EldoS | Feel safer!

Software components for data protection, secure storage and transfer

Monitoring a DIR for File IO

Also by EldoS: Callback File System
Create virtual file systems and disks, expose and manage remote data as if they were files on the local disk.
#7129
Posted: 07/30/2008 06:10:30
by Developer Amit (Basic support level)
Joined: 07/03/2008
Posts: 11

Hi,

I want to modify the sample (CBFilter project) to capture File IOs coming on some default DIR. For eg. if the default DIR is "C:\MyDir" then all File IOs like OpenFile, CreateFile, WriteFile, ChangeAttributes, etc. must be captured and written to a log file, say "C:\MyLog.txt"

What would I have to change to make the application work as explained above.

Any pointers for the solution will be appreciated.

Regards,
Amit
#7134
Posted: 07/30/2008 08:49:10
by Eugene Mayevski (EldoS Corp.)

Did you try monitoring by mask "c:\MyDir\*.*"?


Sincerely yours
Eugene Mayevski
#7173
Posted: 08/01/2008 07:59:56
by Developer Amit (Basic support level)
Joined: 07/03/2008
Posts: 11

I have masked 4 dir as below:

MASK CALLBACKS
----------------------------------------
C:\TestCBF\TestCreate\*.* --> CreateCallback
C:\TestCBF\TestOpen\*.* --> OpenCallback
C:\TestCBF\TestRename\*.* --> RenameCallback
C:\TestCBF\TestWrite\*.* --> WriteCallback

All these dir have few files in them (doc & txt). Each corresponding Callback function has just one line of code, which is to print a relevant Message Box with the IO performed.

Whenever I try to Rename a file and press enter to complete the operation, RenameCallback should get invoked & print the Message Box. But instead the machine reboots. Whenever any kind of Read Io takes place, it invokes the corresponding Message Box written in their respectiveCallback. But when we invoke any kind of Write IO, like Write File, Rename File, Create File, etc. it fails and reboots my machine.

I have tried this on a single dir with single Callback masked, still I face the same problem.

Is this expected behavior?


Regards,
Amit
#7177
Posted: 08/01/2008 09:36:04
by Eugene Mayevski (EldoS Corp.)

This issue happened with older builds of CallbackFilter drivers but was fixed since then. I am not sure whether this happened before or after the last public build. Next build is expected in about a week.


Sincerely yours
Eugene Mayevski
#7192
Posted: 08/04/2008 03:45:29
by Developer Amit (Basic support level)
Joined: 07/03/2008
Posts: 11

Hi Eugene,

Thanks for acknowledging my problem. I am using the build available on the site (Release Candidate - 2 Version - 0.2.8) released on 7/22/8.

Is it possible for you to send us a patch which has the problem fixed, so that we can start using it.

My job is to evaluate the product for certain scenarios so that we can use it in our development. It would be great if you could mail us the patch or the new release at the earliest.

Warm Regards,
Amit
#7193
Posted: 08/04/2008 04:01:56
by Vladimir Cherniga (EldoS Corp.)

Hi,
try to install the attached driver(zippped), it contains some bug fixes.


[ Download ]
#7221
Posted: 08/05/2008 11:32:22
by Developer Amit (Basic support level)
Joined: 07/03/2008
Posts: 11

Hi,

Thanks for the driver. It worked :)

We have a couple of queries. We are working on a CDP/Backup product for which I am evaluating Callback Filter driver. We want to capture all Write IOs on a particular file or DIR. I have modified the BaseFilter sample of yours, in such a way that when ever I try to write any thing to the file, it gives me a message that file is been written.

For this I have modified 'CbFltWriteFileC( )' func. This gets invoked whenever we try to write (WriteCallback) anything to the file present in the dir that we have masked while setting up the rules.

We are able to fetch the filename from 'FileName' parameter. But when we try to capture the 'Buffer' (4th parameter) and print it using MessageBoxW( ) it prints appropriate junk data. I am also trying to write the buffer contents to our io_log file, but it does not write anything over there. Why could this happen? We are not able to fetch the buffer properly.

Further to our investigation, we found that the 5th parameter, 'BytesToWrite' is 4096 bytes. I was assuming it to be the number of bytes written. So, if I write 10 bytes, it's value should be 10. What does this 4096 (4K) signify?

Also the 3rd parametr, 'Position' which must signify the Offset of the data in the file is always less than zero. I am testing it like...

if (Position > 0) {
MessageBoxA(...);
}

The Message box never gets invoked.

Could you throw some light on how are they to be accessed.

Also, if you have any ready made sample, where you have shown how to capture any Write IOs, please attach it in the mail, so that it will help us to understand its working quickly.

Thanks & Regards,
Amit
#7231
Posted: 08/06/2008 06:57:09
by Vladimir Cherniga (EldoS Corp.)

Callback FIlter interceptes Write/Read request only when they are targeted directly to the nonvolatile (disk) storage. In order to fulfill the requirements of system performance during file I/O operations the caching mechanism is used widely. It means that the most frequently used data may be stored in the system cache and they will be flushed to the disk storage after an indeterminate period of time.
About 'BytesPosition' and 'Offset' parameter of the Write/Read callbacks i could say that this values depends on actual storage block size and filesytem cluster size. This is a minimal value accessable to file system for read/write from the disk. So even if the file size is equal to 10 bytes, in reality this file may occupy 4096 byte of disk space. You can monitor the valid file size from the OnSetEOF callback, or request it from file system.
#7233
Posted: 08/06/2008 08:28:48
by Developer Amit (Basic support level)
Joined: 07/03/2008
Posts: 11

Hi,

Thanks for the reply. The file size will depend on the block size, but the 'Position' variable should be the Offset at which the data captured by IO is to be written. Thats what I can understand.

Can you just tell us, how do be go about to create a real time replication and get the data which is changing using Callback Filter Driver ?

Thanks & Regards,
Amit
#7239
Posted: 08/06/2008 09:57:09
by Developer Amit (Basic support level)
Joined: 07/03/2008
Posts: 11

Hi,

We are working on a backup product where we want to capture live IOs (all kind of Write IOs) during the initial backup process and store those IOs into a separate file (Queue). Once the backup is done, we have the control of the IOs captured and stored in a Queue to be applied to the respective files if required or ignored altogether. From the IOs captured we should be able to fetch the following 3 things:

1. File Name
2. Offset within the file
3. Actual changed data (no. of bytes modified)

Currently the function that we are using from Base Filter Sample is 'CbFltWriteFileC( )' which gets invoked at every Write IO. That is, whenever I save any thing in a file (as per the Mask set in the rule).

We get the Filename correctly but the position is always returned as 0 (zero). That means it returns back the whole data of the file in this particular Callback. This is what we have observed, while trying to fetch data of diff. file size. The data available is in 4K block size.

Which other Callback function should we use to achieve the above mentioned criteria?

Can we use Callback Filter driver to resolve the above mentioned problem? If yes, what is that we should look into ?

Thanks & Regards,
Amit
Also by EldoS: RawDisk
Access locked and protected files in Windows, read and write disks and partitions and more.

Reply

Statistics

Topic viewed 11680 times

Number of guests: 1, registered members: 0, in total hidden: 0




|

Back to top

As of July 15, 2016 EldoS Corporation will operate as a division of /n software inc. For more information, please read the announcement.

Got it!