
I'm currently getting into security stuff and trying to build a basic "access limiter" which should register if a file or folder in a specific directory (including subdirectories) is created, changed, deleted etc.

I already figured out how to do it after the action took place using FileSystemWatcher, but I want to catch the request / event before it happens to process it. I already searched a while but haven't really found a solution yet.

If something like this is possible I would be grateful for tips or short samples / references. Thanks in advance.

Alireza
ThexBasic
  • Is your program going to do anything that couldn't be better done with standard Windows file permissions? – Blorgbeard Jul 30 '14 at 21:46
  • Thanks @Blorgbeard. It's my concern too – Alireza Jul 30 '14 at 21:47
  • It's more about limiting access of specific files to a specific process / program or rather getting a notification if another program wants to change something – ThexBasic Jul 30 '14 at 22:03
  • @ThexBasic If you don't use permissions, then you can't limit access to specific files. The files will still be modifiable, and you'll only get notifications (through `FileSystemWatcher`, as you said). – Jashaszun Jul 30 '14 at 22:18
  • FileSystemWatcher will notify you **after** the fact, so you can't use it to suppress/cancel actions. You would need to establish hooks for file I/O-related WINAPI functions - yes, this would involve some P/Invoke shenanigans. (see [here](http://stackoverflow.com/questions/19270790/windows-how-to-intercept-win32-disk-i-o-api) for some links and comments regarding some native(!) libraries that make hooking somewhat easier). Do you really want to do this? –  Jul 30 '14 at 22:19
  • @elgonzo yes thanks, that's exactly what I was searching for. I'll test around a little bit and post it, if I find a solution – ThexBasic Jul 30 '14 at 22:26
  • Also, look at the link provided in Bill's answer regarding intercepts in .NET. It will lead you to a .NET library (EasyHook) for WINAPI hooking from within C#. Definitely worth a look and a try before experimenting with P/Invoke yourself... –  Jul 30 '14 at 22:35
  • You can stay with .NET by using our CallbackFilter product -- it IS a filesystem filter driver that lets you intercept requests before they happen. Your code will work in user-mode (so no need to write a driver yourself). – Eugene Mayevski 'Callback Aug 01 '14 at 14:09

1 Answer

As you've stated, you can already see what happens after the fact that something has been done to a file. To my knowledge, you can't preempt file system access from .Net as this is happening on a much lower layer (right above storage). If you are trying to ensure security, you are better off focusing on NTFS/Share level security (standard permissions like Blorgbeard said).

If you really want to intercept file system calls, a file system filter driver may be what you're after but it looks very difficult.

Intro to the concept: http://msdn.microsoft.com/en-us/library/windows/hardware/dn641617

Another SO answer restating the same thing (which I based the above link on): How to intercept the access to a file in a .NET Program

Alternatively, you can tailor your security app to enumerate the security settings on files/folders as a preventative measure to ensure the proper file system security settings are in place, or take corrective action if they are not. You can use the FileSecurity class to get an idea of what is available to you (quite a bit!): http://msdn.microsoft.com/en-us/library/system.security.accesscontrol.filesecurity(v=vs.110).aspx

If you want to go the audit route and get stuck on using the FileSecurity and/or DirectorySecurity class, I would post a separate question and we can tackle that.

EDIT: Some actual code on writing the filter driver, if you are so inclined (beware, no .net): http://www.codeproject.com/Articles/43586/File-System-Filter-Driver-Tutorial

Community
Bill Sambrone
  • Thank you, this actually helped a lot. There may be easier ways to do so, but I think I'll take a look at the Filter-driver-tutorial. – ThexBasic Aug 01 '14 at 02:49
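
The preventative ACL audit suggested in the answer above (enumerating settings through `FileSecurity` / `DirectorySecurity`), as an added example that is not part of the original answer or comments. The class name `AclAudit`, the choice of "broad" groups and the set of rights treated as modifying are assumptions made for illustration; it runs on Windows only.

```csharp
// Added example: reports allow-ACEs that let broad groups modify a protected tree.
using System;
using System.Collections.Generic;
using System.IO;
using System.Security.AccessControl;
using System.Security.Principal;

static class AclAudit
{
    // Rights that let a principal alter or remove content (assumed policy, adjust as needed).
    const FileSystemRights Modifying = FileSystemRights.Write | FileSystemRights.Delete |
        FileSystemRights.DeleteSubdirectoriesAndFiles | FileSystemRights.ChangePermissions |
        FileSystemRights.TakeOwnership;
    // Unmapped GENERIC_WRITE (0x40000000) / GENERIC_ALL (0x10000000) bits can show up in inherit-only ACEs.
    const int GenericWriteOrAll = 0x50000000;
    // Assumption: these groups should never hold modifying rights below the audited root.
    static readonly HashSet<SecurityIdentifier> Broad = new HashSet<SecurityIdentifier> {
        new SecurityIdentifier(WellKnownSidType.WorldSid, null),             // Everyone
        new SecurityIdentifier(WellKnownSidType.AuthenticatedUserSid, null), // Authenticated Users
        new SecurityIdentifier(WellKnownSidType.BuiltinUsersSid, null) };    // BUILTIN\Users

    static void Check(FileSystemInfo item)
    {
        FileSystemSecurity acl;
        try { acl = item is DirectoryInfo d ? (FileSystemSecurity)d.GetAccessControl() : ((FileInfo)item).GetAccessControl(); }
        catch (UnauthorizedAccessException) { Console.WriteLine(item.FullName + ": ACL not readable"); return; }
        // Explicit and inherited rules, with identities returned as SIDs.
        foreach (FileSystemAccessRule rule in acl.GetAccessRules(true, true, typeof(SecurityIdentifier)))
        {
            bool modifies = (rule.FileSystemRights & Modifying) != 0 ||
                            ((int)rule.FileSystemRights & GenericWriteOrAll) != 0;
            if (rule.AccessControlType == AccessControlType.Allow && modifies &&
                Broad.Contains((SecurityIdentifier)rule.IdentityReference))
                Console.WriteLine("{0}: {1} allowed {2} (inherited: {3})",
                    item.FullName, rule.IdentityReference, rule.FileSystemRights, rule.IsInherited);
        }
    }

    static void Walk(DirectoryInfo dir)
    {
        Check(dir);
        try
        {
            foreach (FileInfo f in dir.GetFiles()) Check(f);
            foreach (DirectoryInfo sub in dir.GetDirectories())
                if ((sub.Attributes & FileAttributes.ReparsePoint) == 0) Walk(sub); // skip junctions/symlinks to avoid loops
        }
        catch (UnauthorizedAccessException) { Console.WriteLine(dir.FullName + ": cannot list contents"); }
    }

    static void Main(string[] args) { Walk(new DirectoryInfo(args.Length > 0 ? args[0] : ".")); }
}
```

Each reported line is a place where standard NTFS permissions, rather than a notification or hook, would need tightening; deny ACEs and effective-access computation are outside what this check covers.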