vafoqome wrote: I need help with a backtracking question.
Helping you is not solving the problem for you.
Show your work so far, and explain the problem you encounter.
Patrice
“Everything should be made as simple as possible, but no simpler.” Albert Einstein
Hi.
Please help me.
First of all, I hope you understand that the sentence structure may be strange, as I am asking questions through a machine translator.
I am developing a minifilter driver that prohibits reading from drives other than the local disk drive.
However, IRP_MJ_CREATE does so much.
For example, it is also used to create volume drives the moment I open Explorer.
I don't want IRP_MJ_CREATE to be used when volume drives are created the moment I open Explorer.
Currently, I have registered IRP_MJ_CREATE in preOperation.
In the preOperation function, if it is not a local disk drive, I set:
    Data->IoStatus.Status = STATUS_NO_SUCH_PRIVILEGE;
    Data->IoStatus.Information = 0;
That is how I coded it to make this work.
Then, the moment I turned on Explorer, even the volume drives other than the local disk drive became inaccessible.
The first thing I want is that when Explorer opens, the volume drive shows up as accessible, just like a local drive.
Second, I want files to be prevented from being read (prohibited from executing) when entering the volume drive.
I think the words are simple, but I think it needs advanced technology. Still, I would be grateful for any help.
Thank you.
Hi,
I have not worked with minifilter drivers for about six years, but here are some things I think may help:
1.) In your PFLT_PRE_OPERATION_CALLBACK callback you should probably allow anything originating from kernel mode to pass through. You can do this with ExGetPreviousMode, which will return KernelMode for file operations originating from the Windows kernel.
2.) After you have allowed kernel-mode file operations to pass unmolested, you can get the process ID of the user-mode process performing the I/O with PsGetCurrentProcessId and filter out whatever you want to pass through.
I don't normally send anyone away from codeproject.com, but since I know that at least half of the Devices and Drivers team are active on the site, I will defer you to the NTFSD forum over at community.osr.com, where they are working with minifilters on a daily basis.
Best Wishes,
-David Delaune
Oh, thank you so much for the answer.
There is still a lot to learn about the minifilter, so it is difficult to say, but I will look into it and try it.
And thank you for telling me about a good site.
Thanks a lot.
Hi,
I see that you have posted an entirely different question on the OSR website. You are now asking how to filter out directories.
You can use the FltIsDirectory function to check whether the file object is a directory.
Best Wishes,
-David Delaune
Thank you for the answer.
It takes some time to write the answer using a translation machine, lol.
The article I wrote is correct.
I thought the text I wrote here was a bit ambiguous, so I made some corrections to it.
Ultimately, what I have to do is control what files (directories) are read (run) and written (modified, deleted) on USB drives, CD-ROM drives, portable drives, etc., except for local drives (e.g. C drive, D drive).
However, if I post too many questions at once, I don't think I can get a proper answer, so I started posting questions like this.
I think the question I posted here must have been a little stranger than the one on the OSR website.
First of all, I want to do anything, whether blocking reading or writing, but I can't find a starting point.
There are many things that create something in the samples provided by Microsoft, but nothing that prevents it.
Is there anything you can do to help?
I am waiting for your answer.
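Putting David's two points (kernel-mode requests pass untouched; decide per user-mode request, with FltIsDirectory for directories) together with the goals stated in this thread (Explorer can still browse the volume, but files on it can neither be read or run nor be modified or deleted), the following is an added example and not code from any post here: the decision logic of a pre-create callback in portable C, with a constructed struct standing in for the FLT_CALLBACK_DATA fields so it compiles and tests outside the kernel. The constant values are the real Windows ones; create_request_t and decide_create are hypothetical names; it assumes GENERIC_* rights were already mapped to specific rights before the create reached the filter, identifies removable volumes by FILE_REMOVABLE_MEDIA (USB hard disks may report as fixed media, so a real driver would also check the bus type), and leaves per-process exceptions via PsGetCurrentProcessId as a further field to add.

```c
#include <stdbool.h>
#include <stdint.h>

/* Constructed stand-ins for what a PFLT_PRE_OPERATION_CALLBACK reads from FLT_CALLBACK_DATA
   on IRP_MJ_CREATE. Constant values are the real ones (ntifs.h / wdm.h); names are hypothetical. */
#define FILE_READ_DATA        0x00000001u   /* DesiredAccess bits; on a directory the   */
#define FILE_WRITE_DATA       0x00000002u   /* same bits mean FILE_LIST_DIRECTORY,      */
#define FILE_APPEND_DATA      0x00000004u   /* FILE_ADD_FILE and FILE_ADD_SUBDIRECTORY  */
#define FILE_EXECUTE          0x00000020u
#define DELETE                0x00010000u
#define FILE_DIRECTORY_FILE   0x00000001u   /* CreateOptions bit */
#define FILE_REMOVABLE_MEDIA  0x00000001u   /* DeviceCharacteristics bit */
#define STATUS_SUCCESS        0x00000000u
#define STATUS_ACCESS_DENIED  0xC0000022u
enum { KernelMode = 0, UserMode = 1 };
typedef struct {
    int      requestor_mode;         /* Data->RequestorMode (what ExGetPreviousMode reports) */
    uint32_t desired_access;         /* Create.SecurityContext->DesiredAccess, assumed
                                        already mapped from GENERIC_* rights */
    uint32_t create_options;         /* Parameters.Create.Options & 0x00FFFFFF */
    uint32_t device_characteristics; /* of the target volume's device object */
    bool     is_directory;           /* e.g. FltIsDirectory() on an existing object */
} create_request_t;

/* Returns STATUS_SUCCESS to let the CREATE through, or the status the callback
   should store in Data->IoStatus.Status before returning FLT_PREOP_COMPLETE. */
uint32_t decide_create(const create_request_t *r)
{
    /* 1. Kernel-originated I/O (mounts, volume opens done on behalf of Explorer,
          paging) is never touched, as David suggested. */
    if (r->requestor_mode == KernelMode)
        return STATUS_SUCCESS;
    /* 2. Fixed local disks (C:, D:) are outside the policy. USB hard disks may
          report as fixed media, so a real driver would also check the bus type. */
    if (!(r->device_characteristics & FILE_REMOVABLE_MEDIA))
        return STATUS_SUCCESS;
    /* 3. No writing, creating or deleting on removable media, files or directories alike. */
    if (r->desired_access & (FILE_WRITE_DATA | FILE_APPEND_DATA | DELETE))
        return STATUS_ACCESS_DENIED;
    /* 4. Directory opens must still succeed (bit 0x1 is FILE_LIST_DIRECTORY here)
          so Explorer can browse the volume; this must come before the read test. */
    if ((r->create_options & FILE_DIRECTORY_FILE) || r->is_directory)
        return STATUS_SUCCESS;
    /* 5. Files on removable media may not be read or executed; attribute-only
          opens (FILE_READ_ATTRIBUTES etc.) pass so listings keep working. */
    if (r->desired_access & (FILE_READ_DATA | FILE_EXECUTE))
        return STATUS_ACCESS_DENIED;
    return STATUS_SUCCESS;
}
```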
Member 14872681 wrote: Is there anything you can do to help? I am waiting for your answer.
If you ask a very specific question (narrow in scope) you will probably get an answer.
Member 14872681 wrote: First of all, I want to do anything, whether I am blocking reading or writing, but I can't get a starting point.
Most of the minifilter samples are located here: File system driver samples
There are probably over a dozen more minifilter samples in older versions of the Windows DDK, if you have them. Unfortunately, I don't think they are being distributed anymore.
The code samples are a good place to start.
Best Wishes,
-David Delaune
Hi
Okay, I understand your reply.
Let's start with a sample.
I think I'm going to post a question while working on it, but if you see my article and have something helpful, please answer me.
Thank you.
Member 14872681 wrote: However, if I post too many questions at once, I don't think I can get a proper answer, so I started posting questions like this.
That is a good approach. The more you put into a single question, the more time it takes for everyone to read, and the less likely it is you will get a useful answer.
However, it wouldn't hurt to mention that you are working on a larger problem and point to the related posts you made, so anyone willing to help can get a better look at the whole picture.
Also, I like how you approach the translation. You keep sentences short and concise, that makes it harder for the translation engine to mess up the meaning.
(Sorry, I can't help with your problem. But I still felt that it's worth congratulating you on doing a good job asking questions - that is a rare skill nowadays!)
GOTOs are a bit like wire coat hangers: they tend to breed in the darkness, such that where there once were few, eventually there are many, and the program's architecture collapses beneath them. (Fran Poretto)
I am trying out the VirtualDisk APIs. So far I am able to open a VHDX file and get some of its properties by using GetVirtualDiskInformation, but I am not able to get the RCT information and changed areas.
1) OpenVirtualDisk is done with the VIRTUAL_DISK_ACCESS_GET_INFO flag.
2) GetVirtualDiskInformation
a. Works fine when the version flag is set to GET_VIRTUAL_DISK_INFO_SIZE; I am able to fetch the sector size and other information.
b. Gives ERROR_INSUFFICIENT_BUFFER (122) when the version flag is set to GET_VIRTUAL_DISK_INFO_CHANGE_TRACKING_STATE to access diskInfo->ChangeTrackingState.MostRecentId:
// vhdHandle (HANDLE from OpenVirtualDisk) and res (DWORD) are declared earlier (not shown).
PGET_VIRTUAL_DISK_INFO diskInfo;
ULONG diskInfoSize = sizeof(GET_VIRTUAL_DISK_INFO);
std::wcout << L"size of diskinfo structure " << diskInfoSize << std::endl;
diskInfo = (PGET_VIRTUAL_DISK_INFO)malloc(diskInfoSize);
diskInfo->Version = GET_VIRTUAL_DISK_INFO_SIZE;
res = GetVirtualDiskInformation(vhdHandle, &diskInfoSize, diskInfo, NULL);
// The Size members are ULONGLONG/ULONG; a 32-bit long would truncate them.
ULONGLONG physicalSize = diskInfo->Size.PhysicalSize;
ULONGLONG virtualSize = diskInfo->Size.VirtualSize;
ULONG sectorSize = diskInfo->Size.SectorSize;
ULONG blockSize = diskInfo->Size.BlockSize;
std::wcout << L"physicalSize :" << physicalSize << std::endl;
std::wcout << L"virtualSize :" << virtualSize << std::endl;
std::wcout << L"sectorSize :" << sectorSize << std::endl;
std::wcout << L"blockSize :" << blockSize << std::endl;
diskInfo->Version = GET_VIRTUAL_DISK_INFO_CHANGE_TRACKING_STATE;
res = GetVirtualDiskInformation(vhdHandle, &diskInfoSize, diskInfo, NULL); // returns ERROR_INSUFFICIENT_BUFFER (122) here
if (res == ERROR_SUCCESS)
    std::wcout << L"\nrct id:" << diskInfo->ChangeTrackingState.MostRecentId << std::endl;
free(diskInfo);
3) QueryChangesVirtualDisk gives ACCESS DENIED.
ULONG64 byteOffset = 0;
ULONG64 byteLength = 19327352832;
// Ranges is an output array; RangeCount is in/out (capacity on input, entries written on output).
QUERY_CHANGES_VIRTUAL_DISK_RANGE changedAreas[256] = {};
ULONG rangeCount = ARRAYSIZE(changedAreas);
ULONG64 processedLength = 0;
// ChangeTrackingId is a PCWSTR, so the literal has to be a wide string.
res = QueryChangesVirtualDisk(vhdHandle, L"rctX:c2eb01d9:ccb1:405d:acb6:f0e76d055906:00000001",
                              byteOffset, byteLength,
                              QUERY_CHANGES_VIRTUAL_DISK_FLAG_NONE,
                              changedAreas, &rangeCount, &processedLength);
Can someone please give some ideas on what I am doing wrong?
Quote: This value is not supported before Windows 10 and Windows Server 2016.
It was only in wine that he laid down no limit for himself, but he did not allow himself to be confused by it.
― Confucian Analects: Rules of Confucius about his food
Hi Gerry,
I am trying this in Windows 2016 Hyper-V, and the guest VM has Windows 10.
Also, I am able to get the changed blocks by using WMI queries.
But the VHD API is giving ACCESS_DENIED_ERROR.
Regards,
Hari
The first thing I'd do is confirm "without" a VM. And then I'd try Oracle's VmBox. Then try running as "admin" in the VM, etc.
It was only in wine that he laid down no limit for himself, but he did not allow himself to be confused by it.
― Confucian Analects: Rules of Confucius about his food
Hi,
I do see at least one problem in your code:
    ULONG diskInfoSize = sizeof(GET_VIRTUAL_DISK_INFO);
should be changed to:
    ULONG diskInfoSize = sizeof(GET_VIRTUAL_DISK_INFO) + sizeof(GUID);
cazorla19 wrote: queryChangesVirtualDisk gives ACCESS DENIED.
Could you show me the flags you are passing to OpenVirtualDisk?
Best Wishes,
-David Delaune
Hi David,
I have tried OpenVirtualDisk with VIRTUAL_DISK_ACCESS_GET_INFO, as suggested on the MSDN portal.
I also tried with VIRTUAL_DISK_ACCESS_READ; both times I got the same error.
HANDLE vhdHandle = NULL;   // path is the PCWSTR of the .vhdx, declared earlier (not shown)
OPEN_VIRTUAL_DISK_PARAMETERS openParameters = {};
openParameters.Version = OPEN_VIRTUAL_DISK_VERSION_1;
openParameters.Version1.RWDepth = OPEN_VIRTUAL_DISK_RW_DEPTH_DEFAULT;
VIRTUAL_STORAGE_TYPE storageType = {};
storageType.DeviceId = VIRTUAL_STORAGE_TYPE_DEVICE_UNKNOWN;
storageType.VendorId = VIRTUAL_STORAGE_TYPE_VENDOR_UNKNOWN;
DWORD res = OpenVirtualDisk(&storageType, path,
                            VIRTUAL_DISK_ACCESS_GET_INFO,
                            OPEN_VIRTUAL_DISK_FLAG_NONE,
                            &openParameters,
                            &vhdHandle);
Also, I changed diskInfoSize as suggested, but still got the same 'insufficient buffer size' error.
ULONG diskInfoSize = sizeof(GET_VIRTUAL_DISK_INFO) + sizeof(GUID);
Increasing the diskinfo size definitely helped me in getting the rct id using GetVirtualDiskInformation:
WCHAR changeTrackingInfo[2048];
ZeroMemory(changeTrackingInfo, sizeof(changeTrackingInfo));
// diskInfo has to point at this buffer, and diskInfoSize must be its size in bytes (no larger).
PGET_VIRTUAL_DISK_INFO diskInfo = (PGET_VIRTUAL_DISK_INFO)changeTrackingInfo;
ULONG diskInfoSize = sizeof(changeTrackingInfo);
The QueryChangesVirtualDisk ACCESS DENIED is not resolved.
Regards,
Hari
modified 19-Aug-20 1:59am.
Hi Hari,
Kinda looks like you are breaking the rules of nearly everything in the Remarks section for the OpenVirtualDisk function for a permanently attached virtual disk.
This is working for me, code is ugly, there is no error handling... it's just a code sample:
#include <iostream>
#include <windows.h>
#include <virtdisk.h>
#include <tchar.h>
#include <comdef.h>
#include <atlcomcli.h>
#include <wbemidl.h>
#pragma comment(lib, "wbemuuid.lib")
#pragma comment(lib, "virtdisk.lib")

// virtdisk.h only declares these GUIDs (unless initguid.h is included first), so define them here.
const GUID VIRTUAL_STORAGE_TYPE_VENDOR_MICROSOFT = { 0xec984aec, 0xa0f9, 0x47e9, 0x90, 0x1f, 0x71, 0x41, 0x5a, 0x66, 0x34, 0x5b };
const GUID VIRTUAL_STORAGE_TYPE_VENDOR_UNKNOWN = { 0x00000000, 0x0000, 0x0000, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };

int main()
{
    HANDLE vhdHandle = NULL;
    VIRTUAL_STORAGE_TYPE storageType = {};
    ULONG status = 0L;
    storageType.DeviceId = VIRTUAL_STORAGE_TYPE_DEVICE_UNKNOWN;
    storageType.VendorId = VIRTUAL_STORAGE_TYPE_VENDOR_UNKNOWN;
    PCWSTR virtualDiskPath = L"D:\\VirtualMachines\\x64_Windows8.1\\x64_Windows8.1\\Virtual Hard Disks\\x64_Windows8.1.vhdx";
    OPEN_VIRTUAL_DISK_PARAMETERS* pOpenParameter = NULL;
    status = OpenVirtualDisk(&storageType, virtualDiskPath,
                             VIRTUAL_DISK_ACCESS_ATTACH_RW | VIRTUAL_DISK_ACCESS_GET_INFO | VIRTUAL_DISK_ACCESS_DETACH,
                             OPEN_VIRTUAL_DISK_FLAG_NONE, pOpenParameter, &vhdHandle);
    if (ERROR_SUCCESS == status)
    {
        // GET_VIRTUAL_DISK_INFO is a union after Version: each call fills only the member
        // matching the Version requested, so size, identifier and change-tracking state
        // are queried separately. A WCHAR array of this many elements is twice the bytes of
        // the struct plus a GUID, which leaves room for the variable-length MostRecentId.
        DWORD sizeUsed = 0;
        WCHAR changeTrackingInfo[sizeof(GET_VIRTUAL_DISK_INFO) + sizeof(GUID)];
        PGET_VIRTUAL_DISK_INFO virtualDiskInfo = (GET_VIRTUAL_DISK_INFO*)changeTrackingInfo;
        ULONG virtualDiskInfoSize = sizeof(changeTrackingInfo);

        ::ZeroMemory(changeTrackingInfo, sizeof(changeTrackingInfo));
        virtualDiskInfo->Version = GET_VIRTUAL_DISK_INFO_SIZE;
        status = GetVirtualDiskInformation(vhdHandle, &virtualDiskInfoSize, virtualDiskInfo, &sizeUsed);
        if (ERROR_SUCCESS == status)
        {
            wprintf(L"Disk Information:\n");
            wprintf(L"Physical Size\t= %I64u\n", virtualDiskInfo->Size.PhysicalSize);
            wprintf(L"Virtual Size\t= %I64u\n", virtualDiskInfo->Size.VirtualSize);
            wprintf(L"Sector Size\t= %u\n", virtualDiskInfo->Size.SectorSize);
            wprintf(L"Block Size\t= %u\n", virtualDiskInfo->Size.BlockSize);
        }

        virtualDiskInfoSize = sizeof(changeTrackingInfo);
        ::ZeroMemory(changeTrackingInfo, sizeof(changeTrackingInfo));
        virtualDiskInfo->Version = GET_VIRTUAL_DISK_INFO_IDENTIFIER;
        status = GetVirtualDiskInformation(vhdHandle, &virtualDiskInfoSize, virtualDiskInfo, &sizeUsed);
        if (ERROR_SUCCESS == status)
        {
            wchar_t szGUID[64] = { 0 };
            StringFromGUID2(virtualDiskInfo->Identifier, szGUID, 64);
            wprintf(L"Identifier\t= %s\n", szGUID);
        }

        virtualDiskInfoSize = sizeof(changeTrackingInfo);
        ::ZeroMemory(changeTrackingInfo, sizeof(changeTrackingInfo));
        virtualDiskInfo->Version = GET_VIRTUAL_DISK_INFO_CHANGE_TRACKING_STATE;
        status = GetVirtualDiskInformation(vhdHandle, &virtualDiskInfoSize, virtualDiskInfo, &sizeUsed);
        if (ERROR_SUCCESS == status)
        {
            wprintf(L"ChangeTrackingState.Enabled:%d\n", virtualDiskInfo->ChangeTrackingState.Enabled);
            wprintf(L"ChangeTrackingState.MostRecentId:%s\n", virtualDiskInfo->ChangeTrackingState.MostRecentId);
        }
        CloseHandle(vhdHandle);
    }
    return 0;
}
Best Wishes,
-Rubeus Hagrid
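Why the buffer has to be larger than sizeof(GET_VIRTUAL_DISK_INFO), as an added example that is not from any post in this thread: the struct's ChangeTrackingState member ends in a one-element WCHAR MostRecentId[] array, so sizeof() reserves room for a single character of an id that, in the string Hari printed, is 50 characters long. The C below is portable and uses a constructed, simplified stand-in for the struct plus a mock (mock_get_info, my name) of GetVirtualDiskInformation's buffer contract as this example assumes it (ERROR_INSUFFICIENT_BUFFER with the needed size written back through the in/out size parameter); query_change_tracking is likewise mine and shows the grow-and-retry pattern that replaces guessing at a fixed 2048-WCHAR buffer.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <wchar.h>

#define ERROR_SUCCESS             0u    /* real winerror.h values */
#define ERROR_INSUFFICIENT_BUFFER 122u

/* Constructed, simplified stand-in for GET_VIRTUAL_DISK_INFO with Version =
   CHANGE_TRACKING_STATE: the id is variable length, but the struct reserves one WCHAR. */
typedef struct {
    uint32_t Version;
    int32_t  Enabled;
    wchar_t  MostRecentId[1];
} mock_disk_info_t;

/* The id Hari passed to QueryChangesVirtualDisk, reused here as the mock disk's current id. */
static const wchar_t kRctId[] = L"rctX:c2eb01d9:ccb1:405d:acb6:f0e76d055906:00000001";

/* Mock (not the real API) of GetVirtualDiskInformation's buffer contract as assumed here:
   a too-small buffer fails with ERROR_INSUFFICIENT_BUFFER and *size is set to the need. */
uint32_t mock_get_info(uint32_t *size, mock_disk_info_t *info, uint32_t *used)
{
    uint32_t need = (uint32_t)(offsetof(mock_disk_info_t, MostRecentId) + sizeof kRctId);
    if (used) *used = need;
    if (*size < need) { *size = need; return ERROR_INSUFFICIENT_BUFFER; }
    info->Enabled = 1;
    memcpy(info->MostRecentId, kRctId, sizeof kRctId);
    return ERROR_SUCCESS;
}

/* Grow-and-retry instead of a guessed 2048-WCHAR buffer: start at sizeof(struct),
   enlarge to the reported size (doubling if none was reported), call again.
   Returns a heap buffer the caller frees, or NULL with *err set. */
mock_disk_info_t *query_change_tracking(uint32_t *err)
{
    uint32_t size = sizeof(mock_disk_info_t);   /* the thread's first, too-small attempt */
    mock_disk_info_t *buf = NULL;
    for (int attempt = 0; attempt < 4; attempt++) {
        mock_disk_info_t *grown = realloc(buf, size);
        if (!grown) { free(buf); *err = 8u; /* ERROR_NOT_ENOUGH_MEMORY */ return NULL; }
        buf = grown; memset(buf, 0, size);
        uint32_t asked = size;
        *err = mock_get_info(&size, buf, NULL);
        if (*err != ERROR_INSUFFICIENT_BUFFER) break;
        if (size <= asked) size = asked * 2;     /* callee gave no size hint: double */
    }
    if (*err != ERROR_SUCCESS) { free(buf); return NULL; }
    return buf;
}
```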
Many thanks for your input.
I tried your sample code in my environment; OpenVirtualDisk failed with 32 ERROR_SHARING_VIOLATION.
Steps I have followed till now:
1. Create a production snapshot on the VM.
2. Convert the snapshot to a reference point (the snapshot gets merged automatically) using WMI commands.
3. Add some files to the VM disk.
4. Create another production snapshot on the VM so that any changes in the VM will be written to the avhdx file.
5. Try to open the parent vhdx using the VHD APIs.
6. Get a resilient change tracking identifier using ChangeTrackingState.MostRecentId.
7. Query for changed areas using the VHD API QueryChangesVirtualDisk.
So far I am able to get to step six by passing only the VIRTUAL_DISK_ACCESS_GET_INFO flag to OpenVirtualDisk. Step 7 gives ACCESS_DENIED.
void openDiskEx()
{
    HANDLE vhdHandle = NULL;
    VIRTUAL_STORAGE_TYPE storageType = {};
    ULONG status = 0L;
    storageType.DeviceId = VIRTUAL_STORAGE_TYPE_DEVICE_UNKNOWN;
    storageType.VendorId = VIRTUAL_STORAGE_TYPE_VENDOR_UNKNOWN;
    PCWSTR virtualDiskPath = L"C:\\Hyper-V\\Virtual Hard Disks\\Lacazette\\Windows2016.vhdx";
    OPEN_VIRTUAL_DISK_PARAMETERS* pOpenParameter = NULL;
    status = OpenVirtualDisk(&storageType, virtualDiskPath,
                             VIRTUAL_DISK_ACCESS_ATTACH_RW | VIRTUAL_DISK_ACCESS_GET_INFO | VIRTUAL_DISK_ACCESS_DETACH,
                             OPEN_VIRTUAL_DISK_FLAG_NONE, pOpenParameter, &vhdHandle);
    std::cout << "opendisk:" << status << std::endl;   // 32 = ERROR_SHARING_VIOLATION while the VM is online
    if (ERROR_SUCCESS == status)
    {
        // GET_VIRTUAL_DISK_INFO is a union after Version: each call fills only the member
        // matching the Version requested, so size, identifier and change-tracking state
        // are queried separately. The WCHAR array is twice the bytes of the struct plus a
        // GUID, which leaves room for the variable-length MostRecentId string.
        DWORD sizeUsed = 0;
        WCHAR changeTrackingInfo[sizeof(GET_VIRTUAL_DISK_INFO) + sizeof(GUID)];
        PGET_VIRTUAL_DISK_INFO virtualDiskInfo = (GET_VIRTUAL_DISK_INFO*)changeTrackingInfo;
        ULONG virtualDiskInfoSize = sizeof(changeTrackingInfo);

        ::ZeroMemory(changeTrackingInfo, sizeof(changeTrackingInfo));
        virtualDiskInfo->Version = GET_VIRTUAL_DISK_INFO_SIZE;
        status = GetVirtualDiskInformation(vhdHandle, &virtualDiskInfoSize, virtualDiskInfo, &sizeUsed);
        std::cout << "GetVirtualDiskInformation(SIZE):" << status << std::endl;
        if (ERROR_SUCCESS == status)
        {
            wprintf(L"Disk Information:\n");
            wprintf(L"Physical Size\t= %I64u\n", virtualDiskInfo->Size.PhysicalSize);
            wprintf(L"Virtual Size\t= %I64u\n", virtualDiskInfo->Size.VirtualSize);
            wprintf(L"Sector Size\t= %u\n", virtualDiskInfo->Size.SectorSize);
            wprintf(L"Block Size\t= %u\n", virtualDiskInfo->Size.BlockSize);
        }

        virtualDiskInfoSize = sizeof(changeTrackingInfo);
        ::ZeroMemory(changeTrackingInfo, sizeof(changeTrackingInfo));
        virtualDiskInfo->Version = GET_VIRTUAL_DISK_INFO_IDENTIFIER;
        status = GetVirtualDiskInformation(vhdHandle, &virtualDiskInfoSize, virtualDiskInfo, &sizeUsed);
        if (ERROR_SUCCESS == status)
        {
            wchar_t szGUID[64] = { 0 };
            StringFromGUID2(virtualDiskInfo->Identifier, szGUID, 64);
            wprintf(L"Identifier\t= %s\n", szGUID);
        }

        virtualDiskInfoSize = sizeof(changeTrackingInfo);
        ::ZeroMemory(changeTrackingInfo, sizeof(changeTrackingInfo));
        virtualDiskInfo->Version = GET_VIRTUAL_DISK_INFO_CHANGE_TRACKING_STATE;
        status = GetVirtualDiskInformation(vhdHandle, &virtualDiskInfoSize, virtualDiskInfo, &sizeUsed);
        std::cout << "GetVirtualDiskInformation(CHANGE_TRACKING_STATE):" << status << std::endl;
        if (ERROR_SUCCESS == status)
        {
            wprintf(L"ChangeTrackingState.Enabled:%d\n", virtualDiskInfo->ChangeTrackingState.Enabled);
            wprintf(L"ChangeTrackingState.MostRecentId:%s\n", virtualDiskInfo->ChangeTrackingState.MostRecentId);
        }
        CloseHandle(vhdHandle);   // only close a handle that was actually opened
    }
}
Regards,
Hari
cazorla19 wrote: OpenVirtualDisk failed with 32 ERROR_SHARING_VIOLATION.
That obviously means that the virtual disk is locked/mounted and being used by another process. Are you trying to read the change tracking on a running Hyper-V virtual machine? I don't think you can do that.
Yes, I am trying to read the change tracking information when the Virtual machine is online.
Ok,
If you can't read the change tracking information from an Administrator account with both SE_BACKUP_NAME and SE_MANAGE_VOLUME_NAME privileges then I don't think it will be possible. Also since the virtual drive is mounted you should change the access mask from VIRTUAL_DISK_ACCESS_ATTACH_RW to VIRTUAL_DISK_ACCESS_ATTACH_RO.
I am actually in a Hyper-V environment right now so if I get some time later today I will look into it more. The code sample I gave you is working for me on my offline virtual machines.
Best Wishes,
-David Delaune
Hi, have you resolved the problem?
How can I convert an AAC file to a WAV file using C++ and Microsoft Media Foundation?
Study the documentation for the two file types. Then study the documentation for the framework you plan to use.
I need to initialize a 3rd party library when doing some/most of our unit tests.
We have a working homemade framework with an entry point (_tmain) where we can do all initialization for all our tests.
I can't seem to find the equivalent with CppUnitTestFramework.
I don't want to add a wrapper to do the 3rd party library initialization for each unit test.
Can I do such a thing?
Thanks.
I'd rather be phishing!