How to register file operation callback in filter for wpd

Hi everyone,

First of all, sorry if this is not the correct list. What I am trying to achieve is to intercept file transfers to a WPD (Windows Portable Device), process the content of the file & block it if necessary based on the content.

I have tried the COM API on the user side using the IPortableDevice interface. I could register an event callback, monitor objects added to the device and acquire the content. However, it does not seem to allow me to block the operation, as the callback event is fired after the transfer is done.

Later I moved to WDF and looked at the toaster sample. My plan at that time was to register my filter as a lower filter under the Portable Device class. I could get the device attachment & removal, but I'm not quite sure how to actually register an event callback to filter a file being added to the device. The WpdHelloWorldDriver sample somehow acts as a device driver.

I would really appreciate it if anyone could give me opinions & hints from their experience. Is what I'm trying to achieve possible?

thanks

These devices use the Media Transfer Protocol (MTP), so presumably you need
to create an MTP device filter. I haven’t ever tried this and I’m not sure
what the I/O requests look like at that point, but you’re unlikely to find a
relevant sample anywhere.

You can read more about WPD and MTP here:

https://msdn.microsoft.com/en-us/library/windows/hardware/dn614620(v=vs.85).aspx

If I had to do this, I would plug in a WPD device and use DeviceTree
(http://osronline.com/article.cfm?article=97) to look at the branch. I would
then start putting in filters everywhere and printing out the I/O requests
that arrive. From there you can get a feel for how these devices interface
with Windows and how you might value add.

Good luck!

-scott
OSR
@OSRDrivers


MTP device drivers are UMDF drivers with COM objects used as the interface for Explorer. The filtering is achievable in user mode. I worked with the team that implemented filtering and content analysis in user mode. Some hooking functionality was employed to achieve this.

Filtering in kernel mode requires protocol parsing and implementing intermediate buffering for content analysis. I would not recommend following this path.

> Filtering in kernel mode requires protocol parsing and implementing
> intermediate buffering for content analysis. I would not recommend to
> follow this path.

I agree. I don’t want to go through that path.

> Some hooking functionality were employed to achieve this.

About the hooking functionality you mentioned, is it documented anywhere? Via
UMDF, is it possible to actually block the transfer to the portable device,
or is it just monitoring the content being transferred?

thanks

On Fri, Jan 20, 2017 at 3:42 PM, wrote:

> MTP device drivers are UMDF drivers with COM objects used as interface for
> Explorer. The filtering is achievable in user mode. I worked with the team
> that implemented filtering and content analysis in user mode. Some hooking
> functionality were employed to achieve this.
>
> Filtering in kernel mode requires protocol parsing and implementing
> intermediate buffering for content analysis. I would not recommend to
> follow this path.

No, it is not documented as any hooking technique.