From: Eugene on
Hi, All
Is there any way to intercept subdirectory creation in the minifilter driver
preoperation (or postoperation) callback routine? I track all calls with
MajorFunction == IRP_MJ_WRITE but when a subdirectory is created, the DesiredAccess
(Data->Iopb->Parameters.Create.SecurityContext->DesiredAccess) value is set
to 0x100001 (FILE_READ_DATA/FILE_LIST_DIRECTORY | SYNCHRONIZE) and no write
access is specified.

Thanks, Eugene.
From: Don Burn on
Directories are created with IRP_MJ_CREATE so I am not sure why you are
looking at write calls. If you are not aware, file system questions are
best answered on the NTFSD forum hosted at http://www.osronline.com/ That
is the list where all the file system people (including a number from
Microsoft) hang out.


Don Burn (MVP, Windows DKD)
Windows Filesystem and Driver Consulting
Website: http://www.windrvr.com
Blog: http://msmvps.com/blogs/WinDrvr

From: Eugene on
Thanks, Don,
Sorry for the mistake, of course I'm tracking calls with IRP_MJ_CREATE.

From: Scott Noone on
You need to inspect the create disposition, not the desired access. Search
for disposition here:

http://msdn.microsoft.com/en-us/library/ff548630(VS.85).aspx

And follow the link to see the available options.

You can see the FASTFAT source for an example of extracting the disposition
from the create options.

(Also, Don's advice of going to NTFSD is good)

-scott

--
Scott Noone
Consulting Associate
OSR Open Systems Resources, Inc.
http://www.osronline.com
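
The disposition check described above, as an added example (not code from this thread or from FASTFAT). The constants copy the WDK values so it builds in user mode; in a minifilter the inputs would be Data->Iopb->Parameters.Create.Options and, in post-create, Data->IoStatus.Information. Function names and sample values are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Values as defined in the WDK headers, repeated here to build in user mode. */
#define FILE_OPEN           0x00000001u  /* disposition: open existing only  */
#define FILE_CREATE         0x00000002u  /* disposition: fail if it exists   */
#define FILE_OPEN_IF        0x00000003u  /* disposition: open or create      */
#define FILE_DIRECTORY_FILE 0x00000001u  /* create option: target is a dir   */
#define FILE_CREATED        0x00000002u  /* IoStatus.Information on success  */

/* Parameters.Create.Options packs the disposition into the high 8 bits
   and the create options into the low 24 bits. */
static uint32_t create_disposition(uint32_t options) { return (options >> 24) & 0xFFu; }
static uint32_t create_options(uint32_t options)     { return options & 0x00FFFFFFu; }

/* Pre-create: can this request bring a new directory into existence?
   FILE_DIRECTORY_FILE is only valid with FILE_CREATE, FILE_OPEN and
   FILE_OPEN_IF, and FILE_OPEN never creates anything. */
static int may_create_directory(uint32_t options)
{
    uint32_t disp = create_disposition(options);
    if (!(create_options(options) & FILE_DIRECTORY_FILE))
        return 0;
    return disp == FILE_CREATE || disp == FILE_OPEN_IF;
}

/* Post-create: FILE_OPEN_IF may just have opened an existing directory,
   so confirm with the completion status and IoStatus.Information. */
static int directory_was_created(uint32_t options, int success, uint32_t information)
{
    return success && (create_options(options) & FILE_DIRECTORY_FILE)
                   && information == FILE_CREATED;
}

int main(void)
{
    /* Constructed sample Options values, not captured from a real system. */
    const uint32_t samples[] = { 0x02000021u, 0x01000021u, 0x03000001u, 0x02000060u };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("Options=0x%08x disposition=%u may_create_directory=%d\n",
               (unsigned)samples[i], (unsigned)create_disposition(samples[i]),
               may_create_directory(samples[i]));
    return 0;
}
```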

From: Eugene on
Thank you very much, Done!

All works fine.

Eugene