
I'm using a minifilter scanner program. The flow of the process is as follows:

1. The program reads the file content with the FltReadFile function and stores it in a buffer.
2. The program sends the buffer to user mode.
3. User mode checks the file content and sends a block if required.

I'm trying to read the file header but am unable to do so. I think FltReadFile is sending me only the content and not the header, which I need in order to check its signature. The signature is a hex number at an offset located in the file itself.

https://en.wikipedia.org/wiki/List_of_file_signatures

My goal is to read that signature, identify it, and block access if I want to.

Thanks for your help.

  • "I think the FltReadFile is sending me only the content and not the Header" - what is this "file header"? Is it separate from the file "content"?! :) – RbMm Dec 25 '16 at 19:09
  • A file is just a sequence of bytes as far as the file system is concerned; the FltReadFile() function doesn't even know the difference between the header and the content, so there's no way it can be sending you "only the content". The actual problem is a bug in your code; you need to examine it more closely. – Harry Johnston Dec 25 '16 at 19:37
  • @HarryJohnston - I think I'm reading the buffer wrong. How can I check if the buffer contains, for example, the pattern 89 50 4E 47 0D 0A 1A 0A in hex? – user3449011 Dec 25 '16 at 19:58
  • That would depend on what language you're programming in. But it ought to be trivial, something like `if (buffer[0] == 0x89 && buffer[1] == 0x50 ...` (though if you're stuck on that, I'm afraid a filter driver might be a bit ambitious...) – Harry Johnston Dec 25 '16 at 20:56
  • @HarryJohnston - My problem was that my driver did not send all the calls, which caused it to miss the files I require. Thanks for the help! You are awesome! – user3449011 Dec 25 '16 at 21:46
  • How does your driver decide which file to read with FltReadFile? – Digvijay Rathore Aug 01 '17 at 12:15
  • **The signature** is part of the file contents and is there for sure. Make sure you are parsing it correctly or reading it correctly. Paste a code snippet and let's see how you are doing the reading/sending-to-user-mode part. Also, it would not hurt to see how you receive the data in user mode and how you attempt to parse it. – Gabriel Bercea Jan 29 '18 at 15:40
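The check the comments describe (compare the bytes the driver read against a table of magic values at known offsets) as an added, stand-alone C example; it is not the asker's driver code and not part of the original thread. The magic values are taken from the Wikipedia list linked in the question, the sample buffers standing in for what FltReadFile returned are constructed here, and the blocking policy in `should_block` is a placeholder. It is written as the user-mode side of the scanner: plain C, no Windows headers, so it builds and runs anywhere. The two points it adds beyond the `buffer[0] == 0x89 && ...` one-liner are that every comparison is bounds-checked against the number of bytes the read actually returned (a short read must not match, and must not be read past), and that `min_read_size` tells the driver how many bytes it has to request so that signatures at non-zero offsets are not silently missed.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* A magic-byte signature and the offset at which it must appear.
 * Values are taken from the Wikipedia list linked in the question. */
typedef struct {
    const char          *name;
    size_t               offset;
    const unsigned char *magic;
    size_t               magic_len;
} file_signature_t;

static const unsigned char SIG_PNG[]  = {0x89, 0x50, 0x4E, 0x47, 0x0D, 0x0A, 0x1A, 0x0A};
static const unsigned char SIG_PDF[]  = {0x25, 0x50, 0x44, 0x46, 0x2D};  /* "%PDF-" */
static const unsigned char SIG_ZIP[]  = {0x50, 0x4B, 0x03, 0x04};        /* "PK\3\4" */
static const unsigned char SIG_JPEG[] = {0xFF, 0xD8, 0xFF};
static const unsigned char SIG_ELF[]  = {0x7F, 0x45, 0x4C, 0x46};        /* "\x7fELF" */
static const unsigned char SIG_MZ[]   = {0x4D, 0x5A};                    /* "MZ" (DOS/PE) */
static const unsigned char SIG_TAR[]  = {0x75, 0x73, 0x74, 0x61, 0x72};  /* "ustar" at offset 257 */

static const file_signature_t SIGNATURES[] = {
    {"PNG",  0,   SIG_PNG,  sizeof SIG_PNG},
    {"PDF",  0,   SIG_PDF,  sizeof SIG_PDF},
    {"ZIP",  0,   SIG_ZIP,  sizeof SIG_ZIP},
    {"JPEG", 0,   SIG_JPEG, sizeof SIG_JPEG},
    {"ELF",  0,   SIG_ELF,  sizeof SIG_ELF},
    {"MZ",   0,   SIG_MZ,   sizeof SIG_MZ},
    {"TAR",  257, SIG_TAR,  sizeof SIG_TAR},
};
#define NUM_SIGNATURES (sizeof SIGNATURES / sizeof SIGNATURES[0])

/* Smallest read that can satisfy every entry in the table. The driver's
 * FltReadFile call has to request at least this many bytes, otherwise
 * signatures at larger offsets (TAR here) are never seen by user mode. */
size_t min_read_size(void)
{
    size_t need = 0, i;
    for (i = 0; i < NUM_SIGNATURES; i++) {
        size_t end = SIGNATURES[i].offset + SIGNATURES[i].magic_len;
        if (end > need) need = end;
    }
    return need;
}

/* Returns the name of the first matching signature, or NULL.
 * buf_len is the number of bytes the read actually returned, not the
 * buffer's allocated size: an entry is only tested when all of its bytes
 * are present, so a short read can neither match nor be read past. */
const char *identify_signature(const unsigned char *buf, size_t buf_len)
{
    size_t i;
    if (buf == NULL) return NULL;
    for (i = 0; i < NUM_SIGNATURES; i++) {
        const file_signature_t *s = &SIGNATURES[i];
        if (s->offset > buf_len || buf_len - s->offset < s->magic_len)
            continue;   /* too few bytes read to test this entry */
        if (memcmp(buf + s->offset, s->magic, s->magic_len) == 0)
            return s->name;
    }
    return NULL;
}

/* Policy decision for the user-mode side. Blocking native executables is a
 * placeholder for whatever policy the scanner actually applies. */
int should_block(const char *sig_name)
{
    if (sig_name == NULL) return 0;
    return strcmp(sig_name, "MZ") == 0 || strcmp(sig_name, "ELF") == 0;
}

/* Constructed sample buffers standing in for what FltReadFile returned. */
const unsigned char SAMPLE_PNG[] = {0x89, 0x50, 0x4E, 0x47, 0x0D, 0x0A, 0x1A, 0x0A,
                                    0x00, 0x00, 0x00, 0x0D, 0x49, 0x48, 0x44, 0x52};
const size_t SAMPLE_PNG_LEN = sizeof SAMPLE_PNG;
const unsigned char SAMPLE_MZ[] = {0x4D, 0x5A, 0x90, 0x00, 0x03, 0x00, 0x00, 0x00};
const size_t SAMPLE_MZ_LEN = sizeof SAMPLE_MZ;

int main(void)
{
    const char *sig;
    sig = identify_signature(SAMPLE_PNG, SAMPLE_PNG_LEN);
    printf("PNG sample: %s, block=%d\n", sig ? sig : "unknown", should_block(sig));
    /* A read that returned only 4 bytes cannot prove the 8-byte PNG signature. */
    sig = identify_signature(SAMPLE_PNG, 4);
    printf("4-byte short read: %s\n", sig ? sig : "unknown");
    sig = identify_signature(SAMPLE_MZ, SAMPLE_MZ_LEN);
    printf("MZ sample: %s, block=%d\n", sig ? sig : "unknown", should_block(sig));
    printf("minimum read size for this table: %zu bytes\n", min_read_size());
    return 0;
}
```

In the driver, the length passed to `identify_signature` should be the `BytesRead` value FltReadFile returns, not the size of the buffer that was allocated; files shorter than the longest signature in the table are a normal case, not an error, and the bounds check above is what keeps them from matching or faulting.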
