I want to use the mini filter driver IRP_MJ_CREATE only for opening existing files (exe files).
-
Hi. Please help me. First of all, I hope you understand that the sentence structure can be strange as I ask questions using a translator machine.

I am developing a mini filter driver that prohibits reading from drivers other than the local disk drive. However, IRP_MJ_CREATE does so much. For example, it is also used to create volume drives the moment I open Explorer. I don't want IRP_MJ_CREATE to be used when volume drives are created the moment I open Explorer.

Currently, I have registered IRP_MJ_CREATE in preOperation. In the preOperation function, if it is not a local disk drive, it has been coded to make this work:

Data->IoStatus.Status = STATUS_NO_SUCH_PRIVILEGE;
Data->IoStatus.Information = 0;

Then, the moment I turned on Explorer, even the volume drives other than the local disk drive became inaccessible.

The first thing I want is that when Explorer opens, the volume drive will show up as accessible just like a local drive. Second, I want files to be prevented from being read (prohibited to execute) when entering the volume drive.

I think the words are simple, but I think you need advanced technology. Still, I would be grateful for any help. Thank you.
-
Hi, I have not worked with mini filter drivers for about six years. But here are some things I think may help:

1.) In your PFLT_PRE_OPERATION_CALLBACK callback you should probably allow anything originating from kernelmode to pass through. You can do this with ExGetPreviousMode which will return KernelMode for file operations originating from the Windows kernel.

2.) After you have allowed kernelmode file operations to pass unmolested you can get the process ID of the usermode process performing the i/o with PsGetCurrentProcessId and filter out whatever you want to pass through.

I don't normally send anyone away from codeproject.com but since I know that at least half of the Devices and Drivers team are active on the site I will defer you over to the NTFSD forum over at community.osr.com where they are working with minifilters on a daily basis.

Best Wishes, -David Delaune
-
Oh, thank you so much for the answer. There is still a lot to learn about the mini filter, so it is difficult to say it, but I will find it and try it. And thank you for telling me a good site. Thanks a lot.
Hi, I see that you have posted an entirely different question on the OSR website. You are now asking how to filter out directories. You can use the FltIsDirectory function to check if the file object is a directory. Best Wishes, -David Delaune
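Added example, not part of the thread and not anyone's driver code: a user-mode C model of the order of checks a pre-create callback could apply, combining the kernel-mode pass-through and directory check from the answers with the volume-open case from the question. The struct, enum and function names are hypothetical; the numeric constants are the WDK header values, and treating a CD-ROM file system or FILE_REMOVABLE_MEDIA as "non-local" is an assumption.

```c
#include <stdbool.h>
#include <stdint.h>

/* Values copied from the WDK headers so the model compiles in user mode. */
#define FILE_READ_DATA                 0x0001u      /* access mask bit */
#define FILE_EXECUTE                   0x0020u      /* access mask bit */
#define FILE_DIRECTORY_FILE            0x00000001u  /* create option */
#define FO_VOLUME_OPEN                 0x00400000u  /* FILE_OBJECT flag */
#define FILE_REMOVABLE_MEDIA           0x00000001u  /* device characteristic */
#define FILE_DEVICE_CD_ROM_FILE_SYSTEM 0x00000003u
#define FILE_DEVICE_DISK_FILE_SYSTEM   0x00000008u

enum mode    { KERNEL_MODE = 0, USER_MODE = 1 };  /* what ExGetPreviousMode reports */
enum verdict { PASS_THROUGH, DENY };

/* Hypothetical struct: the fields a pre-create callback would look at. */
struct create_req {
    enum mode requestor_mode;
    uint32_t  file_object_flags;      /* FileObject->Flags */
    uint32_t  create_options;         /* Parameters.Create.Options, option bits */
    uint32_t  desired_access;         /* SecurityContext->DesiredAccess */
    uint32_t  device_type;            /* device type of the volume */
    uint32_t  device_characteristics; /* characteristics of the volume */
};

/* Assumption: "non-local" means optical media or removable-media devices. */
static bool is_non_local_volume(const struct create_req *r)
{
    return r->device_type == FILE_DEVICE_CD_ROM_FILE_SYSTEM ||
           (r->device_characteristics & FILE_REMOVABLE_MEDIA) != 0;
}

enum verdict decide_create(const struct create_req *r)
{
    if (r->requestor_mode == KERNEL_MODE)        /* kernel-originated I/O */
        return PASS_THROUGH;
    if (!is_non_local_volume(r))                 /* local disks are untouched */
        return PASS_THROUGH;
    if (r->file_object_flags & FO_VOLUME_OPEN)   /* open of the volume itself */
        return PASS_THROUGH;
    if (r->create_options & FILE_DIRECTORY_FILE) /* directory open, browsing */
        return PASS_THROUGH;
    if (r->desired_access & (FILE_READ_DATA | FILE_EXECUTE))
        return DENY;                             /* file content read or execute */
    return PASS_THROUGH;                         /* e.g. attribute-only opens */
}
```

The directory test only recognises opens that pass FILE_DIRECTORY_FILE; FILE_LIST_DIRECTORY has the same value as FILE_READ_DATA, so a directory opened without that option needs the FltIsDirectory check mentioned in the answer.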
-
Thank you for the answer. It takes some time to write the answer using a translation machine lol. The article I wrote is correct. I thought the text I wrote here was a bit ambiguous, so I made some corrections to write it. Ultimately, what I have to do is control what files (directories) are read (run) and written (modified, deleted) in usb drive, cd-rom drive, portable drive etc except for local drive (e.g. C drive D drive). However, if I post too many questions at once, I don't think I can get a proper answer, so I started posting questions like this. I think the question I posted here must have been a little bit stranger than that on the osr website. First of all, I want to do anything, whether I am blocking reading or writing, but I can't get a starting point. There are many things that create something in the samples provided by Microsoft, but nothing prevents it. Is there anything you can do to help? I am waiting for your answer.
-
Member 14872681 wrote:
Is there anything you can do to help? I am waiting for your answer.
If you ask a very specific question (narrow in scope) you will probably get an answer.
Member 14872681 wrote:
First of all, I want to do anything, whether I am blocking reading or writing, but I can't get a starting point.
Most of the minifilter samples are located here: File system driver samples. There are probably over a dozen more minifilter samples in older versions of the Windows DDK if you have them. Unfortunately I don't think they are being distributed anymore. The code samples are a good place to start. Best Wishes, -David Delaune
-
Hi. Okay, I understand your reply. Let's start with a sample. I think I'm going to post a question while working on it, but if you see my article and have something helpful, please answer me. Thank you.
-
Member 14872681 wrote:
However, if I post too many questions at once, I don't think I can get a proper answer, so I started posting questions like this.
That is a good approach. The more you put into a single question, the more time it takes for everyone to read, and the less likely it is you will get a useful answer. However, it wouldn't hurt to mention that you are working on a larger problem and point to the related posts you made, so anyone willing to help can get a better look at the whole picture. Also, I like how you approach the translation. You keep sentences short and concise, that makes it harder for the translation engine to mess up the meaning. :thumbsup: (Sorry, I can't help with your problem. But I still felt that it's worth congratulating you on doing a good job asking questions - that is a rare skill nowadays!)
GOTOs are a bit like wire coat hangers: they tend to breed in the darkness, such that where there once were few, eventually there are many, and the program's architecture collapses beneath them. (Fran Poretto)