Minifilter Attach to a Virtual Device

I developed a minifilter file filter driver.

But when I want to attach to a virtual device (not a real hard disk, just a partition created by a driver), the minifilter can’t attach to this drive.

When I use a legacy driver to try to attach, it succeeds.

So how could I attach to a virtual device or virtual drive when I use a minifilter driver?

P.S. The virtual drive’s name is NDrive, developed by Naver.

Would you be so kind as to give us a bit more information about this “partition create by driver” and what exactly do you mean by can’t attach to this drive?
I am talking about error codes, methods used to attach. Is the partition you are talking about an actual volume? Is there a filesystem there or not (although it should not matter)?

Gabriel
www.kasardia.com

On Fri, Jun 24, 2016 at 9:55 AM, wrote:

> I developed a minifilter file filter driver.
>
> But when I want to attach to a virtual device (not a real hard disk, just a
> partition created by a driver), the minifilter can’t attach to this drive.
>
> When I use a legacy driver to try to attach, it succeeds.
>
> So how could I attach to a virtual device or virtual drive when I use
> a minifilter driver?
>
> P.S. The virtual drive’s name is NDrive, developed by Naver.


Bercea. G.

Thank you for your answer!

The following link is an image of the drive.

https://www.google.co.kr/search?q=dropbox+drive&client=firefox-b-ab&source=lnms&tbm=isch&sa=X&ved=0ahUKEwjwv8zj9sbNAhUGFJQKHVQWCKoQ_AUICCgB&biw=824&bih=811#tbm=isch&q=ndrive+n:&imgrc=mGyc5LFeEW6luM%3A

It’s a volume, but not on a hard disk.

\FileSystem\NDrive(1.0.2.3)

\Device\ndrivef1

\Device\NDrive(1.0.2.3)1

\Device\NDrive(1.0.2.3)

DriverTree prints the information like that.

When I create or open a file I can’t catch any IRP in this volume.

    #include <fltKernel.h>

    // Context types used by this filter: a single per-volume context.
    // Callbacks, VOLUME_CONTEXT and the NetworkMiniFilter* routines are
    // defined elsewhere in the driver.
    const FLT_CONTEXT_REGISTRATION Contexts[] = {

        { FLT_VOLUME_CONTEXT,
          0,
          CleanupVolumeContext,
          sizeof(VOLUME_CONTEXT),
          'xcBr' },

        { FLT_CONTEXT_END }
    };

    CONST FLT_REGISTRATION FilterRegistration = {

        sizeof(FLT_REGISTRATION),                   // Size
        FLT_REGISTRATION_VERSION,                   // Version
        0,                                          // Flags

        Contexts,                                   // Context
        Callbacks,                                  // Operation callbacks

        NetworkMiniFilterUnload,                    // MiniFilterUnload

        NetworkMiniFilterInstanceSetup,             // InstanceSetup
        //NULL,
        NetworkMiniFilterInstanceQueryTeardown,     // InstanceQueryTeardown
        NetworkMiniFilterInstanceTeardownStart,     // InstanceTeardownStart
        NetworkMiniFilterInstanceTeardownComplete,  // InstanceTeardownComplete

        NULL,                                       // GenerateFileName
        NULL,                                       // GenerateDestinationFileName
        NULL                                        // NormalizeNameComponent

    };

Yes, thanks for the nice photo, but you still have not answered my question to be able to help you more.
Do you have an error while calling any of the FltRegisterFilter/StartFiltering?
Is your NetworkMiniFilterInstanceSetup being called? And if yes do you see that FS there (during all of the instance attaches)? If you do see it and return success, you do not see any requests incoming, or you do not see the instance setup being called at all?
If you type fltmc in an admin CMD do you see any other standard minifilters attached to this FS?
Did you use filespy with the minifilter and try to attach and see any sort of activity there?
If it works with a legacy filter to attach it most certainly should work with a minifilter because the filter manager uses the same basic APIs to enumerate/attach its minifilters to different registered FSs.
Make sure you do not by some other component in your driver deny access to your registry key, mainly what is under \Instances because this way the filter manager will not call your instance attach, but I guess this should be common sense. I had to say this because I assumed you might have a self-protection of your reg keys, and by this you would just stand in your own way.

After you provide us with some more explicit information on what is actually not working then we could dive deeper. You have to understand that not everybody has the time to go get that FS install it and try it out and play with it so your explanation has to be very crisp, and precise so maybe someone can spot something wrong.

Regards,
Gabriel
www.kasardia.com
Windows Kernel Driver Consultant

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of
xxxxx@gmail.com
Sent: Monday, 27 June, 2016 02:36
To: Windows File Systems Devs Interest List
Subject: RE:[ntfsd] Minifilter Attach to a Virtual Device

Thank you for your answer!

The following link is an image of the drive.

https://www.google.co.kr/search?q=dropbox+drive&client=firefox-b-ab&source=lnms&tbm=isch&sa=X&ved=0ahUKEwjwv8zj9sbNAhUGFJQKHVQWCKoQ_AUICCgB&biw=824&bih=811#tbm=isch&q=ndrive+n:&imgrc=mGyc5LFeEW6luM%3A

It’s a volume, but not on a hard disk.

\FileSystem\NDrive(1.0.2.3)

\Device\ndrivef1

\Device\NDrive(1.0.2.3)1

\Device\NDrive(1.0.2.3)

DriverTree prints the information like that.

When I create or open a file I can’t catch any IRP in this volume.

    const FLT_CONTEXT_REGISTRATION Contexts[] = {

        { FLT_VOLUME_CONTEXT,
          0,
          CleanupVolumeContext,
          sizeof(VOLUME_CONTEXT),
          'xcBr' },

        { FLT_CONTEXT_END }
    };

    CONST FLT_REGISTRATION FilterRegistration = {

        sizeof(FLT_REGISTRATION),                   // Size
        FLT_REGISTRATION_VERSION,                   // Version
        0,                                          // Flags

        Contexts,                                   // Context
        Callbacks,                                  // Operation callbacks

        NetworkMiniFilterUnload,                    // MiniFilterUnload

        NetworkMiniFilterInstanceSetup,             // InstanceSetup
        //NULL,
        NetworkMiniFilterInstanceQueryTeardown,     // InstanceQueryTeardown
        NetworkMiniFilterInstanceTeardownStart,     // InstanceTeardownStart
        NetworkMiniFilterInstanceTeardownComplete,  // InstanceTeardownComplete

        NULL,                                       // GenerateFileName
        NULL,                                       // GenerateDestinationFileName
        NULL                                        // NormalizeNameComponent

    };


NTFSD is sponsored by OSR

MONTHLY seminars on crash dump analysis, WDF, Windows internals and software
drivers!
Details at http:

To unsubscribe, visit the List Server section of OSR Online at
http:</http:></http:>
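The user-mode checks listed in the reply above (fltmc output and the filter's \Instances registry key), collected into one script as an added example that is not part of the thread. The service name NetworkMiniFilter is an assumption taken from the callback names in the posted code, and N: is the drive letter the poster mentions; replace both as needed.

```powershell
# Added example, not from the thread. Run from an elevated PowerShell prompt.
param(
    [string]$FilterName = 'NetworkMiniFilter',  # assumed service name of the minifilter
    [string]$DosName    = 'N:'                  # drive letter of the virtual volume
)

# 1. Is the minifilter loaded?
$loaded = [bool](fltmc filters | Select-String -SimpleMatch $FilterName)

# 2. Does Filter Manager list the volume? A volume that is not listed here
#    is not known to Filter Manager, so no minifilter can be attached to it.
$volPattern = '^\s*' + [regex]::Escape($DosName) + '\s'
$volLine    = fltmc volumes | Select-String -Pattern $volPattern

# 3. Which instances (of any minifilter) exist on that volume?
$onVolume = fltmc instances -v $DosName 2>&1 | Out-String

# 4. Instance definition under the service key: default instance, altitude, flags.
$key      = "HKLM:\SYSTEM\CurrentControlSet\Services\$FilterName\Instances"
$default  = $null; $altitude = $null; $flags = $null; $deny = @()
if (Test-Path $key) {
    $default = (Get-ItemProperty -Path $key).DefaultInstance
    if ($default -and (Test-Path "$key\$default")) {
        $inst     = Get-ItemProperty -Path "$key\$default"
        $altitude = $inst.Altitude
        $flags    = $inst.Flags
    }
    # Deny ACEs on the key correspond to the "self-protection" case in the reply.
    $deny = @((Get-Acl -Path $key).Access |
              Where-Object { $_.AccessControlType -eq 'Deny' })
}

# Summary object: one row that answers each question from the reply.
[pscustomobject]@{
    FilterLoaded        = $loaded
    VolumeKnownToFltMgr = [bool]$volLine
    VolumeLine          = "$volLine".Trim()
    InstancesKeyExists  = Test-Path $key
    DefaultInstance     = $default
    Altitude            = $altitude
    AutoAttachDisabled  = [bool]($flags -band 0x1)  # Flags bit 0 suppresses automatic attach
    DenyAceCount        = $deny.Count
    InstancesOnVolume   = $onVolume.Trim()
}
```

If VolumeKnownToFltMgr is false while the drive letter is usable, the registry values are not the cause, since Filter Manager has no volume to offer to InstanceSetup.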

Thanks, Gabriel!

1. When I called FltRegisterFilter and StartFiltering, the return code was Success.

2. Normal drives like C: and D: were attached by my minifilter and I can catch the IRPs, except for the N drive (virtual drive).

3. When I type fltmc I can’t see this FS.

4. In the legacy driver I used the IoAttachDeviceToDeviceStack API to attach to the volume, but in the minifilter it is not working.

5. I used the Fltattch API but it does not work. When I use FltGetVolumeFromFileObject the return code was STATUS_INVALID_PARAMETER.

So I don’t know what I can do now; I need your help to resolve this problem. If you want more information just tell me.

Thank you!

2016-07-08 23:15 GMT+09:00 Gabriel Bercea :

> Yes, thanks for the nice photo, but you still have not answered my question to be able to help you more.
> Do you have an error while calling any of the FltRegisterFilter/StartFiltering?
> Is your NetworkMiniFilterInstanceSetup being called? And if yes do you see that FS there (during all of the instance attaches)? If you do see it and return success, you do not see any requests incoming, or you do not see the instance setup being called at all?
> If you type fltmc in an admin CMD do you see any other standard minifilters attached to this FS?
> Did you use filespy with the minifilter and try to attach and see any sort of activity there?
> If it works with a legacy filter to attach it most certainly should work with a minifilter because the filter manager uses the same basic APIs to enumerate/attach its minifilters to different registered FSs.
> Make sure you do not by some other component in your driver deny access to your registry key, mainly what is under \Instances because this way the filter manager will not call your instance attach, but I guess this should be common sense. I had to say this because I assumed you might have a self-protection of your reg keys, and by this you would just stand in your own way.
>
> After you provide us with some more explicit information on what is actually not working then we could dive deeper. You have to understand that not everybody has the time to go get that FS install it and try it out and play with it so your explanation has to be very crisp, and precise so maybe someone can spot something wrong.
>
> Regards,
> Gabriel
> www.kasardia.com
> Windows Kernel Driver Consultant