Intercept file\folder I\O without API hooking or filter driver

Question

I need to write a program to show a password window when user tries to access a file or folder in c++ for win XP & win 7 (for both 32bit and 64bit). But the difficult part is that I cannot use IAT \ EAT or inline hooking for this task as it is required to use a bit Microsoft supported method for this project.

While googling for this, it was also mentioned in many forums that this can be accomplished using a file system filter driver but I am wondering how I show a password dialog from a mini driver.

I think a shell extension could do this job, but msdn documentations shows that shell extension cannot be used to intercept I/O call.

Please advice, thanks in advance.

Answer 1

You do need kernel driver to achieve that. Shell hooks and extensions are only activated when file is accessed via shell (e.g. clicked on in Windows Explorer), and won't fire if file is accessed directly by other programs.

I had similar challenge when working on on-access anti-virus.

But like @selbie said, the driver code itself can't handle any interactive prompts - it must communicate to user-mode code to achieve that. That can be standalone app, or your DLL auto-loaded into every process. In my case, if user response was necessary, we had the driver and user-mode app communicating via pipes - the driver would pipe the message to user-mode app (if it was active) and then wait for response. The app issued a prompt and piped response back to the driver.

The subject of file I/O hooking was also discussed in earlier thread here.