EldoS | Feel safer!

Software components for data protection, secure storage and transfer

Intercept Alternative Data Stream open/write/delete

#20940
Posted: 07/31/2012 17:31:19
by Jason Coleman (Basic support level)
Joined: 03/21/2012
Posts: 17

Hi there,

Is it possible to intercept Alternative data stream accesses and prevent ADS deletions on certain files?

Thanks
#20941
Posted: 07/31/2012 18:08:42
by Vladimir Cherniga (EldoS Corp.)

Hi, you may set a mask like "*:*" in the filter rule and handle ADS access.
#20950
Posted: 08/01/2012 04:53:29
by Jason Coleman (Basic support level)
Joined: 03/21/2012
Posts: 17

Hi,

I tried this but it does not seem to work. Perhaps I am using it incorrectly.

I have 3 instances of Callback Filter in my project (the first two work perfectly):

1 to handle OpenCallbacks
1 to handle WriteNotify/CreateNotify
1 to handle ADS deletion

The third filter fails to fire the callback when an ADS delete is attempted (using AlternateStreamView - from NirSoft).

Any thoughts?
#20951
Posted: 08/01/2012 05:07:29
by Vladimir Cherniga (EldoS Corp.)

Did you try to handle ADS delete with the CanFileBeDeleted callback? I've tested with the streams tool from Sysinternals, trying to delete a simple data stream from the text file (1.txt:2.txt).
#20952
Posted: 08/01/2012 05:17:35
by Jason Coleman (Basic support level)
Joined: 03/21/2012
Posts: 17

I sure did. See below for how I defined the filters and callbacks...

Code
mReadFilter.AddFilterCallbackRule(@"*.txt", CbFltCallbackFlags.OpenCallback | CbFltCallbackFlags.RenameCallback | CbFltCallbackFlags.RenameNotify);

mADSFilter.OnCanFileBeDeletedC = CanSensitiveADSFileBeDeletedC;
mADSFilter.AddFilterCallbackRule(@"*:marker*", CbFltCallbackFlags.DeleteCallback);

mWriteFilter.AddFilterCallbackRule(@"*.*", CbFltCallbackFlags.WriteNotify | CbFltCallbackFlags.CreateNotify);

where

Code
private CallbackFilter mReadFilter = new CallbackFilter();
private CallbackFilter mWriteFilter = new CallbackFilter();
private CallbackFilter mADSFilter = new CallbackFilter();
#20953
Posted: 08/01/2012 05:40:43
by Vladimir Cherniga (EldoS Corp.)

How do you handle the delete callback? Does it work with streams.exe /d <filename> (find this tool on sysinternals.com)?
#20987
Posted: 08/02/2012 08:11:15
by Jason Coleman (Basic support level)
Joined: 03/21/2012
Posts: 17

It does work with streams but not the tool mentioned above. Weird.
#20988
Posted: 08/02/2012 14:12:06
by Vladimir Cherniga (EldoS Corp.)

Will check this a.s.a.p.
#21024
Posted: 08/12/2012 01:18:02
by Vladimir Cherniga (EldoS Corp.)

Quote
It does work with streams but not the tool mentioned above. Weird.

Actually it works in the same way as with the streams tool. If you update the stream list after deleting, then it shows "deleted streams" again. It happens silently, because you just return FALSE from the OnFileDelete callback. To raise an error from the callback request, you must throw an exception from the callback function.
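
The point in the last reply (a denied ADS delete can look successful until the stream list is refreshed) can be checked from the client side by re-enumerating streams after the delete attempt. The PowerShell below is an added example, not code from this thread or from EldoS; the function name `Test-AdsDeleteOutcome`, the temporary file and the outcome labels are assumptions, and the stream name `marker` is a constructed value chosen to match the `*:marker*` rule posted above.

```powershell
# Added example: classify what really happened to an ADS delete attempt.
# Requires PowerShell 3.0+ and an NTFS volume.
function Test-AdsDeleteOutcome {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$Stream
    )

    # Confirm the stream exists before the attempt.
    $before = @(Get-Item -Path $Path -Stream * -ErrorAction Stop |
                Where-Object { $_.Stream -eq $Stream })
    if ($before.Count -eq 0) { return 'StreamNotPresent' }

    # Attempt the delete and record whether the caller saw an error.
    $errorRaised = $false
    try {
        Remove-Item -Path $Path -Stream $Stream -ErrorAction Stop
    } catch {
        $errorRaised = $true
    }

    # Re-enumerate instead of trusting the return status: a filter that
    # denies the delete without raising an error leaves the stream in place.
    $after = @(Get-Item -Path $Path -Stream * -ErrorAction Stop |
               Where-Object { $_.Stream -eq $Stream })
    $stillThere = $after.Count -gt 0

    if ($stillThere -and $errorRaised) { return 'DeniedWithError' }
    if ($stillThere)                   { return 'DeniedSilently' }
    if ($errorRaised)                  { return 'DeletedDespiteError' }
    return 'Deleted'
}

# Constructed sample input: a temp .txt file carrying a "marker" stream.
$sample = Join-Path $env:TEMP 'ads-delete-test.txt'
Set-Content -Path $sample -Value 'main data'
Set-Content -Path $sample -Stream 'marker' -Value 'protected'

Test-AdsDeleteOutcome -Path $sample -Stream 'marker'
Remove-Item -Path $sample -ErrorAction SilentlyContinue
```

On a volume with no filter attached this reports `Deleted`; `DeniedSilently` corresponds to the behaviour described in the last reply, and `DeniedWithError` to a callback that throws.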