aravindtj
asked on
Writing FileSystem Filter Driver. How to Start?
Hi Experts,
I want to write a filter driver to intercept all the file IO requests.
I also need to identify the invoking application, type of request, the target file requested.
Using that, I want to block some applications to access some sensitive files.
Can you tell me, How to/ From where to start? I am using VC++ 6 & WIndows 2000.
I am also having DDK for Windows 2000. I am stuck at starting to write a simple device driver.
Is there any way to develope such type of drivers portable to all Win32 Platforms?
If providing any sample code along with documentation, it will help me more.
Thanks.
with regards,
aravind.t
I want to write a filter driver to intercept all the file IO requests.
I also need to identify the invoking application, type of request, the target file requested.
Using that, I want to block some applications to access some sensitive files.
Can you tell me, How to/ From where to start? I am using VC++ 6 & WIndows 2000.
I am also having DDK for Windows 2000. I am stuck at starting to write a simple device driver.
Is there any way to develope such type of drivers portable to all Win32 Platforms?
If providing any sample code along with documentation, it will help me more.
Thanks.
with regards,
aravind.t
To build a file system filter DRIVER you have to use the DDK.
A filter driver written for Windows 2000 will work on XP, but will not work on 95,98&ME.
Although you request sounds like a fairly trivial matter, in fact it is quite a complicated bit of code.
A filter driver written for Windows 2000 will work on XP, but will not work on 95,98&ME.
Although you request sounds like a fairly trivial matter, in fact it is quite a complicated bit of code.
ASKER
Hi Rhodgson,
Thanks for your reply.
I know that my requirement is complicated.
But, I am newbie to driver development.
So, I want to know about the Basic concepts in writing and testing Device drivers.
Like, the driver I supposed to develope will display all the file system call like open, read, write of files.
I know that the drivers are not compatible with Win NT and Win 9x systems. But, I refered KernalDriver tools website that they are providing drives compatible with all Windows platforms.
If you have any simple, sample code in c++ to write a elementary device driver for win2k,
it will help me a lot.
I refered some books like, DDK documentation, WindowsNT File System Internals, Programming the Microsoft Windows Driver Model by Walt Oney, The Windows 2000 Device Driver Book, A Guide for Programmers, Second Edition by Art Baker,Jerry Lozano etc.
But nowhere, I found how to start and from where to start?
Thanks in advance.
Thanks for your reply.
I know that my requirement is complicated.
But, I am newbie to driver development.
So, I want to know about the Basic concepts in writing and testing Device drivers.
Like, the driver I supposed to develope will display all the file system call like open, read, write of files.
I know that the drivers are not compatible with Win NT and Win 9x systems. But, I refered KernalDriver tools website that they are providing drives compatible with all Windows platforms.
If you have any simple, sample code in c++ to write a elementary device driver for win2k,
it will help me a lot.
I refered some books like, DDK documentation, WindowsNT File System Internals, Programming the Microsoft Windows Driver Model by Walt Oney, The Windows 2000 Device Driver Book, A Guide for Programmers, Second Edition by Art Baker,Jerry Lozano etc.
But nowhere, I found how to start and from where to start?
Thanks in advance.
The KernalDriver tools that provide functionality for both NT and 95 versions include both a SYS driver and a VXD driver which have to be developed seperately.
Device Drivers are actually harder to write in C++ without additional tools, because C++ relies on the C runtime libraries which are not available in device drivers. So you either have to build the C++ support functions, buy a library that does this, or stick with C for writing device drivers.
Template device drivers are available in the DDK samples folder, and Microsoft used to also provide an "IFS kit" to help you work with the filing system. I havn't built any device drivers in quite some time so I am not completely up to date on what source Microsoft provide and where you would find it at the moment.
http://www.sysinternals.com provide "filemon" which probably does everything you are interested in and quite a lot more. Again they used to provide source for this utility (I certainly have the source to v4.28), so perhaps that is available somewhere on the internet.
I would post example code in my reply, however device driver code is rather large, with the Microsoft sample filter driver shell stetching to over 3,000 lines of code (the file being called sfilter.c).
Device Drivers are actually harder to write in C++ without additional tools, because C++ relies on the C runtime libraries which are not available in device drivers. So you either have to build the C++ support functions, buy a library that does this, or stick with C for writing device drivers.
Template device drivers are available in the DDK samples folder, and Microsoft used to also provide an "IFS kit" to help you work with the filing system. I havn't built any device drivers in quite some time so I am not completely up to date on what source Microsoft provide and where you would find it at the moment.
http://www.sysinternals.com provide "filemon" which probably does everything you are interested in and quite a lot more. Again they used to provide source for this utility (I certainly have the source to v4.28), so perhaps that is available somewhere on the internet.
I would post example code in my reply, however device driver code is rather large, with the Microsoft sample filter driver shell stetching to over 3,000 lines of code (the file being called sfilter.c).
ASKER
Hi Rhodgson,
Thanks for your reply.
I can't get the source code for "filemon" the www.sysinternals.com site. Can you send me the source code? It will be helpful, if send the sample code to me.
I have one more doubt. How to test the driver after installing. ie, I installed a driver for monitoring file system calls. I a file is openned for writing, some notification like a message box must pop.
How to do this?
I am not having IFS now.And I have DDK.
Thanks in advance.
Thanks for your reply.
I can't get the source code for "filemon" the www.sysinternals.com site. Can you send me the source code? It will be helpful, if send the sample code to me.
I have one more doubt. How to test the driver after installing. ie, I installed a driver for monitoring file system calls. I a file is openned for writing, some notification like a message box must pop.
How to do this?
I am not having IFS now.And I have DDK.
Thanks in advance.
Unfortunately the license clearly states I cannot distribute the source files, so if you can't find it on the sysinternals website then I guess it is no longer publicly available. The IFS kit comes with a similiarly restrictive license.
To open a message box from a driver, you would normally run another process in user space, or the system account which checks the driver and then produces the message box when the driver returns a signal.
Like I said at in my first response to do what you are asking is far from a trivial piece of work.
To open a message box from a driver, you would normally run another process in user space, or the system account which checks the driver and then produces the message box when the driver returns a signal.
Like I said at in my first response to do what you are asking is far from a trivial piece of work.
ASKER
Thanks lot Mr Rhodgson.
I developed a driver. And How can send the driver debug messages [like using DbgPrint(..,..)] directly to system Event Log. So, I can view the driver events using the Eventviewer. I can write events in eventlog for my applications by ReportEvent method. But is not working in driver programming.
How to do this?
Thanks in advance.
ASKER
Hi Mr Rhodgson,
In the book "Windows NT Event Logging" by James D. Murray, http://www.oreilly.com/catalog/winlog/chapter/ch02.html I learn that I cann't access the Event Logging API for the Kernal mode programs like Drivers. It is foronly user applications.
I also says that we can only access that service through the I/O Manager.
How to do that?
ASKER
Hi,
I got the solution for my recent question.
The code is as follows:
VOID LogEvent(NTSTATUS code, PDEVICE_OBJECT fdo)
{
PWSTR myname = L"EventLog";
ULONG packetlen = (wcslen(myname) + 1) * sizeof(WCHAR) + sizeof(IO_ERROR_LOG_PACKET
if (packetlen > ERROR_LOG_MAXIMUM_SIZE)
return; // packet will be too big
PIO_ERROR_LOG_PACKET p = (PIO_ERROR_LOG_PACKET) IoAllocateErrorLogEntry(fd
if (!p)
return;
memset(p, 0, sizeof(IO_ERROR_LOG_PACKET
p->MajorFunctionCode = IRP_MJ_PNP;
p->ErrorCode = code;
p->DumpDataSize = 4;
p->DumpData[0] = 0x2A2A2A2A;
p->StringOffset = sizeof(IO_ERROR_LOG_PACKET
p->NumberOfStrings = 1;
wcscpy((PWSTR) ((PUCHAR) p + p->StringOffset), myname);
IoWriteErrorLogEntry(p);
}
Thanks for ideas.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
http://www.osronline.com/article.cfm?id=20
But, I dont want to use DDK.
How to do?