Best way to open ADS in pre-read

Hi,

In my minifilter driver I would like to read data from an ADS of a file on pre-read.
I understand I have 2 options to open ADS:

  1. Get the file name, allocate a string and create the ADS full name (file name + ADS name), and open the ADS using FltCreateFile.
  2. Open the ADS from a file handle: I need to open the file first (using FltCreateFile) to get a file handle, and then open the ADS using this handle & ADS name.

I don’t want to get the name every time, or maintain it because it may change.
I also don’t like the overhead of 2 calls to FltCreateFile in the second option.

Is there a way to open ADS using file id and ADS name? Or maybe in the second option, get a handle to the file (from file object?) without the overhead of opening it?

Thanks

The first option is better. It has less problems with third party filters that might not process smoothly a combination of a relative open with a file handle instead of a directory handle.

There is a bigger problem you should worry about when calling FltCreateFile on a read path. A possible deadlock scenario. There is one thing you should avoid - calling FltCreateFile on a paging read path. Calling FltCreateFile for non paging read is less risky but still has a good probability for a deadlock.

ObOpenObjectByPointer can be called if at least one handle has been opened for a file object. It is not possible to synchronize a call to ObOpenObjectByPointer and a concurrent call to ZwClose if you do not have control over calls to ZwClose.

Thanks Slava.

From your answer, I think it will be simpler to move this code to post-create.
But what does ObOpenObjectByPointer actually do? Does it initiate a new “Create” flow?

It takes an initialized file object and creates an entry for it in the process’ handles table. The process’ handles table is essentially an array of file object pointers. A handle is an index in that array.

Use a full path instead of a relative open with a file handle as it is not correct to call ObOpenObjectByPointer for a file object in post-create. A file opening can be cancelled by an upper filter and having an open handle in that case results in an incorrect system behavior.

Thanks Slava.

Is it possible for the name to modified during post-create?
Can rename take place during that time?

The rename can be made by a concurrent thread and be completed before FltCreateFile is being called in a post create callback.

If I try to open the ADS by full name as you suggested, how can I be sure a rename doesn’t take place between the calls? I want to be sure I am opening the ADS of the right file.

You can track all rename operations in your filter and synchronize FltCreateFile for ADS with ongoing rename operations.