EldoS | Feel safer!

Software components for data protection, secure storage and transfer

Win api CreateFile() intercept

#23009
Posted: 12/30/2012 22:54:43
by Vishnu Venkatesh (Basic support level)
Joined: 12/27/2012
Posts: 19

What events would intercept a call to the Win API CreateFile()? I tried to enable all the events, but none of them intercept this call. Process Monitor shows this as IRP_MJ_CREATE.

Thanks.
#23010
Posted: 12/30/2012 23:13:58
by Vishnu Venkatesh (Basic support level)
Joined: 12/27/2012
Posts: 19

Here's the code I have written in the user mode...

Code
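   // Wide string literal, so the pointer type must be LPCWSTR
   LPCWSTR fileName = L"C:\\tmp\\filesize.txt";
   // Open the existing file for reading; share mode 0 means exclusive access
   HANDLE handle = CreateFileW(fileName, GENERIC_READ, 0, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if(handle == INVALID_HANDLE_VALUE)
   {
      // Pass a wide literal instead of casting a narrow string to LPCWSTR
      AddToLog(L"invalid handle");
   }
   else
   {
      // Only close a handle that was actually opened
      CloseHandle(handle);
   }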



Filter is set to c:\tmp\*.*

Callbacks enabled:

Code
   g_CbFlt.AddFilterCallbackRule(text, (CallbackFilter::CbFltCallbackFlags)(
      CallbackFilter::ReadCallback |
      CallbackFilter::WriteCallback |
      CallbackFilter::CreateCallback |
      CallbackFilter::RenameCallback |
      //CallbackFilter::SetSizesCallback |
      CallbackFilter::GetSizesCallback |
      CallbackFilter::DeleteCallback |
      CallbackFilter::SetBasicInfoCallback |
      CallbackFilter::EnumerateDirectoryCallback |
      CallbackFilter::OpenCallback |
      CallbackFilter::CloseCallback
      ));
#23012
Posted: 12/31/2012 00:03:35
by Eugene Mayevski (EldoS Corp.)

Does the sample work for you? If it does, please take the sample and find the differences between your code and the sample.


Sincerely yours
Eugene Mayevski
#23014
Posted: 12/31/2012 10:07:14
by Vishnu Venkatesh (Basic support level)
Joined: 12/27/2012
Posts: 19

Quote
Eugene Mayevski wrote:
Does the sample work for you? If it does, please take the sample and find the differences between your code and the sample.


Eugene - which sample would that be? I looked at the BaseFilter, EncryptXOR and FileMon samples.

All these samples work when the CreateFileW() call comes from an app outside of the dialog.

When the CreateFileW() win api is called within the dialog as I have shown in the code above, then the callback (for OpenFile??) is not fired.

The only difference I found - and I don't know if this means anything - is that I have called CreateFileW() with GENERIC_READ and share mode to be 0 whereas other calls are 0 and FILE_SHARE_READ | FILE_SHARE_WRITE.
#23015
Posted: 12/31/2012 12:25:51
by Vladimir Cherniga (EldoS Corp.)

Quote
When the CreateFileW() win api is called within the dialog as I have shown in the code above, then the callback (for OpenFile??) is not fired.

You should use CallbackFilter.FilterOwnProcess to enable callback events for the process that initiates filtering with AttachFilter(). It is disabled by default as it could deadlock your application with callback recursion.
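
The recursion described in the reply above, sketched as an added example that is not part of the original thread and is not EldoS code. It is a portable C++ model that makes no CallbackFilter calls; `FilterModel`, `run`, the PIDs, the log paths and the depth limit are assumptions made for illustration.

```cpp
// Added illustration: a portable model, NOT the CallbackFilter API.
#include <algorithm>
#include <cctype>
#include <cstdio>
#include <functional>
#include <string>

struct Open { int pid; std::string path; };

struct FilterModel {
    int ownerPid;            // process that attached the filter
    bool filterOwnProcess;   // models the FilterOwnProcess setting (off by default)
    std::function<void(FilterModel&, const Open&)> onOpen;  // user-mode callback handler
    int delivered = 0;       // callbacks fired
    int depth = 0, maxDepth = 0;
    bool wouldDeadlock = false;
    static constexpr int kLimit = 8;  // assumed cut-off so the model terminates

    static bool inRule(std::string p) {  // models the rule c:\tmp\*.*
        std::transform(p.begin(), p.end(), p.begin(),
                       [](unsigned char c) { return std::tolower(c); });
        return p.rfind("c:\\tmp\\", 0) == 0;
    }
    void open(const Open& r) {
        if (!inRule(r.path)) return;
        if (r.pid == ownerPid && !filterOwnProcess) return;     // own opens bypass callbacks
        if (depth >= kLimit) { wouldDeadlock = true; return; }  // handler keeps re-entering itself
        maxDepth = std::max(maxDepth, ++depth);
        ++delivered;
        if (onOpen) onOpen(*this, r);
        --depth;
    }
};

// Runs the thread's scenario; logPath is where the callback handler writes its log.
FilterModel run(bool filterOwnProcess, const std::string& logPath) {
    const int owner = 100, other = 200;  // constructed PIDs
    FilterModel f{owner, filterOwnProcess};
    f.onOpen = [=](FilterModel& flt, const Open&) { flt.open({owner, logPath}); };
    f.open({other, "C:\\tmp\\filesize.txt"});  // external app: always seen
    f.open({owner, "C:\\tmp\\filesize.txt"});  // the dialog's own CreateFileW()
    return f;
}

int main() {
    FilterModel a = run(false, "c:\\tmp\\filter.log"), b = run(true, "c:\\tmp\\filter.log");
    std::printf("default: %d callbacks; own process filtered: depth %d, deadlock=%d\n",
                a.delivered, b.maxDepth, b.wouldDeadlock);
}
```

In the model, enabling own-process filtering is only safe when the handler's own file access stays outside the filtered path, which is the third case checked alongside the two printed here.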
#23022
Posted: 01/01/2013 11:43:08
by Vishnu Venkatesh (Basic support level)
Joined: 12/27/2012
Posts: 19

Thank you Vladimir - that makes sense.

As of July 15, 2016 EldoS Corporation will operate as a division of /n software inc. For more information, please read the announcement.
