Comments by Wshwilfried

Wshwilfried 21-Apr-16 20:11pm View

Hello,
My end goal is to track modifications made on certain set of files that I monitor in a mini filter and track their respective sectors at disk level with another driver. I have started to implement it but I had some failure to track sectors of resident files this including file attributes etc that are embedded within the base file record. So I came to the conclusion that If I found a way to track the sectors representing those file's attributes that would satisfy me, thus the post.

Wshwilfried 13-Apr-16 20:28pm View

Thanks you very much. I clearly see it now.

Wshwilfried 8-Apr-16 3:57am View

Thank you for the prompt reply. I am going through the CMOS RAM addresses but dont find anything about encryption support could you please show me what I should look at?

Wshwilfried 8-Apr-16 0:58am View

Thank you very much it solved my problem, programming drivers is really an art.

Wshwilfried 22-Mar-16 23:58pm View

In my second call to ZwCreateFile I set the desired access to SYNCHRONIZE and it worked. Can anyone explain why? I thought since My goal is to simultaneously read the file I had to provide FILE_READ_DATA or GENERIC_READ.

Wshwilfried 6-Mar-16 21:50pm View

I think I found it, I just Set the byte offset to 0 when calling ZwWritefile and since the buffers are of the same size it always get updated.

Wshwilfried 6-Mar-16 21:10pm View

I just tried That but it is not giving what I want also it isn't much different from FILE_OVERWRITE_IF that I was using before posting my question. What I need is that when calling ZwWriteFile the file content get cleared before the new buffer get written to the corresponding file.

Wshwilfried 1-Mar-16 19:16pm View

Thank you, I'll try that.

Wshwilfried 22-Jul-15 5:09am View

I Will suggest you find the IRPs that get sent for the operation you desire to track. There are lots of tutorials here at code project and Google, start from there and once you have tried something i'm sure you get more help.

Wshwilfried 3-Jul-15 5:22am View

I did get this from msdn STATUS_OBJECT_NAME_NOT_FOUND (The filter service key is not found in the registry.-or-The filter instance is not registered).I then updated the inf file like this but still have the same error

;;;
;;; WegsFsFilter
;;;

[Version]
Signature = "$Windows NT$"
; TODO - Change the Class and ClassGuid to match the Load Order Group value, see http://msdn.microsoft.com/en-us/windows/hardware/gg462963
Class = "ActivityMonitor" ;This is determined by the work this filter driver does
ClassGuid = {b86dff51-a31e-4bac-b3cf-e8cfe75c9fc2} ;This value is determined by the Load Order Group value
Class = "_TODO_Change_Class_appropriately_"
ClassGuid = {_TODO_Change_ClassGuid_appropriately_}
Provider = %ManufacturerName%
DriverVer = 07/01/2015,1.0.0.0
CatalogFile = WegsFsFilter.cat

[DestinationDirs]
DefaultDestDir = 12
WegsFsFilter.DriverFiles = 12 ;%windir%\system32\drivers

;;
;; Default install sections
;;

[DefaultInstall]
OptionDesc = %ServiceDescription%
CopyFiles = WegsFsFilter.DriverFiles

[DefaultInstall.Services]
AddService = %ServiceName%,,WegsFsFilter.Service

;;
;; Default uninstall sections
;;

[DefaultUninstall]
DelFiles = WegsFsFilter.DriverFiles

[DefaultUninstall.Services]
DelService = %ServiceName%,0x200 ;Ensure service is stopped before deleting

;
; Services Section
;

[WegsFsFilter.Service]
DisplayName = %ServiceName%
Description = %ServiceDescription%
ServiceBinary = %12%\%DriverName%.sys ;%windir%\system32\drivers\
Dependencies = "FltMgr"
ServiceType = 2 ;SERVICE_FILE_SYSTEM_DRIVER
StartType = 3 ;SERVICE_DEMAND_START
ErrorControl = 1 ;SERVICE_ERROR_NORMAL
; TODO - Change the Load Order Group value, see http://connect.microsoft.com/site221/content/content.aspx?ContentID=2512
LoadOrderGroup = "FSFilter Activity Monitor"
LoadOrderGroup = "_TODO_Change_LoadOrderGroup_appropriately_"
AddReg = WegsFsFilter.AddRegistry

;
; Registry Modifications
;

[WegsFsFilter.AddRegistry]
HKR,,"SupportedFeatures",0x00010001,0x3
HKR,"Instances","DefaultInstance",0x00000000,%DefaultInstance%
HKR,"Instances\"%Instance1.Name%,"Altitude",0x00000000,%Instance1.Altitude%
HKR,"Instances\"%Instance1.Name%,"Flags",0x00010001,%Instance1.Flags%
HKR,"Instances\"%Instance2.Name%,"Altitude",0x00000000,%Instance2.Altitude%
HKR,"Instances\"%Instance2.Name%,"Flags",0x00010001,%Instance2.Flags%
HKR,"Instances\"%Instance3.Name%,"Altitude",0x00000000,%Instance3.Altitude%
HKR,"Instances\"%Instance3.Name%,"Flags",0x00010001,%Instance3.Flags%

;
; Copy Files
;

[WegsFsFilter.DriverFiles]
%DriverName%.sys

[SourceDisksFiles]
WegsFsFilter.sys = 1,,

[SourceDisksNames]
1 = %DiskId1%,,,

;;
;; String Section
;;

[Strings]
; TODO - Add your manufacturer
ManufacturerName = "Wega Driver"
ServiceDescription = "WegsFsFilter Mini-Filter Driver"
ServiceName = "WegsFsFilter"
DriverName = "WegsFsFilter"
DiskId1 = "WegsFsFilter Device Installation Disk"

;Instances specific information.
;DefaultInstance = "WegsFsFilter - Top Instance"
;Instance1.Name = "WegsFsFilter Middle Instance"
; TODO - Change the altitude value, see http://connect.microsoft.com/site221/content/content.aspx?ContentID=2512
;Instance1.Altitude = "370030"
;Instance.Altitude = "_TODO_Change_Altitude_appropriately_"
;Instance1.Flags = 0x0 ; Allow all attachments

DefaultInstance = "WegsFsFilter - Top Instance"
Instance1.Name = "WegsFsFilter - Middle Instance"
Instance1.Altitude = "370000"
Instance1.Flags = 0x1 ; Suppress automatic attachments

Wshwilfried 27-May-15 2:05am View

Okay Thanks.

Wshwilfried 26-May-15 4:24am View

Deleted

...

Comments by Wshwilfried (Top 12 by date)