (e.g. IRP_MJ_ACQUIRE_FOR_SECTION_SYNCHRONIZATION).

-scott
OSR
@OSRDrivers

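As an added illustration, not code from the original post or from OSR, here is the decision that the IRP_MJ_ACQUIRE_FOR_SECTION_SYNCHRONIZATION pre-operation makes, pulled out into a user-mode C program so it compiles and runs without the WDK. It generalizes the post's check in two ways: it treats every PAGE_EXECUTE* protection as execute rather than only PAGE_EXECUTE, and it matches the deny entry as a suffix of a normalized name of the form `\Device\HarddiskVolumeN\...` (what FltGetFileNameInformation returns) instead of comparing FileObject->FileName whole. The PAGE_* values and the FS_FILTER_SECTION_SYNC_TYPE enum are redefined with their SDK values; the deny list, the function names and the sample paths are constructed for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <wchar.h>
#include <wctype.h>

/* Page protection values as defined in the Windows SDK (winnt.h); redefined
 * here so the decision logic compiles and runs outside the kernel. */
#define PAGE_READONLY           0x02u
#define PAGE_READWRITE          0x04u
#define PAGE_EXECUTE            0x10u
#define PAGE_EXECUTE_READ       0x20u
#define PAGE_EXECUTE_READWRITE  0x40u
#define PAGE_EXECUTE_WRITECOPY  0x80u

/* Every protection that grants execute. The post tests only PAGE_EXECUTE,
 * which is the protection image sections are created with; this mask also
 * catches a section created with one of the other execute variants. */
#define ANY_EXECUTE (PAGE_EXECUTE | PAGE_EXECUTE_READ | PAGE_EXECUTE_READWRITE | PAGE_EXECUTE_WRITECOPY)

/* Same values as FS_FILTER_SECTION_SYNC_TYPE in ntifs.h / fltKernel.h. */
typedef enum { SyncTypeOther = 0, SyncTypeCreateSection = 1 } FS_FILTER_SECTION_SYNC_TYPE;

/* Hypothetical deny list (constructed for this example). Entries are
 * volume-relative and anchored with a leading backslash, so they are matched
 * as a whole trailing path component sequence of the normalized name. */
static const wchar_t *const DenyList[] = {
    L"\\Windows\\System32\\calc.exe",
    L"\\Windows\\System32\\notepad.exe",
};

/* Case-insensitive check that `path` ends with `suffix`. Because `suffix`
 * starts with '\\', \Windows\System32\calc.exe cannot match ...\xcalc.exe. */
static bool EndsWithComponent(const wchar_t *path, const wchar_t *suffix)
{
    size_t plen = wcslen(path), slen = wcslen(suffix);
    if (slen == 0 || slen > plen || suffix[0] != L'\\') return false;
    const wchar_t *tail = path + (plen - slen);
    for (size_t i = 0; i < slen; i++)
        if (towlower(tail[i]) != towlower(suffix[i])) return false;
    return true;
}

/* The decision the pre-op would make. true means: complete the operation
 * with STATUS_ACCESS_DENIED instead of passing it down to the file system. */
bool ShouldDenyExecute(FS_FILTER_SECTION_SYNC_TYPE syncType, unsigned pageProtection,
                       const wchar_t *normalizedPath)
{
    /* SyncTypeOther is the memory manager taking the lock for something other
     * than creating a section; failing it would break ordinary paging I/O. */
    if (syncType != SyncTypeCreateSection) return false;
    /* A data section (read-only / read-write mapping) is not code execution. */
    if ((pageProtection & ANY_EXECUTE) == 0) return false;
    if (normalizedPath == NULL) return false;
    for (size_t i = 0; i < sizeof DenyList / sizeof DenyList[0]; i++)
        if (EndsWithComponent(normalizedPath, DenyList[i])) return true;
    return false;
}

int main(void)
{
    /* Constructed sample inputs, not captured from a live system. */
    struct { FS_FILTER_SECTION_SYNC_TYPE st; unsigned pp; const wchar_t *p; } cases[] = {
        { SyncTypeCreateSection, PAGE_EXECUTE,      L"\\Device\\HarddiskVolume3\\Windows\\System32\\calc.exe" },
        { SyncTypeCreateSection, PAGE_EXECUTE_READ, L"\\Device\\HarddiskVolume3\\Windows\\System32\\CALC.EXE" },
        { SyncTypeCreateSection, PAGE_READONLY,     L"\\Device\\HarddiskVolume3\\Windows\\System32\\calc.exe" },
        { SyncTypeOther,         PAGE_EXECUTE,      L"\\Device\\HarddiskVolume3\\Windows\\System32\\calc.exe" },
        { SyncTypeCreateSection, PAGE_EXECUTE,      L"\\Device\\HarddiskVolume3\\Users\\bob\\calc.exe" },
        { SyncTypeCreateSection, PAGE_EXECUTE,      L"\\Device\\HarddiskVolume3\\Windows\\System32\\xcalc.exe" },
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++)
        printf("%ls -> %s\n", cases[i].p,
               ShouldDenyExecute(cases[i].st, cases[i].pp, cases[i].p) ? "DENY" : "allow");
    return 0;
}
```

In the mini-filter itself this predicate sits inside the pre-operation callback that is registered through an FLT_OPERATION_REGISTRATION entry for IRP_MJ_ACQUIRE_FOR_SECTION_SYNCHRONIZATION in the FLT_REGISTRATION passed to FltRegisterFilter; that entry is the Filter Manager counterpart of the PreAcquireForSectionSynchronization member of FS_FILTER_CALLBACKS, which is why the legacy registration never fires for a mini-filter. The name should be obtained with FltGetFileNameInformation using FLT_FILE_NAME_NORMALIZED (followed by FltParseFileNameInformation) rather than read from FileObject->FileName, which holds whatever string the file was opened with and is not guaranteed to be the full volume-relative path. Note that a suffix match on a volume-relative entry applies to every volume; if the policy is meant for one volume only, the entry has to include the device name.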

Thanks Scott for the insight.