How can a minifilter driver intercept IOCTL_MOUNTMGR_DELETE_POINTS?

superos Member Posts: 3
edited July 2019 in NTFSD

How can a minifilter driver intercept IOCTL_MOUNTMGR_DELETE_POINTS?

I have filled in IRP_MJ_DEVICE_CONTROL and IRP_MJ_INTERNAL_DEVICE_CONTROL in the FLT_OPERATION_REGISTRATION,

but it doesn't work; it seems that IOCTL_MOUNTMGR_DELETE_POINTS still does not go through the minifilter driver.

Did I miss something?

Comments

  • Martin_Dráb Member - All Emails Posts: 81

    As far as I know, this IOCTL is sent to the Mount Point Manager. In order to intercept it, you may attach over its \Device\MountPointManager device.

    Martin Dráb

  • superos Member Posts: 3

    @Martin_Dráb said:
    As far as I know, this IOCTL is sent to the Mount Point Manager. In order to intercept it, you may attach over its \Device\MountPointManager device.

    Thanks Martin.

    If a driver attaches to some device and hooks some IRP_MJ_*, the driver object's MajorFunction member should be set. So, the new question is: is it safe to do so in a minifilter driver? For example, if a minifilter driver's code is like below:

    for (unsigned i = 0; i <= IRP_MJ_MAXIMUM_FUNCTION; i++)
    {
        pDriverObject->MajorFunction[i] = hook_function;
    }

  • Martin_Dráb Member - All Emails Posts: 81

    I think minifilters do not rely on the IRP dispatch functions (MajorFunction). Rather, they register their callbacks by passing quite a structure into FltRegisterFilter. IRPs and other requests/calls are intercepted by the Filter Manager and passed to the registered drivers by its own mechanism.

    Hence, I think it is safe to set MajorFunction of your driver as you see fit. You can verify this by looking at the DRIVER_OBJECT structure in WinDbg.

    Martin Dráb

  • superos Member Posts: 3

    I think it works. :)

    Thank you again.

    @Martin_Dráb said:
    I think minifilters do not rely on the IRP dispatch functions (MajorFunction). Rather, they register their callbacks by passing quite a structure into FltRegisterFilter. IRPs and other requests/calls are intercepted by the Filter Manager and passed to the registered drivers by its own mechanism.

    Hence, I think it is safe to set MajorFunction of your driver as you see fit. You can verify this by looking at the DRIVER_OBJECT structure in WinDbg.
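
What a dispatch routine attached over \Device\MountPointManager has to decide once a device-control request reaches it, as an added example that is not code from the thread or from OSR: match the control code, then bounds-check the buffered input before reading any name from it. It is portable C rather than driver code; the IOCTL value and input layout are reproduced from mountmgr.h, while `classify_request`, `field_ok`, `MOUNT_POINT_IN` and the verdict names are hypothetical.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* CTL_CODE(MOUNTMGRCONTROLTYPE 0x6D, function 1, METHOD_BUFFERED,
   FILE_READ_ACCESS | FILE_WRITE_ACCESS), as defined in mountmgr.h. */
#define IOCTL_MOUNTMGR_DELETE_POINTS \
    ((0x6Du << 16) | (3u << 14) | (1u << 2) | 0u)

/* Same layout as MOUNTMGR_MOUNT_POINT in mountmgr.h: offsets are relative
   to the start of the buffer, lengths are in bytes. */
typedef struct {
    uint32_t SymbolicLinkNameOffset; uint16_t SymbolicLinkNameLength, Reserved1;
    uint32_t UniqueIdOffset;         uint16_t UniqueIdLength, Reserved2;
    uint32_t DeviceNameOffset;       uint16_t DeviceNameLength, Reserved3;
} MOUNT_POINT_IN;

typedef enum { PASS_THROUGH, INSPECT, MALFORMED } verdict_t;

/* This filter's own policy (an assumption): a field is usable if it is empty,
   or lies past the header and fully inside the buffer. Name fields are
   UTF-16, so their byte length must be even. */
static int field_ok(uint32_t off, uint16_t len, size_t total, int utf16)
{
    if (len == 0) return 1;
    if (utf16 && (len & 1)) return 0;
    return off >= sizeof(MOUNT_POINT_IN) && off <= total && len <= total - off;
}

/* Hypothetical helper: the decision made from the current stack location's
   IoControlCode and the METHOD_BUFFERED system buffer. */
verdict_t classify_request(uint32_t code, const void *buf, size_t len)
{
    MOUNT_POINT_IN mp;
    if (code != IOCTL_MOUNTMGR_DELETE_POINTS)
        return PASS_THROUGH;        /* not of interest: forward untouched */
    if (buf == NULL || len < sizeof mp)
        return MALFORMED;           /* too short to hold the header: do not parse */
    memcpy(&mp, buf, sizeof mp);    /* copy the header out; no alignment assumed */
    if (!field_ok(mp.SymbolicLinkNameOffset, mp.SymbolicLinkNameLength, len, 1) ||
        !field_ok(mp.UniqueIdOffset, mp.UniqueIdLength, len, 0) ||
        !field_ok(mp.DeviceNameOffset, mp.DeviceNameLength, len, 1))
        return MALFORMED;           /* a field points outside the buffer */
    return INSPECT;                 /* every non-empty field is readable in buf */
}
```

In the driver itself every verdict still ends with the IRP being forwarded to the lower device (IoSkipCurrentIrpStackLocation, then IoCallDriver) unless the filter deliberately completes it.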
