Tags: c, windows, driver, minifilter, filter-driver

What is the IRP message generated on file delete in a filter driver?


I am trying to create a filter driver to block file deletion operations, but I can't identify the IRP message on deleting files.

I worked with the code below; it works on Windows 7 but not on Windows 8 or later.

// Read-only guard: any request whose major function is one of the write/set
// codes listed below is failed with STATUS_ACCESS_DENIED.
// NOTE(review): MajorFunction is read through pIrp while the request is
// completed through Irp; presumably pIrp is the current IO_STACK_LOCATION and
// Irp the IRP itself — confirm against the enclosing dispatch routine.
// NOTE(review): only the major function is inspected. IRP_MJ_SET_INFORMATION is
// denied for every FileInformationClass, not just delete requests, and
// IRP_MJ_CREATE is not in the list, so an open that asks for delete-on-close is
// not examined by this condition.
if (pIrp->MajorFunction==IRP_MJ_WRITE || pIrp->MajorFunction==IRP_MJ_SET_INFORMATION ||
            pIrp->MajorFunction==IRP_MJ_SET_VOLUME_INFORMATION || pIrp->MajorFunction==IRP_MJ_SET_SECURITY ||
            pIrp->MajorFunction==IRP_MJ_SET_QUOTA)
    {
                             DbgPrint("fdrv :Read only operation block");
            // Record the failure status in the IRP before completing it.
            Irp->IoStatus.Status = STATUS_ACCESS_DENIED;//Deny Access
            // No bytes were transferred for the rejected request.
            Irp->IoStatus.Information = 0;
            // Complete the request here and return; it is not passed on from this branch.
            IoCompleteRequest(Irp, IO_NO_INCREMENT);
            return STATUS_ACCESS_DENIED;

            }

Solution

  • There are two ways to delete a file:

    --

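    // Recognises the two delete paths a filter sees on the current stack location:
    //   1. IRP_MJ_SET_INFORMATION with FileDispositionInformation or
    //      FileDispositionInformationEx asking for deletion;
    //   2. IRP_MJ_CREATE with FILE_DELETE_ON_CLOSE in the create options.
    // The empty branches are where the caller's policy goes (for a blocking
    // filter, complete the IRP with a failure status instead of forwarding it).
    //
    // NOTE(review): this covers explicit delete requests only. A policy meant to
    // protect file contents may also need to consider rename-with-replace
    // (FileRenameInformation) and overwrite/supersede create dispositions —
    // confirm against the threat model.
    union {
        PVOID Buffer;                              // raw system buffer
        PFILE_DISPOSITION_INFORMATION pfdi;        // view for FileDispositionInformation
        PFILE_DISPOSITION_INFORMATION_EX pfdi_ex;  // view for FileDispositionInformationEx
    };
    PIO_STACK_LOCATION IrpSp = IoGetCurrentIrpStackLocation(Irp);
    switch (IrpSp->MajorFunction)
    {
    case IRP_MJ_SET_INFORMATION:
        Buffer = Irp->AssociatedIrp.SystemBuffer;
        if (!Buffer)
        {
            // Nothing to inspect; leave the request to the lower driver.
            break;
        }
        switch (IrpSp->Parameters.SetFile.FileInformationClass)
        {
        case FileDispositionInformation:
            // Check the caller-declared length before reading the structure, so
            // a short buffer is never dereferenced as a full one.
            if (IrpSp->Parameters.SetFile.Length >= sizeof(FILE_DISPOSITION_INFORMATION) &&
                pfdi->DeleteFile)
            {
                // delete requested through the classic disposition class
            }
            break;
        case FileDispositionInformationEx:
            // Same length check for the extended structure.
            // NOTE(review): other bits in Flags (for example
            // FILE_DISPOSITION_ON_CLOSE) may matter to a blocking policy —
            // confirm against the WDK documentation.
            if (IrpSp->Parameters.SetFile.Length >= sizeof(FILE_DISPOSITION_INFORMATION_EX) &&
                (pfdi_ex->Flags & FILE_DISPOSITION_DELETE))
            {
                // delete requested through the extended disposition class
            }
            break;
        }
        break;
    case IRP_MJ_CREATE:
        // The file is removed when the last handle closes, so the decision has
        // to be taken at open time.
        if (IrpSp->Parameters.Create.Options & FILE_DELETE_ON_CLOSE)
        {
            // open requests delete-on-close
        }
        break;
    }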