Question

I have a couple of signatures and I want to build a File System Filter Driver which can check all possible operations against the signatures. If a match is found, then the Filter Driver should drop the IRP packet completely.

Is it possible to do that?


Solution

Yes.

You're describing what just about every anti-virus package does. You'll need to brush up on your NT-kernel mode development chops, and get familiar with File System MiniFilters. You'll also want to start lurking on OSR NTFSD listserv.

A filter driver cannot "drop an IRP completely". What it CAN do is complete them before lower drivers see them, or, in the case of IRP_MJ_CREATE, cancel them in a post-operation callback.

Buckle up, you're in for a bumpy ride :)
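The two interception points the answer names, modelled as an added user-mode C example (not code from the post or from any driver): a pre-operation path that completes a write with STATUS_ACCESS_DENIED, and a post-create path that scans the now-open file and cancels the open on a match. The FLT_PREOP_* and STATUS_* values are local stand-ins for the fltKernel.h/ntstatus.h definitions, and the signature set is constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Stand-ins for the values a real minifilter gets from fltKernel.h and
 * ntstatus.h; defined locally so this model compiles in user mode. */
#define FLT_PREOP_SUCCESS_NO_CALLBACK 1
#define FLT_PREOP_COMPLETE            4
#define STATUS_SUCCESS        0x00000000u
#define STATUS_ACCESS_DENIED  0xC0000022u

/* Constructed sample signature set (not real detection patterns). */
static const struct { const unsigned char *bytes; size_t len; } SIGS[] = {
    { (const unsigned char *)"EVIL-MARKER-1", 13 },
    { (const unsigned char *)"\xDE\xAD\xBE\xEF", 4 },
};

/* Return 1 if any signature occurs anywhere in buf[0..len). */
int matches_signature(const unsigned char *buf, size_t len) {
    for (size_t s = 0; s < sizeof SIGS / sizeof SIGS[0]; s++) {
        size_t n = SIGS[s].len;
        for (size_t i = 0; i + n <= len; i++)
            if (memcmp(buf + i, SIGS[s].bytes, n) == 0) return 1;
    }
    return 0;
}

/* Pre-operation path (e.g. IRP_MJ_WRITE): the data is already in the request
 * buffer, so the filter can complete the request itself. A match returns
 * FLT_PREOP_COMPLETE with *status = STATUS_ACCESS_DENIED, which stops the
 * request before any lower driver sees it. */
int pre_write(const unsigned char *data, size_t len, uint32_t *status) {
    if (matches_signature(data, len)) {
        *status = STATUS_ACCESS_DENIED;
        return FLT_PREOP_COMPLETE;
    }
    *status = STATUS_SUCCESS;
    return FLT_PREOP_SUCCESS_NO_CALLBACK;
}

/* Post-create path (IRP_MJ_CREATE): the file's contents are only readable once
 * the open has succeeded, so the scan runs here. A match cancels the open
 * (FltCancelFileOpen in a real driver) and fails it with STATUS_ACCESS_DENIED.
 * Returns 1 when the open was cancelled, 0 when it is allowed through. */
int post_create(const unsigned char *file, size_t len, uint32_t *status) {
    if (matches_signature(file, len)) {
        *status = STATUS_ACCESS_DENIED;
        return 1;
    }
    *status = STATUS_SUCCESS;
    return 0;
}
```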

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow