Search code examples
driverminifilter

Block access to specific path with minifilters


I am trying to write a minifilter that block access to any file within a specific path. I have been able to do it for any path in C:. This is what I´ve done. First, I declare:

const WCHAR* internal_drives[] = { L"C:" };

Then, in instant_setup I start the minifilter for C: by doing:

        int internal_drives_length = sizeof internal_drives / sizeof * internal_drives;
        for (size_t i = 0; i < internal_drives_length; i++)
        {
            if (wcscmp(ctx->Name.Buffer, internal_drives[i]) == 0)
            {
                status = STATUS_SUCCESS;
            }
        }

I can block access to C: then by adding in functions: mini_pre_create, mini_post_create:

    status = STATUS_ACCESS_DENIED;
    data->IoStatus.Status = status;
    data->IoStatus.Information = 0;

That works, I am able to block the access to any file in C:

But I´d like to be able to specify to which folder I want to block the access. I´ve trying specifying the path in the variable internal_drives but It does not work, I am blocking nothing :

const WCHAR* internal_drives[] = { L"D:\\path" };

Am I missing something? is there a more correct way to do this with minifilters? I am a complete beginner with minifilters.


Solution

  • You setup to the drivers, then you filter in the specific IRP_MJ_CREATE. To do that, you have to use FltGetFileNameInformation plus FltParseFileNameInformation.

    Do note that the filesystem does not work with DOS name drive letters, so you will have to transform \Device\Harddiskvolumex\folder\file.txt to c:\folder\file.txt. You can do that mapping on setup.