
How to filter the request in MUP?

Hi all, I'm developing an encryption filter driver based on Isolation Filter, and I have now encountered a problem when the file is stored on a server, such as win2003.
My minifilter can intercept the request to "\\??\\UNC\\192.168.1.233\\test\\ccedr.txt", and just does the same thing as for a file stored locally.
But I got a BSOD as follows. It seems that MUP cannot resolve the file object, as if the request didn't go through my encryption filter. Is there a FLT_OPERATION_REGISTRATION such as IRP_MJ_MUP_XXX? How can my encryption filter intercept the request before it goes down to MUP?

MUP_FILE_SYSTEM (103)
MUP file system detected an error.
Arguments:
Arg1: 0000000000000001, MUP_BUGCHECK_NO_FILECONTEXT
Could not locate MUP file context corresponding to a file object.
Arg2: ffffbe058df963a0, Irp Address if an IRP was used, NULL otherwise.
Arg3: ffffbe058fd0aa10, FILE_OBJECT Address whose MUP file context could not be found
Arg4: ffffbe058d9c3b00, DEVICE_OBJECT Address
......
STACK_TEXT:
ffffce81`8f89a078 fffff802`ab097262 : 00000000`00000001 00000000`00000103 ffffce81`8f89a1e0 fffff802`aaf6d6c0 : nt!DbgBreakPointWithStatus
ffffce81`8f89a080 fffff802`ab096b12 : 00000000`00000003 ffffce81`8f89a1e0 fffff802`ab148610 00000000`00000103 : nt!KiBugCheckDebugBreak+0x12
ffffce81`8f89a0e0 fffff802`ab006687 : 00000000`00000000 00000000`00000001 ffffbe05`8df963a0 00000000`00000000 : nt!KeBugCheck2+0x922
ffffce81`8f89a7f0 fffff802`dd0d4ab4 : 00000000`00000103 00000000`00000001 ffffbe05`8df963a0 ffffbe05`8fd0aa10 : nt!KeBugCheckEx+0x107
ffffce81`8f89a830 fffff802`dc573502 : 00000000`00000001 ffff8bc5`e2f177f8 00000000`00000000 00000000`00000000 : mup!MupRemoveFileContext+0x1db4
ffffce81`8f89a8b0 fffff802`ab32f9af : ffffbe05`8fd0aa10 ffffce81`8f89ab80 00000000`00000001 ffffce81`00000000 : FLTMGR!FltpDispatch+0xe2
ffffce81`8f89a910 fffff802`ab3585b9 : ffffbe05`00000000 00000000`00000004 00000047`8507e388 ffffce81`8f89ab80 : nt!IopSynchronousServiceTail+0x1af
ffffce81`8f89a9d0 fffff802`ab011413 : ffffbe05`8fd3f7c0 00000047`8507e338 ffff8bc5`e2f177f8 ffff3768`00000018 : nt!NtQueryVolumeInformationFile+0x559
ffffce81`8f89aa90 00007ff9`18a25cc4 : 00007ff9`1523d205 00000216`07feabc0 00000216`07feabc0 00007ff9`17b9e460 : nt!KiSystemServiceCopyEnd+0x13
00000047`8507e318 00007ff9`1523d205 : 00000216`07feabc0 00000216`07feabc0 00007ff9`17b9e460 00000000`00000000 : ntdll!NtQueryVolumeInformationFile+0x14
00000047`8507e320 00007ff7`d6f05b86 : 00007ff7`d6f255c0 00000000`00000001 00000000`00000001 00000000`00000000 : KERNELBASE!GetFileInformationByHandle+0x45
00000047`8507e450 00007ff7`d6f0806d : 00007ff7`d6f255c0 00000000`00000001 00000216`07fe21cc 00000000`00000000 : NOTEPAD!LoadFile+0x166
00000047`8507e9e0 00007ff7`d6f03a67 : 00000216`07fe2188 00007ff9`189da670 00007ff7`d6f24a68 00000216`07fe2188 : NOTEPAD!NPInit+0x781
00000047`8507fce0 00007ff7`d6f19603 : 00000216`07fe3130 00000216`07fe3132 00000000`00000000 00000000`00000000 : NOTEPAD!WinMain+0x1d3
00000047`8507fdf0 00007ff9`15ef2774 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : NOTEPAD!__mainCRTStartup+0x19f
00000047`8507feb0 00007ff9`189f0d51 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : KERNEL32!BaseThreadInitThunk+0x14
00000047`8507fee0 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!RtlUserThreadStart+0x21

Comments

  • Is the FO which is indicated owned by you? Or is it one that you have
    opened during pre-create and are swapping out the target FOs in the
    query info request?

    Pete

    --
    Kernel Drivers
    Windows File System and Device Driver Consulting
    www.KernelDrivers.com
    866.263.9295

    ------ Original Message ------
    From: "xxxxx@serpurity.com" <xxxxx@lists.osr.com>
    To: "Windows File Systems Devs Interest List" <xxxxx@lists.osr.com>
    Sent: 12/5/2017 12:34:12 PM
    Subject: [ntfsd] How to filter the request in MUP?


  • The FO (ffffbe058fd0aa10) indicated is just a fake one; the real file object is owned by my encryption filter. If the file is located on the local file system, everything goes well, but when the file is in a network location, my encryption filter seems unable to catch the request, so it hits MUP_BUGCHECK_NO_FILECONTEXT. How can my encryption filter catch the request before it goes into MUP? I tried IRP_MJ_QUERY_VOLUME_INFORMATION, but it didn't seem to work.
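A triage sketch for the dump posted in the question, added here as an example and not part of the original thread: it parses the bugcheck arguments and stack frames from the debugger text and reports which system service reached MUP and in which frames the Arg3 file object appears. The function names and the trimmed excerpt are this example's own, and raw stack arguments on x64 are only a hint, not proof of what a frame received.

```python
import re

# Excerpt of the dump posted in the question: bugcheck header plus the
# kernel-mode frames from KeBugCheckEx down to the system service.
DUMP = """\
MUP_FILE_SYSTEM (103)
Arg1: 0000000000000001, MUP_BUGCHECK_NO_FILECONTEXT
Arg2: ffffbe058df963a0, Irp Address if an IRP was used, NULL otherwise.
Arg3: ffffbe058fd0aa10, FILE_OBJECT Address whose MUP file context could not be found
Arg4: ffffbe058d9c3b00, DEVICE_OBJECT Address
STACK_TEXT:
ffffce81`8f89a7f0 fffff802`dd0d4ab4 : 00000000`00000103 00000000`00000001 ffffbe05`8df963a0 ffffbe05`8fd0aa10 : nt!KeBugCheckEx+0x107
ffffce81`8f89a830 fffff802`dc573502 : 00000000`00000001 ffff8bc5`e2f177f8 00000000`00000000 00000000`00000000 : mup!MupRemoveFileContext+0x1db4
ffffce81`8f89a8b0 fffff802`ab32f9af : ffffbe05`8fd0aa10 ffffce81`8f89ab80 00000000`00000001 ffffce81`00000000 : FLTMGR!FltpDispatch+0xe2
ffffce81`8f89a910 fffff802`ab3585b9 : ffffbe05`00000000 00000000`00000004 00000047`8507e388 ffffce81`8f89ab80 : nt!IopSynchronousServiceTail+0x1af
ffffce81`8f89a9d0 fffff802`ab011413 : ffffbe05`8fd3f7c0 00000047`8507e338 ffff8bc5`e2f177f8 ffff3768`00000018 : nt!NtQueryVolumeInformationFile+0x559
"""

ARG_RE = re.compile(r"^Arg(\d): ([0-9a-f]{16})", re.M)
# Child-SP, RetAddr, four "args to child" values, then the call site.
FRAME_RE = re.compile(
    r"^([0-9a-f`]{17}) ([0-9a-f`]{17}) : ((?:[0-9a-f`]{17} ){4}): (\S+)$", re.M)

def parse(dump):
    """Return ({arg number: value}, [frames]) with frames innermost first."""
    args = {int(n): int(v, 16) for n, v in ARG_RE.findall(dump)}
    frames = []
    for _sp, _ret, raw, site in FRAME_RE.findall(dump):
        module, _, rest = site.partition("!")
        frames.append({"name": f"{module.lower()}!{rest.split('+')[0]}",
                       "args": [int(a.replace("`", ""), 16) for a in raw.split()]})
    return args, frames

def triage(dump):
    """Summarise how the file object named in Arg3 reached MUP."""
    args, frames = parse(dump)
    fo = args[3]
    mup = next(i for i, f in enumerate(frames) if f["name"].startswith("mup!"))
    callers = frames[mup + 1:]          # frames that led into MUP
    return {
        "no_file_context": args[1] == 1,            # MUP_BUGCHECK_NO_FILECONTEXT
        "file_object": hex(fo),
        "caller_of_mup": callers[0]["name"],
        "fo_seen_in": [f["name"] for f in frames if fo in f["args"]],
        "request": next((f["name"].split("!")[1] for f in callers
                         if f["name"].startswith("nt!Nt")), None),
    }
```
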