1

Topic: File System Minifilter. How to get at least some kind of file ID

It does not have to be "global"; any unique one will do, in IRP_MJ_READ, IRP_MJ_WRITE and IRP_MJ_CLEANUP (file closing). I just need to distinguish one open file from the others, and doing it by name is unreliable.

2

Re: File System Minifilter. How to get at least some kind of file ID

Hello, sergey77666, you wrote:
S> It does not have to be "global"; any unique one will do, in IRP_MJ_READ, IRP_MJ_WRITE and IRP_MJ_CLEANUP (file closing).
S> I just need to distinguish one open file from the others, and doing it by name is unreliable.
FLT_RELATED_OBJECTS::FileObject is formed at create/open and does not change until cleanup. Actually, the descriptor handed out to user mode (the HANDLE) is also bound to the FILE_OBJECT.

3

Re: File System Minifilter. How to get at least some kind of file ID

Hello, EreTIk, you wrote:
ETI> Hello, sergey77666, you wrote:
S>> It does not have to be "global"; any unique one will do, in IRP_MJ_READ, IRP_MJ_WRITE and IRP_MJ_CLEANUP (file closing).
S>> I just need to distinguish one open file from the others, and doing it by name is unreliable.
ETI> FLT_RELATED_OBJECTS::FileObject is formed at create/open and does not change until cleanup. Actually, the descriptor handed out to user mode (the HANDLE) is also bound to the FILE_OBJECT.
So use it as the ID, then? It would be better to have a field in it for that, instead of this nonsense... These filters are lame; hooks were better. It would have been better to add ready-made algorithms for filtering them.

4

Re: File System Minifilter. How to get at least some kind of file ID

S> So use it as the ID, then?
Yes, the object address will be unique from IRP_MJ_CREATE to IRP_MJ_CLOSE.

5

Re: File System Minifilter. How to get at least some kind of file ID

Hello, sergey77666, you wrote:
S> It does not have to be "global"; any unique one will do, in IRP_MJ_READ, IRP_MJ_WRITE and IRP_MJ_CLEANUP (file closing).
S> I just need to distinguish one open file from the others, and doing it by name is unreliable.
The analog of an ID in minifilters is the FILE_OBJECT. Two different FILE_OBJECTs will be the result of two different Nt/ZwCreateFile operations.
I also recommend taking a look here:
Managing Contexts in a Minifilter Driver
https://docs.microsoft.com/en-us/window … ter-driver
In short: contexts let you attach an arbitrary block of information to any object, i.e. to a FILE_OBJECT, to a stream, to a file, to a volume, to a minifilter instance, etc. For example, using a stream context you can find out when two different FILE_OBJECTs point to the same file (strictly speaking, to the same file stream).
S> These filters are lame; hooks were better.
Well, let's start with the fact that hooks have been plainly non-functional for about ten years now (since x64 Windows Vista) because of PatchGuard.

6

Re: File System Minifilter. How to get at least some kind of file ID

Hello, EreTIk, you wrote:
ETI> FLT_RELATED_OBJECTS::FileObject is formed at create/open and does not change until cleanup.
More precisely, until IRP_MJ_CLOSE.
After cleanup the handle is closed, but the file object still exists and various operations (normally paging I/O) can still be performed on it.

7

Re: File System Minifilter. How to get at least some kind of file ID

Hello, okman, you wrote:
O> Hello, EreTIk, you wrote:
ETI>> FLT_RELATED_OBJECTS::FileObject is formed at create/open and does not change until cleanup.
O> More precisely, until IRP_MJ_CLOSE.
O> After cleanup the handle is closed, but the file object still exists and various operations (normally paging I/O) can
O> still be performed on it.
And cleanup is exactly what I need, since judging by MSDN it (rather than close) corresponds more precisely to the task "track all file closings in the user-mode sense". And this ID in the form of a FILE_OBJECT will be needed there too, to link the closings to the writes and reads.
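The bookkeeping that posts 2 and 4 through 7 converge on, written out as an added example that is not part of the thread and not anyone's posted code: a user-mode C simulation in which the kernel FILE_OBJECT is replaced by an opaque mock type (an assumption made so the code builds and runs without the WDK; no FltMgr call is made), records are created on IRP_MJ_CREATE, accumulated on IRP_MJ_READ/IRP_MJ_WRITE, reported on IRP_MJ_CLEANUP and freed only on IRP_MJ_CLOSE. The path and byte counts are constructed. It shows two opens of one path producing two records, so the name cannot serve as the key, and a paging write arriving after cleanup still resolving correctly because the record outlives the handle.

```c
/* Added example (not from the thread): user-mode simulation of the bookkeeping a
 * minifilter would keep per FILE_OBJECT.  The kernel FILE_OBJECT is replaced by an
 * opaque mock type so this builds without the WDK; no FltMgr call is made. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Only the address is used as a key (FltObjects->FileObject in real callbacks). */
typedef struct MOCK_FILE_OBJECT { unsigned char opaque[16]; } MOCK_FILE_OBJECT, *PMOCK_FILE_OBJECT;

typedef struct FileTrack {
    PMOCK_FILE_OBJECT key;     /* unique from IRP_MJ_CREATE until IRP_MJ_CLOSE */
    char name[96];             /* informational only: two opens may share a name */
    uint64_t bytes_read, bytes_written;
    int cleaned_up;            /* IRP_MJ_CLEANUP seen: last user-mode handle gone */
    struct FileTrack *next;
} FileTrack;

static FileTrack *g_head;      /* plain linked list, as the original poster does */

static FileTrack *find_track(PMOCK_FILE_OBJECT fo)
{
    for (FileTrack *t = g_head; t; t = t->next)
        if (t->key == fo) return t;
    return NULL;
}

/* IRP_MJ_CREATE post-operation: a new FILE_OBJECT exists, start its record. */
int on_create(PMOCK_FILE_OBJECT fo, const char *name)
{
    FileTrack *t;
    if (find_track(fo)) return -1;              /* address reused without a CLOSE: a bug */
    if (!(t = calloc(1, sizeof *t))) return -1;
    t->key = fo;
    snprintf(t->name, sizeof t->name, "%s", name);
    t->next = g_head;
    g_head = t;
    return 0;
}

/* IRP_MJ_READ / IRP_MJ_WRITE: attribute bytes to the FILE_OBJECT, not to the name. */
static int account(PMOCK_FILE_OBJECT fo, uint64_t len, int is_write)
{
    FileTrack *t = find_track(fo);
    if (!t) return -1;
    if (is_write) t->bytes_written += len; else t->bytes_read += len;
    return 0;
}
int on_read(PMOCK_FILE_OBJECT fo, uint64_t len)  { return account(fo, len, 0); }
int on_write(PMOCK_FILE_OBJECT fo, uint64_t len) { return account(fo, len, 1); }

/* IRP_MJ_CLEANUP: the last user-mode handle closed, so report the totals, but keep
 * the record: paging I/O can still arrive on this FILE_OBJECT before IRP_MJ_CLOSE. */
int on_cleanup(PMOCK_FILE_OBJECT fo, uint64_t *rd, uint64_t *wr)
{
    FileTrack *t = find_track(fo);
    if (!t) return -1;
    t->cleaned_up = 1;
    *rd = t->bytes_read;
    *wr = t->bytes_written;
    return 0;
}

/* IRP_MJ_CLOSE: the FILE_OBJECT is being destroyed; only now free the record. */
int on_close(PMOCK_FILE_OBJECT fo)
{
    for (FileTrack **pp = &g_head; *pp; pp = &(*pp)->next) {
        if ((*pp)->key != fo) continue;
        FileTrack *t = *pp;
        *pp = t->next;
        free(t);
        return 0;
    }
    return -1;
}

size_t tracked_count(void) { size_t n = 0; for (FileTrack *t = g_head; t; t = t->next) n++; return n; }

/* Live records carrying this name: shows why a name is not an identifier. */
size_t count_by_name(const char *name)
{
    size_t n = 0;
    for (FileTrack *t = g_head; t; t = t->next) if (strcmp(t->name, name) == 0) n++;
    return n;
}

/* Two Nt/ZwCreateFile calls on one path: two distinct FILE_OBJECTs (constructed). */
MOCK_FILE_OBJECT g_fo_a, g_fo_b;

/* Walk the scenario discussed in the thread; returns the number of failed checks. */
int demo_scenario(void)
{
    const char *path = "\\Device\\HarddiskVolume1\\Users\\u\\data.txt";   /* constructed */
    uint64_t rd = 0, wr = 0;
    int failed = 0;
    failed += on_create(&g_fo_a, path) != 0;
    failed += on_create(&g_fo_b, path) != 0;
    failed += count_by_name(path) != 2;                    /* same name, two opens */
    failed += on_write(&g_fo_a, 100) != 0;
    failed += on_read(&g_fo_b, 40) != 0;
    failed += on_cleanup(&g_fo_a, &rd, &wr) != 0 || rd != 0 || wr != 100;
    printf("cleanup of FILE_OBJECT %p: read=%llu written=%llu\n",
           (void *)&g_fo_a, (unsigned long long)rd, (unsigned long long)wr);
    failed += on_write(&g_fo_a, 4096) != 0;                /* paging write after cleanup */
    failed += on_close(&g_fo_a) != 0;
    failed += on_read(&g_fo_a, 1) != -1;                   /* record gone after CLOSE */
    failed += on_cleanup(&g_fo_b, &rd, &wr) != 0 || rd != 40 || wr != 0;
    failed += on_close(&g_fo_b) != 0;
    failed += tracked_count() != 0;
    return failed;
}

int main(void) { return demo_scenario(); }
```

In a real minifilter the key is FltObjects->FileObject in each callback, and the list must be guarded by a lock because callbacks run concurrently on different threads; both are omitted here to keep the CREATE, CLEANUP and CLOSE lifecycle visible.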

8

Re: File System Minifilter. How to get at least some kind of file ID

Hello, okman, you wrote:
O> Hello, sergey77666, you wrote:
S>> It does not have to be "global"; any unique one will do, in IRP_MJ_READ, IRP_MJ_WRITE and IRP_MJ_CLEANUP (file closing).
S>> I just need to distinguish one open file from the others, and doing it by name is unreliable.
O> The analog of an ID in minifilters is the FILE_OBJECT.
O> Two different FILE_OBJECTs will be the result of two different Nt/ZwCreateFile operations.
And that is sad.
O> I also recommend taking a look here:
I don't see the point of getting into that right now. I'm simply making a linked list keyed on the ID, in which the information about each file is first recorded separately at every read/write, and then, when that file is closed, it is pulled out of there and passed on.
O> Well, let's start with the fact that hooks have been plainly non-functional for about ten years now (since x64 Windows Vista) because of PatchGuard.
That's exactly why I write "were" rather than "are". Though on a machine with Windows 10 x64 everything worked. Here is that source code: https://github.com/mrexodia/TitanHide , in case someone gets interested. Perhaps someone will comment.

9

Re: File System Minifilter. How to get at least some kind of file ID

Hello, sergey77666, you wrote:
O>> I also recommend taking a look here:
S> I don't see the point of getting into that right now.
S> I'm simply making a linked list keyed on the ID, in which the information about each file is first recorded separately at every read/write, and then, when that file is closed, it is pulled out of there and passed on.
Purely as a helpful hint: instead of a list, an AVL tree, for example, is more efficient here. See RtlInitializeGenericTableAvl and follow the links from there.
O>> Well, let's start with the fact that hooks have been plainly non-functional for about ten years now (since x64 Windows Vista) because of PatchGuard.
S> Though on a machine with Windows 10 x64 everything worked.
It's clear that in a virtual machine with a kernel debugger attached, or with the code-signing checks disabled, everything works, since PatchGuard is not active in such scenarios. But on a real system, where there are no debuggers and no test-signing mode, a CRITICAL_STRUCTURE_CORRUPTION BSOD will fly out within a few minutes because of the hooks. And on Windows 10 with Device Guard / HVCI enabled, kernel hooks cannot be installed at all (because of the restrictions on the use of executable memory in the kernel). So this technique has long been dead and can only be used for some very specific things.

10

Re: File System Minifilter. How to get at least some kind of file ID

Hello, okman, you wrote:
O> Purely as a helpful hint: instead of a list, an AVL tree, for example, is more efficient here.
O> See RtlInitializeGenericTableAvl and follow the links from there.
What do I need that for? Though I haven't yet made a full-fledged list class that would be reusable for different tasks and have all the necessary functions, I can make one later from this source code. (Until now I haven't had one only because I rarely write in C/C++. In C# and Java it comes out of the box.)

11

Re: File System Minifilter. How to get at least some kind of file ID

Hello, sergey77666, you wrote:
S> Hello, okman, you wrote:
O>> Purely as a helpful hint: instead of a list, an AVL tree, for example, is more efficient here.
O>> See RtlInitializeGenericTableAvl and follow the links from there.
S> What do I need that for?
What does that have to do with it? A search in a list takes linear time, and in a tree, logarithmic. Very roughly, in the first case a search in a list of 1000 elements will take about 500 comparison operations on average, and in the second, about 5.
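The linear-versus-logarithmic point made in the last two posts, measured rather than estimated, as an added example that is not from the thread: a self-contained C program that inserts 1000 fake FILE_OBJECT addresses (constructed values) into both a singly linked list and a hand-written AVL tree, looks every key up once in each structure, and counts the nodes touched. RtlInitializeGenericTableAvl is the kernel facility okman points at; this example does not call it and implements the tree itself so that it runs in user mode. With 1000 keys the list averages 500.5 node visits per successful lookup, while the AVL tree needs at most 14 and roughly 10 on average.

```c
/* Added example (not from the thread): count node visits per successful lookup
 * in a linked list versus an AVL tree, both keyed on fake FILE_OBJECT addresses.
 * The kernel equivalent of the tree is RtlInitializeGenericTableAvl; this is a
 * user-mode stand-in and does not use it. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

typedef uint64_t fo_key_t;      /* numeric value of a FILE_OBJECT address */

/* ---- singly linked list, insert at head, as the original poster does ---- */
typedef struct LNode { fo_key_t key; struct LNode *next; } LNode;

static LNode *list_insert(LNode *head, fo_key_t k)
{
    LNode *n = malloc(sizeof *n);
    if (!n) abort();
    n->key = k; n->next = head;
    return n;
}
static int list_find(const LNode *n, fo_key_t k, unsigned *visits)
{
    for (; n; n = n->next) { ++*visits; if (n->key == k) return 1; }
    return 0;
}
static void list_free(LNode *n) { while (n) { LNode *t = n->next; free(n); n = t; } }

/* ---- AVL tree: height-balanced, so depth stays O(log n) ---- */
typedef struct ANode { fo_key_t key; int height; struct ANode *left, *right; } ANode;

static int height(const ANode *n) { return n ? n->height : 0; }
static void fix_height(ANode *n)
{
    int l = height(n->left), r = height(n->right);
    n->height = (l > r ? l : r) + 1;
}
static ANode *rotate_right(ANode *y)
{
    ANode *x = y->left; y->left = x->right; x->right = y;
    fix_height(y); fix_height(x); return x;
}
static ANode *rotate_left(ANode *x)
{
    ANode *y = x->right; x->right = y->left; y->left = x;
    fix_height(x); fix_height(y); return y;
}
/* Restore |height(left) - height(right)| <= 1 at n after an insert below it. */
static ANode *rebalance(ANode *n)
{
    fix_height(n);
    int bf = height(n->left) - height(n->right);
    if (bf > 1) {
        if (height(n->left->left) < height(n->left->right)) n->left = rotate_left(n->left);
        return rotate_right(n);
    }
    if (bf < -1) {
        if (height(n->right->right) < height(n->right->left)) n->right = rotate_right(n->right);
        return rotate_left(n);
    }
    return n;
}
static ANode *avl_insert(ANode *n, fo_key_t k)
{
    if (!n) {
        ANode *m = calloc(1, sizeof *m);
        if (!m) abort();
        m->key = k; m->height = 1; return m;
    }
    if (k < n->key)      n->left  = avl_insert(n->left, k);
    else if (k > n->key) n->right = avl_insert(n->right, k);
    else                 return n;                 /* duplicate key: nothing to do */
    return rebalance(n);
}
static int avl_find(const ANode *n, fo_key_t k, unsigned *visits)
{
    while (n) { ++*visits; if (k == n->key) return 1; n = (k < n->key) ? n->left : n->right; }
    return 0;
}
static void avl_free(ANode *n) { if (n) { avl_free(n->left); avl_free(n->right); free(n); } }

/* Fake kernel-mode addresses in shuffled order: 7919 is prime, so for count < 7919
 * the indices (i * 7919) % count form a permutation.  Constructed values only. */
static fo_key_t fake_key(unsigned i, unsigned count)
{
    return 0xFFFF800012340000ULL + 0x100ULL * ((i * 7919u) % count);
}

typedef struct Stats { double list_avg, tree_avg; unsigned tree_max; } Stats;

/* Insert count keys into both structures, look each one up once, report visits. */
Stats measure(unsigned count)
{
    LNode *list = NULL; ANode *tree = NULL;
    unsigned long list_total = 0, tree_total = 0;
    Stats s = {0, 0, 0};
    for (unsigned i = 0; i < count; i++) {
        list = list_insert(list, fake_key(i, count));
        tree = avl_insert(tree, fake_key(i, count));
    }
    for (unsigned i = 0; i < count; i++) {
        unsigned lv = 0, tv = 0;
        if (!list_find(list, fake_key(i, count), &lv)) abort();
        if (!avl_find(tree, fake_key(i, count), &tv)) abort();
        list_total += lv; tree_total += tv;
        if (tv > s.tree_max) s.tree_max = tv;
    }
    s.list_avg = (double)list_total / count;
    s.tree_avg = (double)tree_total / count;
    list_free(list); avl_free(tree);
    return s;
}

int main(void)
{
    Stats s = measure(1000);
    printf("1000 keys: list avg %.1f visits, AVL avg %.1f visits, AVL max %u\n",
           s.list_avg, s.tree_avg, s.tree_max);
    return 0;
}
```

The list figure is exact: with head insertion the key inserted i-th sits count - i nodes from the head, so a lookup of every key averages (count + 1) / 2 visits regardless of insertion order. The AVL bound follows from its height limit of about 1.44 log2(n), which for 1000 nodes is 14.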

12

Re: File System Minifilter. How to get at least some kind of file ID

Hello, okman, you wrote:
O> Hello, sergey77666, you wrote:
S>> Hello, okman, you wrote:
O>>> Purely as a helpful hint: instead of a list, an AVL tree, for example, is more efficient here.
O>>> See RtlInitializeGenericTableAvl and follow the links from there.
S>> What do I need that for?
O> What does that have to do with it?
O> A search in a list takes linear time, and in a tree, logarithmic.
O> Very roughly, in the first case a search in a list of 1000 elements will
O> take about 500 comparison operations on average, and in the second, about 5.
With a view to usefulness in the future. A self-written list in C/C++ (and likewise a tree) is written once, quietly on the side, and will then work even in the controller of a rocket to Mars, whereas here I'd be wasting time mastering yet another highly specialized API... Especially without making progress on the main thing: http://rsdn.org/forum/asm/7024337.flat (Author: sergey77666, Date: 19.01 09:51) :D

13

Re: File System Minifilter. How to get at least some kind of file ID

Hello, sergey77666, you wrote:
O>>>> Purely as a helpful hint: instead of a list, an AVL tree, for example, is more efficient here.
O>>>> See RtlInitializeGenericTableAvl and follow the links from there.
S>>> What do I need that for?
O>> What does that have to do with it?
O>> A search in a list takes linear time, and in a tree, logarithmic.
O>> Very roughly, in the first case a search in a list of 1000 elements will
O>> take about 500 comparison operations on average, and in the second, about 5.
S> With a view to usefulness in the future. A self-written list in C/C++ (and likewise a tree) is written once, quietly on the side, and will then work even in the controller of a rocket to Mars
With your approach to development and your forays of this kind, a rocket whose controller uses your lists and trees simply won't lift off. Flying to Mars isn't even worth talking about.

14

Re: File System Minifilter. How to get at least some kind of file ID

Hello, Nikita123, you wrote:
N> Hello, sergey77666, you wrote:
O>>>>> Purely as a helpful hint: instead of a list, an AVL tree, for example, is more efficient here.
O>>>>> See RtlInitializeGenericTableAvl and follow the links from there.
S>>>> What do I need that for?
O>>> What does that have to do with it?
O>>> A search in a list takes linear time, and in a tree, logarithmic.
O>>> Very roughly, in the first case a search in a list of 1000 elements will
O>>> take about 500 comparison operations on average, and in the second, about 5.
S>> With a view to usefulness in the future. A self-written list in C/C++ (and likewise a tree) is written once, quietly on the side, and will then work even in the controller of a rocket to Mars
N> With your approach to development and your forays of this kind, a rocket whose controller uses your lists and trees simply won't lift off.
N> Flying to Mars isn't even worth talking about.
We'll see. I'll build one. Or a plane.