
minifilter

How to cancel a rename operation in minifilter driver

Question: I want to cancel a rename operation in my minifilter. I have written the code that detects when a file is being renamed, but I am not clear on how to actually cancel the operation. Can anyone help me with this? Here is my callback routine that detects a file rename.
FLT_PREOP_CALLBACK_STATUS PreSetInformation( _Inout_ PFLT_CALLBACK_DATA Cbd, _In_ PCFLT_RELATED_OBJECTS FltObjects, _Flt_CompletionContext_Outptr_ PVOID *CompletionContext ) { if (Cbd->Iopb->Parameters.SetFileInformation.FileInformationClass == FileRenameInformation) { WCHAR buf[MAX_PATH] = { 0 }; PFILE_RENAME_INFORMATION renameInfo = Cbd->Iopb->Parameters.SetFileInformation.InfoBuffer; memcpy(buf, renameInfo->FileName, renameInfo->FileNameLength); DbgPrint("renameInfo %ws\n", buf); if (anCondition(buf)) { //

2021-06-25 17:49:05    Category: Tech Sharing    c   driver   minifilter

Minifilter driver not blocking file edition

I am trying to create a File System Filter (Minifilter) driver. For that I am following the tutorial provided here: https://www.youtube.com/watch?v=ukUf3kSSTOU In a brief way, in the tutorial you create a minifilter driver that stops you from writing into a file called OPENME.txt. This is the code I have: #include <fltKernel.h> #include <dontuse.h> #include <suppress.h> PFLT_FILTER FilterHandle = NULL; NTSTATUS MiniUnload(FLT_FILTER_UNLOAD_FLAGS Flags); FLT_POSTOP_CALLBACK_STATUS MiniPostCreate(PFLT_CALLBACK_DATA Data, PCFLT_RELATED_OBJECTS FltObjects, PVOID* CompletionContec, FLT_POST

2021-06-12 22:08:32    Category: Q&A    c++   minifilter

minifilter vs. API Hooking for file system operations monitoring \ filtering

I need to develop an application that monitors, and potentially filters (rejects the calls), file operations. It appears that developing a minifilter is the "standard" solution. Another potential method is using API hooks. Are these relevant solutions? (I read in some places that an API hook may not be suitable - but no explanation was given.) Are there other options?

2021-06-12 06:30:24    Category: Q&A    winapi   driver   api-hook   minifilter

I can't break when attaching to target machine in kernel debug mode

Question: I am starting a prototype that includes a Windows minifilter. I have set up my environment: target virtual machines (actually 3: Windows 7, 8 and 8.1); a host development machine (hosting Visual Studio 2013 and the HyperV VMs). I finally managed to deploy the test minifilter to the target machine, but my problem is: I cannot break into the kernel on the target machine. When I build and launch from the Visual Studio Debugger, the result is as follows:
----------------------------------------------------------------------- ----------------------------------------------------------------------- Starting New Debugger Session ----------------------------------------------------------------------- ----------------------------------------------------------------------- Microsoft (R) Windows Debugger Version 6.3.9600.16384 AMD64 Copyright (c)

2021-06-11 03:55:29    Category: Tech Sharing    windows   debugging   kernel   minifilter

I can't break when attaching to target machine in kernel debug mode

I am starting a prototype including a Windows minifilter. I have set up my environment: a target Virtual Machine (actually 3: a Windows 7, 8 and 8.1) a host development machine (which hosts Visual Studio 2013 and HyperV VMs) I finally managed to deploy the test minifilter to the target machine, but my problem is: I can not break the kernel in the target machine. When I make a build and start from Visual Studio Debugger, here is the result: ----------------------------------------------------------------------- ----------------------------------------------------------------------- Starting New

2021-05-31 21:02:28    Category: Q&A    windows   debugging   kernel   minifilter

FileSystem MiniFilter Driver compiled with WDK 8.0 not showing DbgPrint output (DbgView/Win7 32 bit)

Question: I wrote and compiled a minifilter driver using the WDK 7.0 build utility for Windows 7 32-bit. I then installed it on a Windows 7 (32-bit) machine running on VMWare using OSR's driver loader utility. When I ran DbgView, I could see the DbgPrint output accurately. Then I compiled the very same driver using the WDK 8.0 integrated into Microsoft Visual Studio Pro 2012, for Windows 7 (32-bit). That produced 3 files: a sys, a cat and an inf file. I installed the driver on a Windows 7 (32-bit) machine running on VMWare by right-clicking the inf file and selecting "Install". Then I started the service from a command prompt. However, even though it is the same code/driver, I cannot see the DbgPrint output in DbgView from the driver compiled with WDK 8.0 / VS2012 Pro. Here is the code that actually does the printing (the post-operation callback for IRP_MJ_CREATE):
FLT_POSTOP_CALLBACK_STATUS CreateFilePostOpCallback(__in PFLT_CALLBACK_DATA Data, __in PCFLT_RELATED_OBJECTS FltObjects, __in_opt PVOID CompletionContext, _

2021-05-18 00:50:30    Category: Tech Sharing    debugging   driver   wdk   debugview   minifilter

How to cancel a rename operation in minifilter driver

I would like to cancel a rename operation in my minifilter. I've written the code that detects when a file is being renamed, but I'm unclear on how to actually cancel the operation. Can anyone help me out with this? Here is my callback routine that detects a file rename. FLT_PREOP_CALLBACK_STATUS PreSetInformation( _Inout_ PFLT_CALLBACK_DATA Cbd, _In_ PCFLT_RELATED_OBJECTS FltObjects, _Flt_CompletionContext_Outptr_ PVOID *CompletionContext ) { if (Cbd->Iopb->Parameters.SetFileInformation.FileInformationClass == FileRenameInformation) { WCHAR buf[MAX_PATH] = { 0 }; PFILE_RENAME_INFORMATION

2021-05-06 17:12:29    Category: Q&A    c   driver   minifilter

FileSystem MiniFilter Driver compiled with WDK 8.0 not showing DbgPrint output (DbgView/Win7 32 bit)

I wrote and compiled a minifilter driver using the WDK 7.0 build utility for Windows 7 32 bit. Then I installed it on a Windows 7 (32 bit) machine running on VMWare using OSR's driver loader utility. When I ran DbgView, I could see the DbgPrint output accurately. Then I compiled that very same driver using WDK 8.0 integrated in Microsoft Visual Studio Pro 2012 for Windows 7 (32 bit). That created 3 files as a result, a sys, cat and inf file. I installed the driver on a Windows 7 (32 bit) machine running on VMWare, by right clicking the inf file and selecting 'install'. Then I started the service

2021-05-03 05:18:01    Category: Q&A    debugging   driver   wdk   debugview   minifilter