
I would like to either host a virtual drive and intercept the I/O, or intercept I/O calls to certain folders on a hard drive, and do arbitrary things to that call like write the file to a 2nd location. For example, if Notepad.exe writes a file to C:\Data\test.txt - I would like to have access to that file name, and the data of the file. Likewise, I would like to run arbitrary code when any user attempts to read C:\Data\test.txt or attempts to get a directory listing for C:\Data.

Ideally I want to have a handler for when a file is: created, updated, deleted, or opened - and when someone does a directory listing (from command-line or from the Shell).

I can do the write part with FileSystemWatcher - but I can't intercept disk "reads". So, I next looked into MS Detours and EasyHook. That won't really work because I'd need to monitor every single process on the computer and hook to OpenFile on ALL of them. I don't want to use a Shell Extension because this behavior needs to exist from the command-line too. So, that leaves either writing a File System MiniFilter driver - or writing my own installable file system in C++.

I can have some portion of this in C++ - although the driver stuff is a bit over my head, but ultimately most of the rest of code should be in C#, ideally.

Is there some straightforward way to intercept I/O to a specific folder or virtual drive? If the answer is with EasyHook or a MiniFilter, does anyone have any samples? EasyHook in particular only has samples from the late-2000s and the API has changed since then. Thanks!

Robert Seder
  • If you have a sufficiently large budget, I believe there is at least one third-party product that implements a programmable file system filter driver. – Harry Johnston May 19 '14 at 01:10
  • That's not out of the question. I looked and I couldn't find anything that quite did this. Can you recommend any product? – Robert Seder May 19 '14 at 01:14
  • Not from personal experience, no. But I did find the reference to the product I was thinking of: see http://stackoverflow.com/a/3541555/886887 – Harry Johnston May 19 '14 at 01:28
  • Actually, on second thoughts I'm not sure that's the right product, but fairly sure it's the right company. At any rate, worth contacting the author and asking. – Harry Johnston May 19 '14 at 01:30
  • Oh wow, this seems very promising - thanks! However, when the website is THIS evasive about pricing, that can't be a good sign! Thanks though – Robert Seder May 19 '14 at 01:39
  • I know Sandboxie has an API [you can hook in to](http://www.sandboxie.com/index.php?SBIE_DLL_API); whether what the API provides will help you or not, I have no idea. – Scott Chamberlain May 19 '14 at 04:25
  • @ScottChamberlain thanks - but that is similar to EasyHook. Instead of hooking into the file system (regardless of the calling process), with this you can only hook into processes. So, if I want to monitor the entire file system, I'd have to literally hook into every running process. That obviously is not good from a stability or performance standpoint. Thanks though! – Robert Seder May 19 '14 at 11:15

1 Answer


Looks like an XY problem. What you seem to want are reparse point handlers.

Your example of "writing a file to another location" is just a link, and those already exist; they are implemented by a standard reparse point handler.

You don't specify exactly what else you want to do, but similar things can be done by custom reparse point handlers. In short, a reparse point is a small bit of data in place of a file, which (1) specifies which handler should be called, and (2) provides custom data to that handler. For instance, the actual location of the file. Since it's custom data, you can use any format you like.

MSalters
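The two parts of a reparse point the answer describes, the tag that selects a handler and the free-form data handed to it, are easiest to see in the on-disk layout. The following is an added example, not code from the original question or answer: it builds and parses the REPARSE_GUID_DATA_BUFFER that FSCTL_SET_REPARSE_POINT stores for a non-Microsoft tag. The structure layout and the IO_REPARSE_TAG_* / MAXIMUM_REPARSE_DATA_BUFFER_SIZE constants follow the public Windows definitions (ntifs.h, MS-FSCC); EXAMPLE_TAG, EXAMPLE_HANDLER_GUID, FLAG_READ_ONLY and the "redirect" payload format are made up for illustration, since a custom tag's payload is whatever format its handler chooses.

```python
"""Custom reparse point data: build and parse the buffer that
FSCTL_SET_REPARSE_POINT stores on a file for a non-Microsoft tag.

Added example, not code from the original post.  Structure layout and the
IO_REPARSE_TAG_* / MAXIMUM_REPARSE_DATA_BUFFER_SIZE constants follow the
public Windows definitions (ntifs.h, MS-FSCC).  EXAMPLE_TAG,
EXAMPLE_HANDLER_GUID, FLAG_READ_ONLY and the redirect payload format are
made up for illustration: a custom tag's payload is whatever its handler wants.
"""
import struct
import uuid

# Reparse tag bit layout: bit 31 = Microsoft-defined tag, bit 29 = name
# surrogate (the file stands in for another path), bits 0-15 = tag value;
# bit 30 and bits 16-27 are reserved and must be zero.
TAG_MICROSOFT_BIT = 0x80000000
TAG_NAME_SURROGATE_BIT = 0x20000000
TAG_RESERVED_MASK = 0x4FFF0000
IO_REPARSE_TAG_MOUNT_POINT = 0xA0000003  # junction, handled by NTFS itself
IO_REPARSE_TAG_SYMLINK = 0xA000000C      # symbolic link, handled by NTFS itself
MAXIMUM_REPARSE_DATA_BUFFER_SIZE = 16 * 1024

# REPARSE_GUID_DATA_BUFFER header: ULONG ReparseTag, USHORT ReparseDataLength,
# USHORT Reserved, GUID ReparseGuid; ReparseDataLength bytes of payload follow.
# Microsoft tags use REPARSE_DATA_BUFFER instead, which has no GUID field.
_GUID_HEADER = struct.Struct("<IHH16s")

# Hypothetical values for a third-party handler (real tag values are assigned
# by Microsoft; this one is not real).  The name-surrogate bit is set because
# the file redirects to another path.
EXAMPLE_TAG = TAG_NAME_SURROGATE_BIT | 0xBEEF
EXAMPLE_HANDLER_GUID = uuid.UUID("6f1b0c7e-2e7b-4a61-9d3a-0b5a5e8a1c42")
FLAG_READ_ONLY = 0x0001  # made-up payload flag understood only by that handler


def is_microsoft_tag(tag: int) -> bool:
    return bool(tag & TAG_MICROSOFT_BIT)


def pack_redirect_payload(target: str, flags: int = 0) -> bytes:
    """Custom payload: USHORT flags, USHORT path byte length, UTF-16LE path."""
    path = target.encode("utf-16-le")
    return struct.pack("<HH", flags, len(path)) + path


def unpack_redirect_payload(payload: bytes) -> tuple:
    flags, path_len = struct.unpack_from("<HH", payload)
    if 4 + path_len > len(payload):
        raise ValueError("path length runs past payload")
    return flags, payload[4:4 + path_len].decode("utf-16-le")


def build_custom_reparse_buffer(tag: int, handler_guid: uuid.UUID, payload: bytes) -> bytes:
    """Serialize a REPARSE_GUID_DATA_BUFFER for a non-Microsoft tag."""
    if is_microsoft_tag(tag):
        raise ValueError("Microsoft tags do not use the GUID layout")
    if tag & TAG_RESERVED_MASK:
        raise ValueError("reserved tag bits must be zero")
    buf = _GUID_HEADER.pack(tag, len(payload), 0, handler_guid.bytes_le) + payload
    if len(buf) > MAXIMUM_REPARSE_DATA_BUFFER_SIZE:
        raise ValueError("reparse data exceeds the 16 KiB limit")
    return buf


def parse_custom_reparse_buffer(buf: bytes) -> tuple:
    """Inverse of build_custom_reparse_buffer; rejects truncated or mismatched input."""
    if len(buf) < _GUID_HEADER.size:
        raise ValueError("buffer shorter than the GUID header")
    tag, data_len, _reserved, guid_le = _GUID_HEADER.unpack_from(buf)
    if is_microsoft_tag(tag):
        raise ValueError("Microsoft tag: use REPARSE_DATA_BUFFER, not the GUID layout")
    end = _GUID_HEADER.size + data_len
    if end > len(buf):
        raise ValueError("ReparseDataLength runs past the buffer")
    return tag, uuid.UUID(bytes_le=guid_le), buf[_GUID_HEADER.size:end]


def is_valid_custom_buffer(buf: bytes) -> bool:
    """True when the buffer parses cleanly as a custom reparse point."""
    try:
        parse_custom_reparse_buffer(buf)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    payload = pack_redirect_payload(r"\??\D:\Store\test.txt", FLAG_READ_ONLY)
    blob = build_custom_reparse_buffer(EXAMPLE_TAG, EXAMPLE_HANDLER_GUID, payload)
    tag, guid, data = parse_custom_reparse_buffer(blob)
    print(f"tag=0x{tag:08X} guid={guid} redirect={unpack_redirect_payload(data)}")
```

The caveat a practitioner should keep in mind: NTFS only stores and returns this data. Opening a file that carries a tag no loaded filter driver recognizes fails (the tag is reported as not handled), so a custom tag is only half the design; the other half is the minifilter that sees the reparse status in its post-create callback and acts on the payload. The reparse point also covers only opens of that one file, which is why it does not by itself give control over directory listings.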
  • Well, writing to another location is just one scenario. I, in essence, need complete control over what a directory "looks like" to an end-user. Some virtual files might point to a physical file on disk, some items are in-memory, and I also need to manipulate the file contents in some cases too. Thanks! – Robert Seder May 19 '14 at 11:09
  • @RobertSeder: That just reinforces my belief that you're asking the wrong questions because you already have half a solution in mind. For instance, the end user view of the file system is Explorer. Which already can integrate things like the mobile phone view, printers panel or control panel. I think there's an example project which integrates the registry in there, too. – MSalters May 19 '14 at 13:52
  • No, most functionality will be done via command-line - NOT through the shell! – Robert Seder May 19 '14 at 18:20
  • In that case, reparse points. But what do you mean by "some items are in memory"? _Whose_ memory? – MSalters May 20 '14 at 07:38
  • This isn't an anti-virus program, but you can think of it like that. The AV program intercepts a file being saved to disk, it has access to the bytes of the file and if it finds something of interest, it may cancel the write and write the file to some other destination on disk. Likewise, when a user queries the contents of a folder, I need to have control over the file/folder list that is given to them. So, complete control over the I/O of either a folder or a virtual drive. Whose memory - is the memory in my process. – Robert Seder May 20 '14 at 13:35