Missing write-notifications

Posted: 02/12/2015 09:43:05
by Chris Spiteri (Standard support level)
Joined: 10/06/2014
Posts: 57


I am writing a tool (C#/.NET) to help me with troubleshooting/verification of file-writes. The tool uses the CbFilter and works as follows:

1. adds 2 filter notification rules (WriteNotify, SetSizesNotify) to a target file of 2Gb;
2. assigns callbacks to CbFlt.OnWriteFileN, CbFlt.OnSetAllocationSizeN, CbFlt.OnSetEndOfFileN so that the offset and sizes of the writes, and eof positions are logged;
3. opens the target file, writes a 50Mb chunk of data at offset 10Mb, and pauses for 1 minute to give time for the notification callbacks to execute;

When I ran the tool I noticed that the OnWriteFileN callback was only detecting 16 writes of 1Mb each; the notifications for the remaining 34Mb remained unaccounted for.

I then moved the writing operation to a different process, and modified the tool to just monitor the target file using the same rules and callbacks. Using this setup, the tool detected all write notifications from the other process: 136 writes of 262144 bytes each, and 16 writes of 1Mb each, adding up to 50Mb.

I repeated the original test and used ProcessMonitor to monitor the write-activity from the tool on the target file: ProcessMonitor successfully detected all the writes, while the filter did not. Analysing the data from ProcessMonitor, I noticed that the same 136 writes of 262144 bytes each originated from the tool itself, while the remaining 16Mb writes originated from 'System'. My suspicion is that the filter is only detecting the writes originating from 'System'.

I am running filter v3.1.75.48

My question is: is there a known limitation which prevents the process hosting the filter from detecting write activity originating from itself?

Thanks in advance, and best regards,

Posted: 02/12/2015 10:11:06
by Eugene Mayevski (EldoS Corp.)

The filter by default tracks non-cached writes, i.e. writes going from the cache to the disk.

Please set ProcessCachedReadWriteCallbacks property to true and check if the issue still exists.

Sincerely yours
Eugene Mayevski

Posted: 02/12/2015 10:38:39
by Chris Spiteri (Standard support level)
Joined: 10/06/2014
Posts: 57

Unfortunately setting ProcessCachedReadWriteCallbacks to true did not make any difference to the behaviour I described.

Posted: 02/12/2015 11:19:05
by Vladimir Cherniga (EldoS Corp.)

The FilterOwnProcess property is false by default. This prevents callbacks from being raised for operations that originate from the same process where CallbackFilter is running.

Posted: 02/12/2015 11:38:49
by Chris Spiteri (Standard support level)
Joined: 10/06/2014
Posts: 57

That worked, thanks!

(Property is OwnProcessFiltered in my build)
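
A coverage check that a verification tool like the one in this thread can run over the (offset, length) pairs logged by its write callback, to show which bytes of the written region produced no notification. This is an added example, not code from the thread or from EldoS: `WriteCoverage`, `FindGaps` and the sample offsets are assumptions (the thread gives only write counts and sizes), and no CallbackFilter API is called.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

// Hypothetical helper for this example; not part of CallbackFilter.
static class WriteCoverage
{
    // Returns the sub-ranges of [start, start + length) that no logged write covers.
    // Overlapping and duplicate writes (e.g. a cached write followed by its flush) are tolerated.
    public static List<(long Offset, long Length)> FindGaps(
        IEnumerable<(long Offset, long Length)> writes, long start, long length)
    {
        var gaps = new List<(long Offset, long Length)>();
        long end = start + length;
        long cursor = start; // first byte not yet known to be covered

        foreach (var w in writes.Where(w => w.Length > 0).OrderBy(w => w.Offset))
        {
            long wEnd = w.Offset + w.Length;
            if (wEnd <= cursor) continue;   // lies entirely in already covered space
            if (w.Offset >= end) break;     // past the region of interest
            if (w.Offset > cursor)
                gaps.Add((cursor, w.Offset - cursor));
            cursor = Math.Min(wEnd, end);
            if (cursor == end) break;
        }
        if (cursor < end) gaps.Add((cursor, end - cursor));
        return gaps;
    }

    static void Main()
    {
        const long MiB = 1024 * 1024;
        long start = 10 * MiB, length = 50 * MiB;

        // Constructed sample data: sizes and counts follow the thread, offsets are assumed.
        var fromSystem = Enumerable.Range(0, 16).Select(i => (start + 34 * MiB + i * MiB, MiB));
        var fromTool = Enumerable.Range(0, 136).Select(i => (start + i * 262144L, 262144L));

        // Own-process writes not delivered: only the 16 'System' writes were logged.
        foreach (var g in FindGaps(fromSystem, start, length))
            Console.WriteLine($"no notification for {g.Length} bytes at offset {g.Offset}");

        // Own-process writes delivered as well: the region is fully accounted for.
        Console.WriteLine($"gaps with own-process filtering: {FindGaps(fromTool.Concat(fromSystem), start, length).Count}");
    }
}
```

A non-empty result from such a check is a prompt to review the filter's own-process and cached-I/O settings before trusting the log as a complete record of writes.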




As of July 15, 2016 EldoS Corporation will operate as a division of /n software inc. For more information, please read the announcement.

Got it!