Re: I'm new... so where do I start with Filesystem Filter Drivers?
- From: "Maxim S. Shatskih" <maxim@xxxxxxxxxxxxxxxx>
- Date: Sat, 21 Jan 2006 19:31:49 +0300
There are no documented means of solving this task. You can get a
notification about an EXE/DLL load even without an FS filter, via
PsSetLoadImageNotifyRoutine.
But there are no documented means of aborting the process if the image is
"bad".
The EXECUTE bit in DesiredAccess for CreateFile is misused a lot by MS's own UI
stuff (shell32 and such), so you cannot treat the EXECUTE bit as the
indicator of "executing" the EXE file. I think that even the shell's open to
read VersionInfo will have the EXECUTE bit on.
Also, the FS filter gets no callbacks on image section creation, except the
lock acquisition calls, which are also used for lots of other purposes.
So, it looks like an FS filter will not help a lot with this.
I remember people hooking the NtCreateSection syscall to solve this task.
Hooking is bad, but there are no better means of solving it.
--
Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
maxim@xxxxxxxxxxxxxxxx
http://www.storagecraft.com
"Arkane" <Arkane@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:C621A391-88A3-4FE6-959C-9F8614BEE7EA@xxxxxxxxxxxxxxxx
> I'm new to this level of development, I know what I want to do and I know how
> I want it to work.
> What I don't currently know is how to accomplish my task.
>
> I'd like to write a Filesystem Filter Driver that intercepts any program
> execution on hard disks/USB/CD-Rom. I'd like it to be able to tell me which
> program was executed, when and by whom - then to pass this information to
> another program (which is defined via a registry key) via variables. At which
> point the other program would handle everything else.
>
> I know that trying to intercept hard disk/USB/CD-Rom will give me an
> immediate problem as a filesystem filter driver monitors a specific device
> and I'd need to write something that catches it from all of my devices.
>
> Something out there that does this (in part) already is TrustNoExe but I
> want something similar without the GUI and to allow an external program to
> make the final choice whether a program is run or simply denied from running.
>
> I'm totally new to this, I have the Windows XP DDK, VC++ 6.
> I have already written something that hijacks a few registry keys in HKLM so
> that any executable that's run (exe/com/bat files) is passed to my program -
> this works great but it doesn't cater for other filetypes such as .scr
> files or anything that can be classed as 'executable' by the OS.
> My target platforms are Windows 2000 SP4 and Windows XP SP1a/SP2.
>
> So I guess my question is, where do I start? I have looked for any HOWTO
> guides or basic guides on developing a filesystem filter driver but I've not
> found a great deal that can help me.
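The documented path Maxim points to, as an added example that is not code from this thread or from either poster: a minimal driver that registers a PsSetLoadImageNotifyRoutine callback, records the process ID and NT path of each user-mode image load, and formats the record a user-mode policy program could consume. It only observes; as the reply says, this API gives no documented way to refuse the load. The record/filter/format part is plain C and is exercised in user mode on a constructed path; the driver glue compiles only when IMAGE_LOG_DRIVER is defined (assumed to be set with C_DEFINES=-DIMAGE_LOG_DRIVER in the DDK SOURCES file). IMAGE_LOG_DRIVER, the record type and all function names other than the DDK APIs are this example's own.

```c
/* Added example, not code from this thread: logs image loads through the documented
 * PsSetLoadImageNotifyRoutine Maxim mentions. Record/filter/format logic is plain C and
 * runs in user mode; the driver glue builds only when IMAGE_LOG_DRIVER is defined. */
#include <string.h>

typedef struct {
    unsigned long pid;  /* ProcessId from the callback; 0 for driver images */
    int system_image;   /* ImageInfo->SystemModeImage */
    char path[260];     /* NT path (\Device\...), narrowed to ASCII */
} image_load_record;

/* Narrow a UTF-16 buffer (length in 16-bit units, unterminated, as in a
 * UNICODE_STRING) to printable ASCII; anything else becomes '?'. */
static size_t narrow_path(const unsigned short *w, size_t wlen, char *out, size_t outlen)
{
    size_t i, n = 0;
    if (outlen == 0) return 0;
    for (i = 0; i < wlen && n + 1 < outlen; i++)
        out[n++] = (w[i] >= 0x20 && w[i] < 0x7f) ? (char)w[i] : '?';
    out[n] = '\0';
    return n;
}
/* FullImageName may be NULL: the kernel does not always know the image name. */
static void build_record(image_load_record *rec, unsigned long pid, int system_image,
                         const unsigned short *w, size_t wlen)
{
    rec->pid = pid; rec->system_image = system_image;
    if (w) narrow_path(w, wlen, rec->path, sizeof rec->path);
    else memcpy(rec->path, "<unknown>", sizeof "<unknown>");
}
/* Drivers arrive with ProcessId 0 and SystemModeImage set; only user-mode loads say who ran what. */
static int should_forward(const image_load_record *rec)
{
    return rec->pid != 0 && !rec->system_image;
}
static size_t put(char *buf, size_t buflen, size_t pos, const char *s)
{
    if (buflen == 0) return 0;
    while (*s && pos + 1 < buflen) buf[pos++] = *s++;
    buf[pos] = '\0';
    return pos;
}
/* The line a user-mode policy program would parse: "pid=<n> path=<NT path>".
 * The decimal conversion is by hand so the same code also works without a CRT. */
static size_t format_record(const image_load_record *rec, char *buf, size_t buflen)
{
    char num[24], *p = num + sizeof num - 1;
    unsigned long v = rec->pid; size_t pos;
    *p = '\0';
    do { *--p = (char)('0' + v % 10); v /= 10; } while (v);
    pos = put(buf, buflen, 0, "pid=");
    pos = put(buf, buflen, pos, p);
    pos = put(buf, buflen, pos, " path=");
    return put(buf, buflen, pos, rec->path);
}

#ifndef IMAGE_LOG_DRIVER
/* User-mode self-check on constructed input (not captured from a real system). */
static int imagelog_selftest(void)
{
    static const unsigned short exe[] = { '\\','D','e','v','i','c','e','\\','H','a','r','d','d','i',
        's','k','V','o','l','u','m','e','1','\\','n','o','t','e','p','a','d','.','e','x','e' };
    size_t exe_len = sizeof exe / sizeof exe[0];
    image_load_record rec; char line[320];
    build_record(&rec, 1234, 0, exe, exe_len);
    if (!should_forward(&rec) || format_record(&rec, line, sizeof line) == 0) return 0;
    if (strcmp(line, "pid=1234 path=\\Device\\HarddiskVolume1\\notepad.exe") != 0) return 0;
    build_record(&rec, 0, 1, exe, exe_len);  /* a driver image: not forwarded */
    if (should_forward(&rec)) return 0;
    build_record(&rec, 77, 0, NULL, 0);      /* name unavailable */
    return strcmp(rec.path, "<unknown>") == 0;
}
#else
#include <ntddk.h>
/* Runs in the loading thread's context once the image is mapped: it can record the
 * load but not veto it, and must not block waiting for a user-mode verdict. */
static VOID ImageLoadNotify(PUNICODE_STRING FullImageName, HANDLE ProcessId, PIMAGE_INFO ImageInfo)
{
    image_load_record rec; char line[320];
    build_record(&rec, (unsigned long)(ULONG_PTR)ProcessId, ImageInfo->SystemModeImage ? 1 : 0,
                 FullImageName ? (const unsigned short *)FullImageName->Buffer : NULL,
                 FullImageName ? FullImageName->Length / sizeof(WCHAR) : 0);
    if (!should_forward(&rec)) return;
    format_record(&rec, line, sizeof line);
    DbgPrint("imagelog: %s\n", line); /* a real driver would queue this for user mode */
}
static VOID DriverUnload(PDRIVER_OBJECT DriverObject)
{
    UNREFERENCED_PARAMETER(DriverObject);
    PsRemoveLoadImageNotifyRoutine(ImageLoadNotify); /* documented for XP and later */
}
NTSTATUS DriverEntry(PDRIVER_OBJECT DriverObject, PUNICODE_STRING RegistryPath)
{
    UNREFERENCED_PARAMETER(RegistryPath);
    DriverObject->DriverUnload = DriverUnload;
    return PsSetLoadImageNotifyRoutine(ImageLoadNotify);
}
#endif
```

Two practical points follow from the callback's contract. It is invoked in the context of the thread that mapped the image, so handing the record to an external program means queueing it (for example completing a pended IOCTL) rather than waiting in the callback for that program's answer; and "by whom" is not in the arguments, so a real driver would look up the token of the process named by ProcessId, which is left out here. PsRemoveLoadImageNotifyRoutine is documented for Windows XP and later; for a Windows 2000 target, leave DriverUnload unset so the driver is simply not unloadable rather than unloading with the callback still registered.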