Comments on Of Filesystems And Other Demons: FILE_OBJECT Names in IRP_MJ_CREATE
Feed updated: 2024-03-12T22:24:25.119-07:00

Anonymous (https://www.blogger.com/profile/04456600991354270152), 2012-01-06T09:13:05.960-08:00:

If you're trying to prevent writing to a PE file by failing to open it (by returning STATUS_ACCESS_DENIED in IRP_MJ_CREATE) then it makes sense that the filter doesn't block the operation because the file MZ is not a PE file when it is opened (because it only contains the MZ characters but no PE header so it's not a PE file). It will become a PE file after all the writing is done, but you cannot know that in advance.
In general when writing to a file (or creating a new file) it is impossible to know at the time of the IRP_MJ_CREATE what the file will become after all the writing is done.

Thanks,
Alex.

Anonymous, 2012-01-06T04:44:27.073-08:00:

Hello,

I have a legacy fs filter driver that blocks PE write when it returns STATUS_ACCESS_DENIED in IRP_MJ_CREATE. It works most of the time but not in the following condition:
C:> type CALC >> MZ,
where CALC is calc.exe with the characters 'MZ' removed, and MZ is a text file with only 'MZ' in it.
The piping/redirector action is to rebuild a PE file.

It seems it has nothing to do with FastIo either.

I have searched on the Net for a long time with no answer. I am hoping someone may advise how to block such an I/O.

Thank you in advance.