I wonder whether anyone might be able to advise me on how I can go
about detecting oplock requests in my minifilter.
So far I have tried the following two approaches.
Firstly, in my pre-create handler I am checking :
Data->Iopb->Parameters.Create.Options & FILE_RESERVE_OPFILTER
as per the MSDN documentation on IRP_MJ_CREATE. Note that I'm
building for an XP box, so FILE_OPEN_REQUIRING_OPLOCK which is
supported in Windows 7 and above isn't immediately relevant.
Secondly, in my pre-fsctl handler I am checking for IRPs in which
Data->Iopb->Parameters.FileSystemControl.Common.FsControlCode is one
of FSCTL_REQUEST_FILTER_OPLOCK, FSCTL_REQUEST_BATCH_OPLOCK,
FSCTL_REQUEST_OPLOCK_LEVEL_1 or FSCTL_REQUEST_OPLOCK_LEVEL_2. For
these IRP, I then make a call to FltRequestOperationStatusCallback()
as per the WinDDK passthru sample.
To test this code I am using Excel to open a file on a CIFS network
share. Examination of the traffic on the wire using Wireshark shows
that the client PC is making oplock requests using the SMB Locking
AndX command, however my driver doesn't detect these requests using
either of the mechanisms described above.
Is there another mechanism for oplock requests that I have missed out ?
Alternatively, is it possible that the CIFS filesystem driver is
making the oplock requests on behalf of the userspace code rather than
userspace making the requests itself (thereby bypassing my minifilter)
If anyone can shed any light on this subject I'd be most grateful.
The worst moment for the atheist is when he is really thankful and has
nobody to thank /Rossetti/