How can minifilter driver intercept IOCTL_MOUNTMGR_DELETE_POINTS ?

superos Member Posts: 3
edited July 24 in NTFSD

How can minifilter driver intercept IOCTL_MOUNTMGR_DELETE_POINTS ?

I have filled in IRP_MJ_DEVICE_CONTROL and IRP_MJ_INTERNAL_DEVICE_CONTROL in the FLT_OPERATION_REGISTRATION, but it does not work; it seems that IOCTL_MOUNTMGR_DELETE_POINTS still does not go through the minifilter driver.

Did I miss something?

Comments

  • Martin_Dráb Member - All Emails Posts: 56

    As far as I know, this IOCTL is sent to the Mount Point Manager. In order to intercept it, you may attach over its \Device\MountPointManager device.

    Martin Dráb

  • superos Member Posts: 3

    @Martin_Dráb said:
    As far as I know, this IOCTL is sent to the Mount Point Manager. In order to intercept it, you may attach over its \Device\MountPointManager device.

    Thanks Martin.

    If a driver attaches to some device and hooks some IRP_MJ_*, the driver object's MajorFunction member should be set. So, the new question is: is it safe to do so in a minifilter driver? For example, if a minifilter driver's code is like below:

    for (unsigned i = 0; i <= IRP_MJ_MAXIMUM_FUNCTION; i++)
    {
        pDriverObject->MajorFunction[i] = hook_function;
    }

  • Martin_Dráb Member - All Emails Posts: 56

    I think minifilters do not rely on the IRP dispatch functions (MajorFunction). Rather, they register their callbacks by passing quite a structure into FltRegisterFilter. IRPs and other requests/calls are intercepted by the Filter Manager and passed to the registered drivers by its own mechanism.

    Hence, I think it is safe to set MajorFunction of your driver as you see fit. You can verify this by looking at the DRIVER_OBJECT structure in WinDbg.

    Martin Dráb

  • superos Member Posts: 3

    I think it works. :)

    Thank you again.

    @Martin_Dráb said:
    I think minifilters do not rely on the IRP dispatch functions (MajorFunction). Rather, they register their callbacks by passing quite a structure into FltRegisterFilter. IRPs and other requests/calls are intercepted by the Filter Manager and passed to the registered drivers by its own mechanism.

    Hence, I think it is safe to set MajorFunction of your driver as you see fit. You can verify this by looking at the DRIVER_OBJECT structure in WinDbg.
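
Once a filter device attached over \Device\MountPointManager receives IRP_MJ_DEVICE_CONTROL, its dispatch routine has to recognise IOCTL_MOUNTMGR_DELETE_POINTS and bounds-check the METHOD_BUFFERED input before reading any name from it. The block below is an added example, not code from this thread: a portable C version of that check, where mount_point_hdr is assumed to mirror MOUNTMGR_MOUNT_POINT from mountmgr.h and the names inspect_delete_points and make_sample are hypothetical. In a driver the buffer and length would come from Irp->AssociatedIrp.SystemBuffer and the stack location's InputBufferLength.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* CTL_CODE(MOUNTMGRCONTROLTYPE = 0x6D, 1, METHOD_BUFFERED,
   FILE_READ_ACCESS | FILE_WRITE_ACCESS), per mountmgr.h */
#define IOCTL_MOUNTMGR_DELETE_POINTS 0x006DC004u

/* Assumed mirror of MOUNTMGR_MOUNT_POINT: offsets are from the start of
   the buffer, lengths are in bytes. */
typedef struct {
    uint32_t SymbolicLinkNameOffset; uint16_t SymbolicLinkNameLength; uint16_t Reserved1;
    uint32_t UniqueIdOffset;         uint16_t UniqueIdLength;         uint16_t Reserved2;
    uint32_t DeviceNameOffset;       uint16_t DeviceNameLength;       uint16_t Reserved3;
} mount_point_hdr;

/* A zero-length field is absent; otherwise it must start after the header
   and end inside the buffer. 64-bit arithmetic avoids wrap-around. */
static int field_in_bounds(uint32_t off, uint16_t len, size_t buflen) {
    if (len == 0) return 1;
    return off >= sizeof(mount_point_hdr) && (uint64_t)off + len <= (uint64_t)buflen;
}

/* Returns 0 if code is not DELETE_POINTS, -1 if the input is malformed,
   1 if valid. On 1, *dev and *devlen describe the UTF-16LE device name
   (devlen 0: the request selects by symbolic link or unique ID instead). */
int inspect_delete_points(uint32_t code, const uint8_t *buf, size_t buflen,
                          const uint8_t **dev, uint16_t *devlen) {
    mount_point_hdr h;
    if (code != IOCTL_MOUNTMGR_DELETE_POINTS) return 0;
    if (buf == NULL || buflen < sizeof h) return -1;
    memcpy(&h, buf, sizeof h);   /* one snapshot of the header, alignment-safe */
    if (!field_in_bounds(h.SymbolicLinkNameOffset, h.SymbolicLinkNameLength, buflen) ||
        !field_in_bounds(h.UniqueIdOffset, h.UniqueIdLength, buflen) ||
        !field_in_bounds(h.DeviceNameOffset, h.DeviceNameLength, buflen) ||
        ((h.SymbolicLinkNameLength | h.DeviceNameLength) & 1)) /* WCHAR strings */
        return -1;
    *dev = h.DeviceNameLength ? buf + h.DeviceNameOffset : NULL;
    *devlen = h.DeviceNameLength;
    return 1;
}

/* Constructed sample input: header followed by an ASCII name widened to UTF-16LE. */
size_t make_sample(uint8_t *out, size_t cap, const char *name) {
    mount_point_hdr h = {0};
    size_t n = strlen(name), i;
    if (cap < sizeof h + 2 * n) return 0;
    h.DeviceNameOffset = (uint32_t)sizeof h;
    h.DeviceNameLength = (uint16_t)(2 * n);
    memcpy(out, &h, sizeof h);
    for (i = 0; i < n; i++) { out[sizeof h + 2*i] = (uint8_t)name[i]; out[sizeof h + 2*i + 1] = 0; }
    return sizeof h + 2 * n;
}
```

A request that returns 0 or 1 is passed down the stack unchanged; how a filter treats -1 is a policy decision, since the Mount Point Manager performs its own validation.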
