I am trying to write a minifilter that blocks access to any file within a specific path. I have been able to do it for any path in C:. This is what I've done. First, I declare:
    const WCHAR* internal_drives[] = { L"C:" };
Then, in instant_setup, I start the minifilter for C: by doing:
    /* Number of entries in internal_drives */
    size_t internal_drives_length = sizeof internal_drives / sizeof *internal_drives;
    for (size_t i = 0; i < internal_drives_length; i++)
    {
        /* Attach only when the volume name matches a listed drive */
        if (wcscmp(ctx->Name.Buffer, internal_drives[i]) == 0)
        {
            status = STATUS_SUCCESS;
        }
    }
I can then block access to C: by adding the following in the functions mini_pre_create and mini_post_create:
    status = STATUS_ACCESS_DENIED;
    data->IoStatus.Status = status;
    data->IoStatus.Information = 0;
That works, I am able to block the access to any file in C:
But I'd like to be able to specify which folder I want to block access to. I've tried specifying the path in the variable internal_drives, but it does not work; I am blocking nothing:
    const WCHAR* internal_drives[] = { L"D:\\path" };
Am I missing something? Is there a more correct way to do this with minifilters? I am a complete beginner with minifilters.
You set up on the drives, then you filter in the specific IRP_MJ_CREATE. To do that, you have to use FltGetFileNameInformation plus FltParseFileNameInformation.
Do note that the filesystem does not work with DOS name drive letters, so you will have to transform \Device\Harddiskvolumex\folder\file.txt to c:\folder\file.txt. You can do that mapping on setup.
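The mapping and folder check the answer describes, as an added user-mode C example that is not part of the original post or the asker's driver. The volume table is constructed sample data and nt_to_dos / is_blocked are hypothetical helper names; in the driver the NT path would come from FltGetFileNameInformation and the table would be built at instance setup. The check also requires the match to end on a path separator, so blocking D:\path does not also block D:\pathology.

```c
#include <stddef.h>
#include <wchar.h>
#include <wctype.h>

/* Constructed sample mapping; a real driver would build this at instance setup. */
struct vol_map { const wchar_t *device; const wchar_t *dos; };
static const struct vol_map volumes[] = {
    { L"\\Device\\HarddiskVolume3", L"C:" },
    { L"\\Device\\HarddiskVolume5", L"D:" },
};

/* Case-insensitive "s starts with prefix"; returns the prefix length, or 0. */
static size_t ci_prefix(const wchar_t *s, const wchar_t *prefix)
{
    size_t n = 0;
    for (; prefix[n] != L'\0'; n++)
        if (towlower((wint_t)s[n]) != towlower((wint_t)prefix[n]))
            return 0;
    return n;
}

/* Rewrite \Device\HarddiskVolumeN\... as X:\...; 0 if unknown volume or no room. */
int nt_to_dos(const wchar_t *nt, wchar_t *out, size_t out_len)
{
    for (size_t i = 0; i < sizeof volumes / sizeof *volumes; i++) {
        size_t n = ci_prefix(nt, volumes[i].device);
        /* The device name must end at a separator, so Volume5 != Volume51. */
        if (n == 0 || (nt[n] != L'\\' && nt[n] != L'\0'))
            continue;
        if (wcslen(volumes[i].dos) + wcslen(nt + n) >= out_len)
            return 0;
        wcscpy(out, volumes[i].dos);
        wcscat(out, nt + n);
        return 1;
    }
    return 0;
}

/* True when the NT path is the blocked folder itself or anything below it. */
int is_blocked(const wchar_t *nt, const wchar_t *blocked_dir)
{
    wchar_t dos[520];
    if (!nt_to_dos(nt, dos, sizeof dos / sizeof *dos))
        return 0;
    size_t n = ci_prefix(dos, blocked_dir);
    return n != 0 && (dos[n] == L'\\' || dos[n] == L'\0');
}

int main(void) { return is_blocked(L"\\Device\\HarddiskVolume5\\path\\a.txt", L"D:\\path") ? 0 : 1; }
```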