1

Topic: FS Minifilter. How to make count of a hash of a file

Namely, not the file that is being worked on, but the executable that is doing the work. Its checksum at the moment. I came up with this solution:
- in the filter, the information (including the path to the exe) is not added straight away to the global queue for writing to the log; instead a new thread is created and the information is handed over to it
- this thread tries to open the file and compute MD5, and adds the result to the global queue
- a thread, as now, checks every N whether the queue is empty; if it is full, it creates a log file and writes everything out to it
But there are questions:
- about opening files: how great is the chance that it will be able to open an EXE file which, most likely, is executing right now?
- can it open it so as not to damage it (if it reads itself, an SFX for example)?
- is there really no more ready-made way to get at least some hash of an EXE file? One that not only lies on disk as a file but is also loaded as a process.
- how is it best to arrange all of this? Right now each log record is dated with the interception time, and the log file name is dated with the time of the flush in the thread. We look at the log "12:00" and see in it the events between the previous log and 12:00. And with MD5 we get the order broken everywhere... In short, the question: is it better for the driver to ignore this completely (let the log-reading utility sort it out), or to try to bring it into a normal form anyway?

2

Re: FS Minifilter. How to make count of a hash of a file

Hello, sergey77666, you wrote:
S> Namely, not the file that is being worked on, but the executable that is doing the work. Its checksum at the moment.
S> I came up with this solution:
S> - in the filter, the information (including the path to the exe) is not added straight away to the global queue for writing to the log; instead a new thread is created and the information is handed over to it
S> - this thread tries to open the file and compute MD5, and adds the result to the global queue
S> - a thread, as now, checks every N whether the queue is empty; if it is full, it creates a log file and writes everything out to it
S> But there are questions:
S> - about opening files: how great is the chance that it will be able to open an EXE file which, most likely, is executing right now?
Execution by itself does not block shared read access in any way. But since preserving the integrity of the EXE file is not planned, it (the EXE file) can be renamed or (if the process manages to die) modified or deleted.
S> - can it open it so as not to damage it (if it reads itself, an SFX for example)?
Reading a file does not conflict with its execution. There can be side effects, for example: the process has been destroyed, there is an attempt to delete the EXE file, but the MD5 calculation is still in progress. Either the file is opened for the calculation in such a way that deletion is impossible, or the deletion succeeds, but creating a file with the same name on top of it will be impossible until the MD5 calculation finishes.
S> - is there really no more ready-made way to get at least some hash of an EXE file? One that not only lies on disk as a file but is also loaded as a process.
In the PE header there is CheckSum (_IMAGE_OPTIONAL_HEADER), but for the EXE files of processes the field can be incorrect and/or empty.
S> - how is it best to arrange all of this? <. .>
It is better to do everything that can be done outside the driver in user mode, for example in a Win32 service or simply a utility. That is, delegate not to a separate thread but move all the processing into a user-mode process (IOCTL / minifilter messages / shared memory through sections and events).

3

Re: FS Minifilter. How to make count of a hash of a file

Hello, EreTIk, you wrote:
ETI> In the PE header there is CheckSum (_IMAGE_OPTIONAL_HEADER), but for the EXE files of processes the field can be incorrect and/or empty.
Oh, and can't it be retrieved from the running process? Some of  may also deliberately corrupt it. But 70-98 % will not.
ETI> It is better to do everything that can be done outside the driver in user mode, for example in a Win32 service or simply a utility. That is, delegate not to a separate thread but move all the processing into a user-mode process (IOCTL / minifilter messages / shared memory through sections and events).
The link is probably good, but in this case the customer is for a monolith.

4

Re: FS Minifilter. How to make count of a hash of a file

ETI>> In the PE header there is CheckSum (_IMAGE_OPTIONAL_HEADER), but for the EXE files of processes the field can be incorrect and/or empty.
S> Oh, and can't it be retrieved from the running process?
The PE header is mapped as part of the EXE file; you only need to parse it (relative to the MZ header). PsGetProcessSectionBaseAddress is not documented in MSDN, but it is exported by the kernel and gives the address of the MZ header.
S> Some of  may also deliberately corrupt it. But 70-98 % will not.
Unfortunately, not all  set this field by default. A requirement for this field to be correct exists, for example, for the .sys files of drivers, but for process EXE files there is none. In IMAGE_FILE_HEADER there is the TimeDateStamp field, which is filled in more often.
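As an added illustration (not code from the thread or from either poster), here is a user-mode Python parser that does what the reply describes: it walks MZ -> e_lfanew -> PE header to read IMAGE_FILE_HEADER.TimeDateStamp and IMAGE_OPTIONAL_HEADER.CheckSum, then reports whether the CheckSum field is empty, matches the standard PE checksum, or does not match. The sample image is constructed inline and is a bare PE32 header, not a real executable; the header offsets are from the PE specification.

```python
import struct
PE_SIG = b"PE\0\0"
TIMESTAMP_OFF = 4 + 4        # after the signature: IMAGE_FILE_HEADER.TimeDateStamp
CHECKSUM_OFF = 4 + 20 + 64   # signature + IMAGE_FILE_HEADER + IMAGE_OPTIONAL_HEADER32.CheckSum (PE32+ uses +88)

def parse_pe_headers(image):
    """Walk MZ -> e_lfanew -> PE and return (TimeDateStamp, CheckSum, file offset of CheckSum)."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != PE_SIG:
        raise ValueError("missing PE signature")
    timestamp = struct.unpack_from("<I", image, e_lfanew + TIMESTAMP_OFF)[0]
    cs_off = e_lfanew + CHECKSUM_OFF
    return timestamp, struct.unpack_from("<I", image, cs_off)[0], cs_off

def pe_checksum(image, cs_off):
    """Standard PE checksum: end-around-carry sum of all dwords except the CheckSum field, plus file length."""
    data = image + b"\0" * (-len(image) % 4)
    total = 0
    for i in range(0, len(data), 4):
        if i == cs_off:
            continue
        total += struct.unpack_from("<I", data, i)[0]
        total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    total += total >> 16
    return (total & 0xFFFF) + len(image)

def checksum_status(image):
    """'empty' if the linker left the field zero, 'ok' if it matches, 'mismatch' otherwise."""
    _, stored, cs_off = parse_pe_headers(image)
    if stored == 0:
        return "empty"
    return "ok" if stored == pe_checksum(image, cs_off) else "mismatch"

def build_sample_image(timestamp, checksum):
    """Constructed minimal PE32 header (not a real executable): MZ stub, e_lfanew=0x40, headers, 4-byte tail."""
    dos = bytearray(b"MZ" + b"\0" * 62)
    struct.pack_into("<I", dos, 0x3C, 0x40)
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 1, timestamp, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)        # PE32 magic
    struct.pack_into("<I", opt, 64, checksum)     # CheckSum field
    return bytes(dos) + PE_SIG + file_hdr + bytes(opt) + b"\0" * 4

def demo():
    empty = build_sample_image(0x4B2F1A3C, 0)                   # field left empty, as for many EXEs
    filled = build_sample_image(0x4B2F1A3C, pe_checksum(empty, parse_pe_headers(empty)[2]))
    return checksum_status(empty), checksum_status(filled), checksum_status(filled[:-1] + b"\x01")
```

An empty field only tells you the linker did not fill it, so a log entry built from it carries no integrity information; a non-empty mismatch is worth flagging.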

5

Re: FS Minifilter. How to make count of a hash of a file

Hello, EreTIk, you wrote:
ETI>>> In the PE header there is CheckSum (_IMAGE_OPTIONAL_HEADER), but for the EXE files of processes the field can be incorrect and/or empty.
S>> Oh, and can't it be retrieved from the running process?
ETI> The PE header is mapped as part of the EXE file; you only need to parse it (relative to the MZ header). PsGetProcessSectionBaseAddress is not documented in MSDN, but it is exported by the kernel and gives the address of the MZ header.
S>> Some of  may also deliberately corrupt it. But 70-98 % will not.
ETI> Unfortunately, not all  set this field by default. A requirement for this field to be correct exists, for example, for the .sys files of drivers, but for process EXE files there is none.
ETI> In IMAGE_FILE_HEADER there is the TimeDateStamp field, which is filled in more often.
And can't some hash be derived from the code-signing signature (if there is one)? Or simply check its validity. In kernel mode.

6

Re: FS Minifilter. How to make count of a hash of a file

S> And can't some hash be derived from the code-signing signature (if there is one)? Or simply check its validity. In kernel mode.
There is no documented method. But on Vista and more modern OS there is ci.dll for kernel mode, which the kernel and the driver use to check the validity of the code-signing signature.

7

Re: FS Minifilter. How to make count of a hash of a file

Hello, sergey77666, you wrote:
S> - this thread tries to open the file and compute MD5, and adds the result to the global queue
Don't use md5. Not only is it no longer , in the medium term it is not the fastest at all. For computing SHA, more or less modern processors have special , and for MD5 there is none and will not be.

8

Re: FS Minifilter. How to make count of a hash of a file

Hello, Pzz, you wrote:
Pzz> Hello, sergey77666, you wrote:
S>> - this thread tries to open the file and compute MD5, and adds the result to the global queue
Pzz> Don't use md5. Not only is it no longer , in the medium term it is not the fastest at all. For computing SHA, more or less modern processors have special , and for MD5 there is none and will not be.
And CRC?

9

Re: FS Minifilter. How to make count of a hash of a file

Hello, sergey77666, you wrote:
Pzz>> Don't use md5. Not only is it no longer , in the medium term it is not the fastest at all. For computing SHA, more or less modern processors have special , and for MD5 there is none and will not be.
S> And CRC?
What CRC?

10

Re: FS Minifilter. How to make count of a hash of a file

Hello, Pzz, you wrote:
Pzz> Hello, sergey77666, you wrote:
Pzz>>> Don't use md5. Not only is it no longer , in the medium term it is not the fastest at all. For computing SHA, more or less modern processors have special , and for MD5 there is none and will not be.
S>> And CRC?
Pzz> What CRC?
Use it here instead of md5.

11

Re: FS Minifilter. How to make count of a hash of a file

Hello, sergey77666, you wrote:
Pzz>> What CRC?
S> Use it here instead of md5.
Well, that one never. The probability that the CRCs of two randomly taken files coincide is not zero, and forging it costs nothing.

12

Re: FS Minifilter. How to make count of a hash of a file

Hello, Pzz, you wrote:
Pzz> Hello, sergey77666, you wrote:
Pzz>>> What CRC?
S>> Use it here instead of md5.
Pzz> Well, that one never.
Sorry! Read the other threads. This minifilter is not  MMF,  accesses to files beginning with 0 , and you are fussing about some kind of "security guard". I was asking about speed!

13

Re: FS Minifilter. How to make count of a hash of a file

Hello, sergey77666, you wrote:
S> I was asking about speed!
Speed should be quite good. Besides,  has  for computing CRC32 quickly. But it is not a fact that your implementation uses them.

14

Re: FS Minifilter. How to make count of a hash of a file

Hello, sergey77666, you wrote:
Pzz>> What CRC?
S> Use it here instead of md5.
It is even worse, and it can also be found by trial.

15

Re: FS Minifilter. How to make count of a hash of a file

Hello, Glory, you wrote:
> Hello, sergey77666, you wrote:
Pzz>>> What CRC?
S>> Use it here instead of md5.
> It is even worse, and it can also be found by trial.
I do not think that when pirates infect an installer they sit and pick bytes so that the CRC matches the original before putting the file on  or a site.