Re[2]: How to detect if callbacks already called beforefor this I/O?

NTFSD
1

You would not want to allocate a ‘stream handle’ context, this is a
context allocated for each handle associated to a file. Instead, based
on your requirements so far, you will want a ‘stream context’. So when
you call FltAllocateContext() you specify a FLT_STREAM_CONTEXT. This
will allocate 1 context for a given file or directory, independent of
how many times it is opened. There is plenty of documentation on the
differences here.

Yes, post read callback for non-cached (including paging) IO. You will
know the offset because it is part of the information provided for the
read so if you know the offset from your application, then you will know
if this read contains it. But I feel you have a catch 22 here … if
your application is going to read the file to determine where the offset
of the KOKO string is but your filter is going to modify the content,
then it is possible your application will pull the KOKO string into the
system cache, depending on how the IO is issued. There are some issues
here you need to consider in terms of how your application is operating.

That said, if your user mode application is just scanning the content of
the file for the KOKO string to determine the offset, then why not just
have your filter driver scan the read buffers for the KOKO string and
perform a replacement of it? Of course this will impact performance but
at this point it sounds like you just want to get a PoC in place?

You will also need to handle pre-write, again non-cached, so the KOKO
can be updated with KEKE before getting written to disk.

Pete


Kernel Drivers
Windows File System and Device Driver Consulting
www.KernelDrivers.com
866.263.9295

------ Original Message ------
From: “Bekir Karul”
To: “Windows File Systems Devs Interest List”
Sent: 5/3/2017 9:57:00 AM
Subject: Re: [ntfsd] How to detect if callbacks already called beforefor
this I/O?

>Hello Pete,
>
>Thank you very much for your reply.
>
>So I assume that checking for if this file already have a stream
>handle context would be enough in post-create. If it is already have
>one, so I don’t need to ask user mode for string offset again.
>
>I’m not sure if I could clearly tell what I’m trying to do. So let me
>give another example. Think that there is a file named “bpe.bbdk”. This
>file have a “KOKO” string somewhere inside it. If I open this file with
>my application, my application sees that “KOKO” string in file and pop
>up a message box and says “Heey! I got KOKO”. This string can be
>anywhere on file. So that is why I’m asking to user mode application
>for detect where it is exactly. Then, my mini-filter will use this
>offset, and catch when this offset is read. At the moment it catch it,
>it will modify read buffer (at least I hope so) and change “KOKO” to
>"KEKE.
>
>So we can say that if my mini-filter is installed on system, there will
>be no message box because mini-filter will change that string. But if
>there is no mini-filter, my application will see “KOKO” and pop up
>message box.
>
>I thought that I can modify read buffer in post-read callback. Pete, am
>I right about that? Can I see read buffer in post-read callback, and
>change it as I wanted?
>
>If so, how it can be possible to catch when that exact offset is
>reading?
>
>Thank you again for spending your valuable time with answering my
>questions.
>
>Best regards…
>
>03.05.2017, 18:35, “PScott” :
>>
>>1) Assuming you are creating a stream context, then your call to
>>FltGetStreamContext() in post-create will return STATUS_NOT_FOUND if
>>you have not created a context for the given file yet. Here you would
>>initialize and insert the stream context.
>>
>>2) You probably want to handle all non-cached (including paging here
>>of course) read/write requests. For the read processing, you would
>>modify the data in post-read to return the ‘KEKE’ string. For write
>>requests, you would handle the data in pre-write, ensuring that the
>>‘KOKO’ is stored on disk.
>>
>>3) Doing as prescribed in 2), the cache would contain the ‘KEKE’
>>string but on disk it would always contain ‘KOKO’.
>>
>>Pete
>>
>>–
>>Kernel Drivers
>>Windows File System and Device Driver Consulting
>>www.KernelDrivers.com
>>866.263.9295
>>
>>
>>
>>------ Original Message ------
>>From: “Bekir Karul”
>>To: “Windows File Systems Devs Interest List”
>>Sent: 5/3/2017 8:58:21 AM
>>Subject: [ntfsd] How to detect if callbacks already called beforefor
>>this I/O?
>>
>>>Hello there!
>>>
>>>I’m working on a mini-filter driver which changes a same size value
>>>in my application spesific file. Let me explain what I’m trying to
>>>archieve a bit. My user-mode application uses some files for handling
>>>it’s own data. This files have a extension “bbkd”. In these “bbkd”
>>>files, I have a fixed size string about this file. Let say it is
>>>“KOKO”. I want to make this “KOKO” to “KEKE” when it reads by any
>>>application only in memory. So it will still same on disk. So I
>>>tought that It would be fine if I can catch this read and change
>>>“KOKO” to “KEKE”.
>>>
>>>For this reason, I’ve registered both pre create, post create and
>>>post read callbacks. In pre-create callback, I check file extension,
>>>if it is “bbdk” I return PRE_SUCCESS_WITH_CALLBACK so my post-create
>>>callback catchs this I/O operation. In post-create callback, I send a
>>>message to my user-mode application and ask for “Hey, where that
>>>spesific string is stored? Please return me it’s offset”. She returns
>>>offset value to me and I create a stream handle context and store
>>>that offset value in there.
>>>
>>>OK, Here is where I stuck, and I have three question.
>>>
>>>1-) As far as I can see I’ve got several pre-create callback for my
>>>“hello.bbdk” file. But I guess only one of them is enough for getting
>>>offset value. What can I do about this? Hmm, can I test if this file
>>>already have a context, if so I pass it, if not so I need to handle
>>>it again?
>>>2-) Is post-write is right place for changing “KOKO” to “KEKE”? If
>>>so, what kind of a way I should follow?
>>>3-) I just want to change “KOKO” to “KEKE” when xxx.bbdk file read,
>>>so it does not have to be written to file. So what about cache? Is
>>>anything can go wrong with cache in this situation?
>>>
>>>Best regards…
>>>— NTFSD is sponsored by OSR MONTHLY seminars on crash dump
>>>analysis, WDF, Windows internals and software drivers! Details at To
>>>unsubscribe, visit the List Server section of OSR Online at
>>
>>—
>>NTFSD is sponsored by OSR
>>
>>
>>MONTHLY seminars on crash dump analysis, WDF, Windows internals and
>>software drivers!
>>Details at http:
>>
>>To unsubscribe, visit the List Server section of OSR Online at
>>http:
>— NTFSD is sponsored by OSR MONTHLY seminars on crash dump analysis,
>WDF, Windows internals and software drivers! Details at To unsubscribe,
>visit the List Server section of OSR Online at</http:></http:>

2

That is my bad. I did not carefully read context section in msdn. Thank you for clarifying that.

 

Oh, that cache thing is a serious problem. I did not notice it…

 

My user mode application surely read that file, the API I used for finding that offset value, depends on user-mode library. This is the reason I’m sending a message to user-mode for finding offset. But as you said, that is possible (or for sure) operating system can pull “KOKO” to system cache :frowning:

 

Hmm. Looks like it is also possible that my mini-filter will catch my user-mode application read I/O too! So, looks like there can be a deadlock?? Because my mini-filter will wait response from user-mode application. But at the moment my user mode application also waits for read operation finish?! I need to ignore my process I guess. What about to check process in post-read callback? So if the process is my application, simply my mini-filter ignore it.

 

But I’m not sure about what I should do about first situation. Is there a way for manually doing cache flushing for my file? Or can you please suggest me something about this?

 

Yes, we can say that I’m trying to create a PoC. I guess I can search read buffer in kernel-mode as you said, but in near future it can be a problem for me and of course as I said before, my library works only in user-mode. I must send message to user-mode for getting that offset :frowning:

 

In the beginning I really thought that it will be very easy. But I seeing that how things gets complicated in kernel-mode in a minute…

 

Best regards and thank you Pete. Your answers is really valuable for me.
 

 

03.05.2017, 19:12, “PScott” :

 

You would not want to allocate a ‘stream handle’ context, this is a context allocated for each handle associated to a file. Instead, based on your requirements so far, you will want a ‘stream context’. So when you call FltAllocateContext() you specify a FLT_STREAM_CONTEXT. This will allocate 1 context for a given file or directory, independent of how many times it is opened. There is plenty of documentation on the differences here.

 

Yes, post read callback for non-cached (including paging) IO. You will know the offset because it is part of the information provided for the read so if you know the offset from your application, then you will know if this read contains it. But I feel you have a catch 22 here … if your application is going to read the file to determine where the offset of the KOKO string is but your filter is going to modify the content, then it is possible your application will pull the KOKO string into the system cache, depending on how the IO is issued. There are some issues here you need to consider in terms of how your application is operating.

 

That said, if your user mode application is just scanning the content of the file for the KOKO string to determine the offset, then why not just have your filter driver scan the read buffers for the KOKO string and perform a replacement of it? Of course this will impact performance but at this point it sounds like you just want to get a PoC in place?

 

You will also need to handle pre-write, again non-cached, so the KOKO can be updated with KEKE before getting written to disk.

 

Pete

 

– 

Kernel Drivers

Windows File System and Device Driver Consulting

www.KernelDrivers.com

866.263.9295

 

 

 

------ Original Message ------

From: “Bekir Karul” <xxxxx@yandex.com>

To: “Windows File Systems Devs Interest List” <xxxxx@lists.osr.com>

Sent: 5/3/2017 9:57:00 AM

Subject: Re: [ntfsd] How to detect if callbacks already called beforefor this I/O?

 

Hello Pete,

Thank you very much for your reply.

 

So I assume that checking for if this file already have a **stream handle** context would be enough in post-create. If it is already have one, so I don’t need to ask user mode for string offset again.

 

I’m not sure if I could clearly tell what I’m trying to do. So let me give another example. Think that there is a file named “bpe.bbdk”. This file have a “KOKO” string somewhere inside it. If I open this file with my application, my application sees that “KOKO” string in file and pop up a message box and says “Heey! I got KOKO”. This string can be anywhere on file. So that is why I’m asking to user mode application for detect where it is exactly. Then, my mini-filter will use this offset, and catch when this offset is read. At the moment it catch it, it will modify read buffer (at least I hope so) and change “KOKO” to "KEKE.

 

So we can say that if my mini-filter is installed on system, there will be no message box because mini-filter will change that string. But if there is no mini-filter, my application will see “KOKO” and pop up message box.

 

I thought that I can modify read buffer in post-read callback. Pete, am I right about that? Can I see read buffer in post-read callback, and change it as I wanted?

 

If so, how it can be possible to catch when that exact offset is reading?

 

Thank you again for spending your valuable time with answering my questions.

Best regards…

 

03.05.2017, 18:35, “PScott” <xxxxx@kerneldrivers.com>:

 

  1. Assuming you are creating a stream context, then your call to FltGetStreamContext() in post-create will return STATUS_NOT_FOUND if you have not created a context for the given file yet. Here you would initialize and insert the stream context.

 

  1. You probably want to handle all non-cached (including paging here of course) read/write requests. For the read processing, you would modify the data in post-read to return the ‘KEKE’ string. For write requests, you would handle the data in pre-write, ensuring that the ‘KOKO’ is stored on disk.

 

  1. Doing as prescribed in 2), the cache would contain the ‘KEKE’ string but on disk it would always contain ‘KOKO’.

 

Pete

 

– 

Kernel Drivers

Windows File System and Device Driver Consulting

www.KernelDrivers.com

866.263.9295

 

 

 

------ Original Message ------

From: “Bekir Karul” <xxxxx@yandex.com>

To: “Windows File Systems Devs Interest List” <xxxxx@lists.osr.com>

Sent: 5/3/2017 8:58:21 AM

Subject: [ntfsd] How to detect if callbacks already called beforefor this I/O?

 

Hello there!

I’m working on a mini-filter driver which changes a same size value in my application spesific file. Let me explain what I’m trying to archieve a bit. My user-mode application uses some files for handling it’s own data. This files have a extension “bbkd”. In these “bbkd” files, I have a fixed size string about this file. Let say it is “KOKO”. I want to make this “KOKO” to “KEKE” when it reads by any application only in memory. So it will still same on disk. So I tought that It would be fine if I can catch this read and change “KOKO” to “KEKE”.

 

For this reason, I’ve registered both pre create, post create and post read callbacks. In pre-create callback, I check file extension, if it is “bbdk” I return PRE_SUCCESS_WITH_CALLBACK so my post-create callback catchs this I/O operation. In post-create callback, I send a message to my user-mode application and ask for “Hey, where that spesific string is stored? Please return me it’s offset”. She returns offset value to me and I create a stream handle context and store that offset value in there.

OK, Here is where I stuck, and I have three question.

 

1-) As far as I can see I’ve got several pre-create callback for my “hello.bbdk” file. But I guess only one of them is enough for getting offset value. What can I do about this? Hmm, can I test if this file already have a context, if so I pass it, if not so I need to handle it again?

2-) Is post-write is right place for changing “KOKO” to “KEKE”? If so, what kind of a way I should follow?

3-) I just want to change “KOKO” to “KEKE” when xxx.bbdk file read, so it does not have to be written to file. So what about cache? Is anything can go wrong with cache in this situation?

Best regards…
— NTFSD is sponsored by OSR MONTHLY seminars on crash dump analysis, WDF, Windows internals and software drivers! Details at To unsubscribe, visit the List Server section of OSR Online at

NTFSD is sponsored by OSR

MONTHLY seminars on crash dump analysis, WDF, Windows internals and software drivers!
Details at <http://www.osr.com/seminars>

To unsubscribe, visit the List Server section of OSR Online at <http://www.osronline.com/page.cfm?name=ListServer>

— NTFSD is sponsored by OSR MONTHLY seminars on crash dump analysis, WDF, Windows internals and software drivers! Details at To unsubscribe, visit the List Server section of OSR Online at

NTFSD is sponsored by OSR

MONTHLY seminars on crash dump analysis, WDF, Windows internals and software drivers!
Details at <http://www.osr.com/seminars>

To unsubscribe, visit the List Server section of OSR Online at <http://www.osronline.com/page.cfm?name=ListServer>

3

You could ‘register’ your user mode service with the driver and ignore
IO requests from it.

To avoid the cache issue, you can issue the IO requests as non-cached
read requests. Except for compressed volumes, this will by-pass the
cache and retrieve the content directly from disk. That said, there
could be locking issues when interacting with an AV product but you’ll
find these out soon enough.

Pete


Kernel Drivers
Windows File System and Device Driver Consulting
www.KernelDrivers.com
866.263.9295

------ Original Message ------
From: “Bekir Karul”
To: “Windows File Systems Devs Interest List”
Sent: 5/3/2017 10:30:52 AM
Subject: Re: [ntfsd] How to detect if callbacks already called beforefor
this I/O?

>That is my bad. I did not carefully read context section in msdn. Thank
>you for clarifying that.
>
>Oh, that cache thing is a serious problem. I did not notice it…
>
>My user mode application surely read that file, the API I used for
>finding that offset value, depends on user-mode library. This is the
>reason I’m sending a message to user-mode for finding offset. But as
>you said, that is possible (or for sure) operating system can pull
>“KOKO” to system cache :frowning:
>
>Hmm. Looks like it is also possible that my mini-filter will catch my
>user-mode application read I/O too! So, looks like there can be a
>deadlock?? Because my mini-filter will wait response from user-mode
>application. But at the moment my user mode application also waits for
>read operation finish?! I need to ignore my process I guess. What about
>to check process in post-read callback? So if the process is my
>application, simply my mini-filter ignore it.
>
>But I’m not sure about what I should do about first situation. Is there
>a way for manually doing cache flushing for my file? Or can you please
>suggest me something about this?
>
>Yes, we can say that I’m trying to create a PoC. I guess I can search
>read buffer in kernel-mode as you said, but in near future it can be a
>problem for me and of course as I said before, my library works only in
>user-mode. I must send message to user-mode for getting that offset :frowning:
>
>In the beginning I really thought that it will be very easy. But I
>seeing that how things gets complicated in kernel-mode in a minute…
>
>Best regards and thank you Pete. Your answers is really valuable for
>me.
>
>
>03.05.2017, 19:12, “PScott” :
>>
>>You would not want to allocate a ‘stream handle’ context, this is a
>>context allocated for each handle associated to a file. Instead, based
>>on your requirements so far, you will want a ‘stream context’. So when
>>you call FltAllocateContext() you specify a FLT_STREAM_CONTEXT. This
>>will allocate 1 context for a given file or directory, independent of
>>how many times it is opened. There is plenty of documentation on the
>>differences here.
>>
>>Yes, post read callback for non-cached (including paging) IO. You will
>>know the offset because it is part of the information provided for the
>>read so if you know the offset from your application, then you will
>>know if this read contains it. But I feel you have a catch 22 here …
>>if your application is going to read the file to determine where the
>>offset of the KOKO string is but your filter is going to modify the
>>content, then it is possible your application will pull the KOKO
>>string into the system cache, depending on how the IO is issued. There
>>are some issues here you need to consider in terms of how your
>>application is operating.
>>
>>That said, if your user mode application is just scanning the content
>>of the file for the KOKO string to determine the offset, then why not
>>just have your filter driver scan the read buffers for the KOKO string
>>and perform a replacement of it? Of course this will impact
>>performance but at this point it sounds like you just want to get a
>>PoC in place?
>>
>>You will also need to handle pre-write, again non-cached, so the KOKO
>>can be updated with KEKE before getting written to disk.
>>
>>Pete
>>
>>–
>>Kernel Drivers
>>Windows File System and Device Driver Consulting
>>www.KernelDrivers.com
>>866.263.9295
>>
>>
>>
>>------ Original Message ------
>>From: “Bekir Karul”
>>To: “Windows File Systems Devs Interest List”
>>Sent: 5/3/2017 9:57:00 AM
>>Subject: Re: [ntfsd] How to detect if callbacks already called
>>beforefor this I/O?
>>
>>>Hello Pete,
>>>
>>>Thank you very much for your reply.
>>>
>>>So I assume that checking for if this file already have a stream
>>>handle context would be enough in post-create. If it is already
>>>have one, so I don’t need to ask user mode for string offset again.
>>>
>>>I’m not sure if I could clearly tell what I’m trying to do. So let me
>>>give another example. Think that there is a file named “bpe.bbdk”.
>>>This file have a “KOKO” string somewhere inside it. If I open this
>>>file with my application, my application sees that “KOKO” string in
>>>file and pop up a message box and says “Heey! I got KOKO”. This
>>>string can be anywhere on file. So that is why I’m asking to user
>>>mode application for detect where it is exactly. Then, my mini-filter
>>>will use this offset, and catch when this offset is read. At the
>>>moment it catch it, it will modify read buffer (at least I hope so)
>>>and change “KOKO” to "KEKE.
>>>
>>>So we can say that if my mini-filter is installed on system, there
>>>will be no message box because mini-filter will change that string.
>>>But if there is no mini-filter, my application will see “KOKO” and
>>>pop up message box.
>>>
>>>I thought that I can modify read buffer in post-read callback. Pete,
>>>am I right about that? Can I see read buffer in post-read callback,
>>>and change it as I wanted?
>>>
>>>If so, how it can be possible to catch when that exact offset is
>>>reading?
>>>
>>>Thank you again for spending your valuable time with answering my
>>>questions.
>>>
>>>Best regards…
>>>
>>>03.05.2017, 18:35, “PScott” :
>>>>
>>>>1) Assuming you are creating a stream context, then your call to
>>>>FltGetStreamContext() in post-create will return STATUS_NOT_FOUND if
>>>>you have not created a context for the given file yet. Here you
>>>>would initialize and insert the stream context.
>>>>
>>>>2) You probably want to handle all non-cached (including paging here
>>>>of course) read/write requests. For the read processing, you would
>>>>modify the data in post-read to return the ‘KEKE’ string. For write
>>>>requests, you would handle the data in pre-write, ensuring that the
>>>>‘KOKO’ is stored on disk.
>>>>
>>>>3) Doing as prescribed in 2), the cache would contain the ‘KEKE’
>>>>string but on disk it would always contain ‘KOKO’.
>>>>
>>>>Pete
>>>>
>>>>–
>>>>Kernel Drivers
>>>>Windows File System and Device Driver Consulting
>>>>www.KernelDrivers.com
>>>>866.263.9295
>>>>
>>>>
>>>>
>>>>------ Original Message ------
>>>>From: “Bekir Karul”
>>>>To: “Windows File Systems Devs Interest List”
>>>>Sent: 5/3/2017 8:58:21 AM
>>>>Subject: [ntfsd] How to detect if callbacks already called beforefor
>>>>this I/O?
>>>>
>>>>>Hello there!
>>>>>
>>>>>I’m working on a mini-filter driver which changes a same size value
>>>>>in my application spesific file. Let me explain what I’m trying to
>>>>>archieve a bit. My user-mode application uses some files for
>>>>>handling it’s own data. This files have a extension “bbkd”. In
>>>>>these “bbkd” files, I have a fixed size string about this file. Let
>>>>>say it is “KOKO”. I want to make this “KOKO” to “KEKE” when it
>>>>>reads by any application only in memory. So it will still same on
>>>>>disk. So I tought that It would be fine if I can catch this read
>>>>>and change “KOKO” to “KEKE”.
>>>>>
>>>>>For this reason, I’ve registered both pre create, post create and
>>>>>post read callbacks. In pre-create callback, I check file
>>>>>extension, if it is “bbdk” I return PRE_SUCCESS_WITH_CALLBACK so my
>>>>>post-create callback catchs this I/O operation. In post-create
>>>>>callback, I send a message to my user-mode application and ask for
>>>>>“Hey, where that spesific string is stored? Please return me it’s
>>>>>offset”. She returns offset value to me and I create a stream
>>>>>handle context and store that offset value in there.
>>>>>
>>>>>OK, Here is where I stuck, and I have three question.
>>>>>
>>>>>1-) As far as I can see I’ve got several pre-create callback for my
>>>>>“hello.bbdk” file. But I guess only one of them is enough for
>>>>>getting offset value. What can I do about this? Hmm, can I test if
>>>>>this file already have a context, if so I pass it, if not so I need
>>>>>to handle it again?
>>>>>2-) Is post-write is right place for changing “KOKO” to “KEKE”? If
>>>>>so, what kind of a way I should follow?
>>>>>3-) I just want to change “KOKO” to “KEKE” when xxx.bbdk file read,
>>>>>so it does not have to be written to file. So what about cache? Is
>>>>>anything can go wrong with cache in this situation?
>>>>>
>>>>>Best regards…
>>>>>— NTFSD is sponsored by OSR MONTHLY seminars on crash dump
>>>>>analysis, WDF, Windows internals and software drivers! Details at
>>>>>To unsubscribe, visit the List Server section of OSR Online at
>>>>
>>>>—
>>>>NTFSD is sponsored by OSR
>>>>
>>>>
>>>>MONTHLY seminars on crash dump analysis, WDF, Windows internals and
>>>>software drivers!
>>>>Details at http:
>>>>
>>>>To unsubscribe, visit the List Server section of OSR Online at
>>>>http:
>>>— NTFSD is sponsored by OSR MONTHLY seminars on crash dump
>>>analysis, WDF, Windows internals and software drivers! Details at To
>>>unsubscribe, visit the List Server section of OSR Online at
>>
>>—
>>NTFSD is sponsored by OSR
>>
>>
>>MONTHLY seminars on crash dump analysis, WDF, Windows internals and
>>software drivers!
>>Details at http:
>>
>>To unsubscribe, visit the List Server section of OSR Online at
>>http:
>— NTFSD is sponsored by OSR MONTHLY seminars on crash dump analysis,
>WDF, Windows internals and software drivers! Details at To unsubscribe,
>visit the List Server section of OSR Online at</http:></http:></http:></http:>

4

Thank you very much Pete. I’ve solved cache issue with your suggestion. And also I used my process object in callbacks so application bypasses my mini-filter successfully.

 

There is only one question left. How can I understand that last handle opened by my application to my xxx.bbdk file is closed in IRP_MJ_CLOSE? Is it possible? I’ve getting several IRP_MJ_CLOSE callback in my minifilter but I want to make sure my application is really finished with file. So I tought I need to check if this close callback is last one. Is there a way for accomplish this?

Best regards…

04.05.2017, 00:54, “PScott” :

You could ‘register’ your user mode service with the driver and ignore IO requests from it. 

To avoid the cache issue, you can issue the IO requests as non-cached read requests. Except for compressed volumes, this will by-pass the cache and retrieve the content directly from disk. That said, there could be locking issues when interacting with an AV product but you’ll find these out soon enough.

Pete

– 

Kernel Drivers

Windows File System and Device Driver Consulting

www.KernelDrivers.com

866.263.9295

------ Original Message ------

From: “Bekir Karul” <xxxxx@yandex.com>

To: “Windows File Systems Devs Interest List” <xxxxx@lists.osr.com>

Sent: 5/3/2017 10:30:52 AM

Subject: Re: [ntfsd] How to detect if callbacks already called beforefor this I/O?

That is my bad. I did not carefully read context section in msdn. Thank you for clarifying that.

 

Oh, that cache thing is a serious problem. I did not notice it…

 

My user mode application surely read that file, the API I used for finding that offset value, depends on user-mode library. This is the reason I’m sending a message to user-mode for finding offset. But as you said, that is possible (or for sure) operating system can pull “KOKO” to system cache :frowning:

 

Hmm. Looks like it is also possible that my mini-filter will catch my user-mode application read I/O too! So, looks like there can be a deadlock?? Because my mini-filter will wait response from user-mode application. But at the moment my user mode application also waits for read operation finish?! I need to ignore my process I guess. What about to check process in post-read callback? So if the process is my application, simply my mini-filter ignore it.

 

But I’m not sure about what I should do about first situation. Is there a way for manually doing cache flushing for my file? Or can you please suggest me something about this?

 

Yes, we can say that I’m trying to create a PoC. I guess I can search read buffer in kernel-mode as you said, but in near future it can be a problem for me and of course as I said before, my library works only in user-mode. I must send message to user-mode for getting that offset :frowning:

 

In the beginning I really thought that it will be very easy. But I seeing that how things gets complicated in kernel-mode in a minute…

 

Best regards and thank you Pete. Your answers is really valuable for me.
 

 

03.05.2017, 19:12, “PScott” <xxxxx@kerneldrivers.com>:

 

You would not want to allocate a ‘stream handle’ context, this is a context allocated for each handle associated to a file. Instead, based on your requirements so far, you will want a ‘stream context’. So when you call FltAllocateContext() you specify a FLT_STREAM_CONTEXT. This will allocate 1 context for a given file or directory, independent of how many times it is opened. There is plenty of documentation on the differences here.

 

Yes, post read callback for non-cached (including paging) IO. You will know the offset because it is part of the information provided for the read so if you know the offset from your application, then you will know if this read contains it. But I feel you have a catch 22 here … if your application is going to read the file to determine where the offset of the KOKO string is but your filter is going to modify the content, then it is possible your application will pull the KOKO string into the system cache, depending on how the IO is issued. There are some issues here you need to consider in terms of how your application is operating.

 

That said, if your user mode application is just scanning the content of the file for the KOKO string to determine the offset, then why not just have your filter driver scan the read buffers for the KOKO string and perform a replacement of it? Of course this will impact performance but at this point it sounds like you just want to get a PoC in place?

 

You will also need to handle pre-write, again non-cached, so the KOKO can be updated with KEKE before getting written to disk.

 

Pete

 

– 

Kernel Drivers

Windows File System and Device Driver Consulting

www.KernelDrivers.com

866.263.9295

 

 

 

------ Original Message ------

From: “Bekir Karul” <xxxxx@yandex.com>

To: “Windows File Systems Devs Interest List” <xxxxx@lists.osr.com>

Sent: 5/3/2017 9:57:00 AM

Subject: Re: [ntfsd] How to detect if callbacks already called beforefor this I/O?

 

Hello Pete,

Thank you very much for your reply.

 

So I assume that checking for if this file already have a **stream handle** context would be enough in post-create. If it is already have one, so I don’t need to ask user mode for string offset again.

 

I’m not sure if I could clearly tell what I’m trying to do. So let me give another example. Think that there is a file named “bpe.bbdk”. This file have a “KOKO” string somewhere inside it. If I open this file with my application, my application sees that “KOKO” string in file and pop up a message box and says “Heey! I got KOKO”. This string can be anywhere on file. So that is why I’m asking to user mode application for detect where it is exactly. Then, my mini-filter will use this offset, and catch when this offset is read. At the moment it catch it, it will modify read buffer (at least I hope so) and change “KOKO” to "KEKE.

 

So we can say that if my mini-filter is installed on system, there will be no message box because mini-filter will change that string. But if there is no mini-filter, my application will see “KOKO” and pop up message box.

 

I thought that I can modify read buffer in post-read callback. Pete, am I right about that? Can I see read buffer in post-read callback, and change it as I wanted?

 

If so, how it can be possible to catch when that exact offset is reading?

 

Thank you again for spending your valuable time with answering my questions.

Best regards…

 

03.05.2017, 18:35, “PScott” <xxxxx@kerneldrivers.com>:

 

  1. Assuming you are creating a stream context, then your call to FltGetStreamContext() in post-create will return STATUS_NOT_FOUND if you have not created a context for the given file yet. Here you would initialize and insert the stream context.

 

  1. You probably want to handle all non-cached (including paging here of course) read/write requests. For the read processing, you would modify the data in post-read to return the ‘KEKE’ string. For write requests, you would handle the data in pre-write, ensuring that the ‘KOKO’ is stored on disk.

 

  1. Doing as prescribed in 2), the cache would contain the ‘KEKE’ string but on disk it would always contain ‘KOKO’.

 

Pete

 

– 

Kernel Drivers

Windows File System and Device Driver Consulting

www.KernelDrivers.com

866.263.9295

 

 

 

------ Original Message ------

From: “Bekir Karul” <xxxxx@yandex.com>

To: “Windows File Systems Devs Interest List” <xxxxx@lists.osr.com>

Sent: 5/3/2017 8:58:21 AM

Subject: [ntfsd] How to detect if callbacks already called beforefor this I/O?

 

Hello there!

I’m working on a mini-filter driver which changes a same size value in my application spesific file. Let me explain what I’m trying to archieve a bit. My user-mode application uses some files for handling it’s own data. This files have a extension “bbkd”. In these “bbkd” files, I have a fixed size string about this file. Let say it is “KOKO”. I want to make this “KOKO” to “KEKE” when it reads by any application only in memory. So it will still same on disk. So I tought that It would be fine if I can catch this read and change “KOKO” to “KEKE”.

 

For this reason, I’ve registered both pre create, post create and post read callbacks. In pre-create callback, I check file extension, if it is “bbdk” I return PRE_SUCCESS_WITH_CALLBACK so my post-create callback catchs this I/O operation. In post-create callback, I send a message to my user-mode application and ask for “Hey, where that spesific string is stored? Please return me it’s offset”. She returns offset value to me and I create a stream handle context and store that offset value in there.

OK, Here is where I stuck, and I have three question.

 

1-) As far as I can see I’ve got several pre-create callback for my “hello.bbdk” file. But I guess only one of them is enough for getting offset value. What can I do about this? Hmm, can I test if this file already have a context, if so I pass it, if not so I need to handle it again?

2-) Is post-write is right place for changing “KOKO” to “KEKE”? If so, what kind of a way I should follow?

3-) I just want to change “KOKO” to “KEKE” when xxx.bbdk file read, so it does not have to be written to file. So what about cache? Is anything can go wrong with cache in this situation?

Best regards…
— NTFSD is sponsored by OSR MONTHLY seminars on crash dump analysis, WDF, Windows internals and software drivers! Details at To unsubscribe, visit the List Server section of OSR Online at

NTFSD is sponsored by OSR

MONTHLY seminars on crash dump analysis, WDF, Windows internals and software drivers!
Details at <http://www.osr.com/seminars>

To unsubscribe, visit the List Server section of OSR Online at <http://www.osronline.com/page.cfm?name=ListServer>

— NTFSD is sponsored by OSR MONTHLY seminars on crash dump analysis, WDF, Windows internals and software drivers! Details at To unsubscribe, visit the List Server section of OSR Online at

NTFSD is sponsored by OSR

MONTHLY seminars on crash dump analysis, WDF, Windows internals and software drivers!
Details at <http://www.osr.com/seminars>

To unsubscribe, visit the List Server section of OSR Online at <http://www.osronline.com/page.cfm?name=ListServer>

NTFSD is sponsored by OSR

MONTHLY seminars on crash dump analysis, WDF, Windows internals and software drivers!
Details at

To unsubscribe, visit the List Server section of OSR Online at

NTFSD is sponsored by OSR

MONTHLY seminars on crash dump analysis, WDF, Windows internals and software drivers!

Details at <http://www.osr.com/seminars>

To unsubscribe, visit the List Server section of OSR Online at <http://www.osronline.com/page.cfm?name=ListServer>

5

What are you trying to figure out by knowing the last handle closed?

When a user application closes a handle you will receive an
IRP_MJ_CLEANUP callback request. When the last reference to the given
file object is closed you receive the CLOSE request. That said, the
close request could be delayed or you may never receive it if the file
is cached by some application because it could be the file object you
are interested in was used to initialize caching on the file. In this
case, not until the system needs to reclaim resources that it would
purge the file from cache resulting in the reference count going to zero
and you seeing the close.

Pete


Kernel Drivers
Windows File System and Device Driver Consulting
www.KernelDrivers.com
866.263.9295

------ Original Message ------
From: “Bekir Karul”
To: “Windows File Systems Devs Interest List”
Sent: 5/4/2017 1:47:58 AM
Subject: Re: [ntfsd] How to detect if callbacks already called beforefor
this I/O?

>Thank you very much Pete. I’ve solved cache issue with your suggestion.
>And also I used my process object in callbacks so application bypasses
>my mini-filter successfully.
>
>There is only one question left. How can I understand that last handle
>opened by my application to my xxx.bbdk file is closed in IRP_MJ_CLOSE?
>Is it possible? I’ve getting several IRP_MJ_CLOSE callback in my
>minifilter but I want to make sure my application is really finished
>with file. So I tought I need to check if this close callback is last
>one. Is there a way for accomplish this?
>
>Best regards…
>
>
>04.05.2017, 00:54, “PScott” :
>>
>>You could ‘register’ your user mode service with the driver and ignore
>>IO requests from it.
>>
>>To avoid the cache issue, you can issue the IO requests as non-cached
>>read requests. Except for compressed volumes, this will by-pass the
>>cache and retrieve the content directly from disk. That said, there
>>could be locking issues when interacting with an AV product but you’ll
>>find these out soon enough.
>>
>>Pete
>>
>>–
>>Kernel Drivers
>>Windows File System and Device Driver Consulting
>>www.KernelDrivers.com
>>866.263.9295
>>
>>
>>
>>------ Original Message ------
>>From: “Bekir Karul”
>>To: “Windows File Systems Devs Interest List”
>>Sent: 5/3/2017 10:30:52 AM
>>Subject: Re: [ntfsd] How to detect if callbacks already called
>>beforefor this I/O?
>>
>>>That is my bad. I did not carefully read context section in msdn.
>>>Thank you for clarifying that.
>>>
>>>Oh, that cache thing is a serious problem. I did not notice it…
>>>
>>>My user mode application surely read that file, the API I used for
>>>finding that offset value, depends on user-mode library. This is the
>>>reason I’m sending a message to user-mode for finding offset. But as
>>>you said, that is possible (or for sure) operating system can pull
>>>“KOKO” to system cache :frowning:
>>>
>>>Hmm. Looks like it is also possible that my mini-filter will catch my
>>>user-mode application read I/O too! So, looks like there can be a
>>>deadlock?? Because my mini-filter will wait response from user-mode
>>>application. But at the moment my user mode application also waits
>>>for read operation finish?! I need to ignore my process I guess. What
>>>about to check process in post-read callback? So if the process is my
>>>application, simply my mini-filter ignore it.
>>>
>>>But I’m not sure about what I should do about first situation. Is
>>>there a way for manually doing cache flushing for my file? Or can you
>>>please suggest me something about this?
>>>
>>>Yes, we can say that I’m trying to create a PoC. I guess I can search
>>>read buffer in kernel-mode as you said, but in near future it can be
>>>a problem for me and of course as I said before, my library works
>>>only in user-mode. I must send message to user-mode for getting that
>>>offset :frowning:
>>>
>>>In the beginning I really thought that it will be very easy. But I
>>>seeing that how things gets complicated in kernel-mode in a minute…
>>>
>>>Best regards and thank you Pete. Your answers is really valuable for
>>>me.
>>>
>>>
>>>03.05.2017, 19:12, “PScott” :
>>>>
>>>>You would not want to allocate a ‘stream handle’ context, this is a
>>>>context allocated for each handle associated to a file. Instead,
>>>>based on your requirements so far, you will want a ‘stream context’.
>>>>So when you call FltAllocateContext() you specify a
>>>>FLT_STREAM_CONTEXT. This will allocate 1 context for a given file or
>>>>directory, independent of how many times it is opened. There is
>>>>plenty of documentation on the differences here.
>>>>
>>>>Yes, post read callback for non-cached (including paging) IO. You
>>>>will know the offset because it is part of the information provided
>>>>for the read so if you know the offset from your application, then
>>>>you will know if this read contains it. But I feel you have a catch
>>>>22 here … if your application is going to read the file to
>>>>determine where the offset of the KOKO string is but your filter is
>>>>going to modify the content, then it is possible your application
>>>>will pull the KOKO string into the system cache, depending on how
>>>>the IO is issued. There are some issues here you need to consider in
>>>>terms of how your application is operating.
>>>>
>>>>That said, if your user mode application is just scanning the
>>>>content of the file for the KOKO string to determine the offset,
>>>>then why not just have your filter driver scan the read buffers for
>>>>the KOKO string and perform a replacement of it? Of course this will
>>>>impact performance but at this point it sounds like you just want to
>>>>get a PoC in place?
>>>>
>>>>You will also need to handle pre-write, again non-cached, so the
>>>>KOKO can be updated with KEKE before getting written to disk.
>>>>
>>>>Pete
>>>>
>>>>–
>>>>Kernel Drivers
>>>>Windows File System and Device Driver Consulting
>>>>www.KernelDrivers.com
>>>>866.263.9295
>>>>
>>>>
>>>>
>>>>------ Original Message ------
>>>>From: “Bekir Karul”
>>>>To: “Windows File Systems Devs Interest List”
>>>>Sent: 5/3/2017 9:57:00 AM
>>>>Subject: Re: [ntfsd] How to detect if callbacks already called
>>>>beforefor this I/O?
>>>>
>>>>>Hello Pete,
>>>>>
>>>>>Thank you very much for your reply.
>>>>>
>>>>>So I assume that checking for if this file already have a stream
>>>>>handle context would be enough in post-create. If it is already
>>>>>have one, so I don’t need to ask user mode for string offset again.
>>>>>
>>>>>I’m not sure if I could clearly tell what I’m trying to do. So let
>>>>>me give another example. Think that there is a file named
>>>>>“bpe.bbdk”. This file have a “KOKO” string somewhere inside it. If
>>>>>I open this file with my application, my application sees that
>>>>>“KOKO” string in file and pop up a message box and says “Heey! I
>>>>>got KOKO”. This string can be anywhere on file. So that is why I’m
>>>>>asking to user mode application for detect where it is exactly.
>>>>>Then, my mini-filter will use this offset, and catch when this
>>>>>offset is read. At the moment it catch it, it will modify read
>>>>>buffer (at least I hope so) and change “KOKO” to "KEKE.
>>>>>
>>>>>So we can say that if my mini-filter is installed on system, there
>>>>>will be no message box because mini-filter will change that string.
>>>>>But if there is no mini-filter, my application will see “KOKO” and
>>>>>pop up message box.
>>>>>
>>>>>I thought that I can modify read buffer in post-read callback.
>>>>>Pete, am I right about that? Can I see read buffer in post-read
>>>>>callback, and change it as I wanted?
>>>>>
>>>>>If so, how it can be possible to catch when that exact offset is
>>>>>reading?
>>>>>
>>>>>Thank you again for spending your valuable time with answering my
>>>>>questions.
>>>>>
>>>>>Best regards…
>>>>>
>>>>>03.05.2017, 18:35, “PScott” :
>>>>>>
>>>>>>1) Assuming you are creating a stream context, then your call to
>>>>>>FltGetStreamContext() in post-create will return STATUS_NOT_FOUND
>>>>>>if you have not created a context for the given file yet. Here you
>>>>>>would initialize and insert the stream context.
>>>>>>
>>>>>>2) You probably want to handle all non-cached (including paging
>>>>>>here of course) read/write requests. For the read processing, you
>>>>>>would modify the data in post-read to return the ‘KEKE’ string.
>>>>>>For write requests, you would handle the data in pre-write,
>>>>>>ensuring that the ‘KOKO’ is stored on disk.
>>>>>>
>>>>>>3) Doing as prescribed in 2), the cache would contain the ‘KEKE’
>>>>>>string but on disk it would always contain ‘KOKO’.
>>>>>>
>>>>>>Pete
>>>>>>
>>>>>>–
>>>>>>Kernel Drivers
>>>>>>Windows File System and Device Driver Consulting
>>>>>>www.KernelDrivers.com
>>>>>>866.263.9295
>>>>>>
>>>>>>
>>>>>>
>>>>>>------ Original Message ------
>>>>>>From: “Bekir Karul”
>>>>>>To: “Windows File Systems Devs Interest List”
>>>>>>
>>>>>>Sent: 5/3/2017 8:58:21 AM
>>>>>>Subject: [ntfsd] How to detect if callbacks already called
>>>>>>beforefor this I/O?
>>>>>>
>>>>>>>Hello there!
>>>>>>>
>>>>>>>I’m working on a mini-filter driver which changes a same size
>>>>>>>value in my application spesific file. Let me explain what I’m
>>>>>>>trying to archieve a bit. My user-mode application uses some
>>>>>>>files for handling it’s own data. This files have a extension
>>>>>>>“bbkd”. In these “bbkd” files, I have a fixed size string about
>>>>>>>this file. Let say it is “KOKO”. I want to make this “KOKO” to
>>>>>>>“KEKE” when it reads by any application only in memory. So it
>>>>>>>will still same on disk. So I tought that It would be fine if I
>>>>>>>can catch this read and change “KOKO” to “KEKE”.
>>>>>>>
>>>>>>>For this reason, I’ve registered both pre create, post create and
>>>>>>>post read callbacks. In pre-create callback, I check file
>>>>>>>extension, if it is “bbdk” I return PRE_SUCCESS_WITH_CALLBACK so
>>>>>>>my post-create callback catchs this I/O operation. In post-create
>>>>>>>callback, I send a message to my user-mode application and ask
>>>>>>>for “Hey, where that spesific string is stored? Please return me
>>>>>>>it’s offset”. She returns offset value to me and I create a
>>>>>>>stream handle context and store that offset value in there.
>>>>>>>
>>>>>>>OK, Here is where I stuck, and I have three question.
>>>>>>>
>>>>>>>1-) As far as I can see I’ve got several pre-create callback for
>>>>>>>my “hello.bbdk” file. But I guess only one of them is enough for
>>>>>>>getting offset value. What can I do about this? Hmm, can I test
>>>>>>>if this file already have a context, if so I pass it, if not so I
>>>>>>>need to handle it again?
>>>>>>>2-) Is post-write is right place for changing “KOKO” to “KEKE”?
>>>>>>>If so, what kind of a way I should follow?
>>>>>>>3-) I just want to change “KOKO” to “KEKE” when xxx.bbdk file
>>>>>>>read, so it does not have to be written to file. So what about
>>>>>>>cache? Is anything can go wrong with cache in this situation?
>>>>>>>
>>>>>>>Best regards…
>>>>>>>— NTFSD is sponsored by OSR MONTHLY seminars on crash dump
>>>>>>>analysis, WDF, Windows internals and software drivers! Details at
>>>>>>>To unsubscribe, visit the List Server section of OSR Online at
>>>>>>
>>>>>>—
>>>>>>NTFSD is sponsored by OSR
>>>>>>
>>>>>>
>>>>>>MONTHLY seminars on crash dump analysis, WDF, Windows internals
>>>>>>and software drivers!
>>>>>>Details at http:
>>>>>>
>>>>>>To unsubscribe, visit the List Server section of OSR Online at
>>>>>>http:
>>>>>— NTFSD is sponsored by OSR MONTHLY seminars on crash dump
>>>>>analysis, WDF, Windows internals and software drivers! Details at
>>>>>To unsubscribe, visit the List Server section of OSR Online at
>>>>
>>>>—
>>>>NTFSD is sponsored by OSR
>>>>
>>>>
>>>>MONTHLY seminars on crash dump analysis, WDF, Windows internals and
>>>>software drivers!
>>>>Details at http:
>>>>
>>>>To unsubscribe, visit the List Server section of OSR Online at
>>>>http:
>>>— NTFSD is sponsored by OSR MONTHLY seminars on crash dump
>>>analysis, WDF, Windows internals and software drivers! Details at To
>>>unsubscribe, visit the List Server section of OSR Online at
>>
>>—
>>NTFSD is sponsored by OSR
>>
>>
>>MONTHLY seminars on crash dump analysis, WDF, Windows internals and
>>software drivers!
>>Details at http:
>>
>>To unsubscribe, visit the List Server section of OSR Online at
>>http:
>— NTFSD is sponsored by OSR MONTHLY seminars on crash dump analysis,
>WDF, Windows internals and software drivers! Details at To unsubscribe,
>visit the List Server section of OSR Online at</http:></http:></http:></http:></http:></http:>