Synchronous Mod Write w/ Context

noblebarstool Member Posts: 1

Hello all,

I need to associate writes to a particular file with a process. The bulk of this project has been pretty straightforward but I am having issues capturing the 'originator' process ID. An example problem scenario is as follows:

hFile = CreateFileA();
hMapping = CreateFileMapping();
lpMemory = MapViewOfFile();


*lpMemory = 0x12345678;

As I understand, these writes are passed to the mod writer for writing at a later time. In trying to prove the concept, I initialized a cache map during IRP_MJ_ACQUIRE_FOR_SECTION_SYNC just so I could supply a context (the process) to the AcquireForLazyWrite callback. In testing, I found that this worked pretty well, but I am not sure if the stream handle context is isolated.

To add to the complexity, I'd like to be able to force the write to be synchronous. I've been calling CcFlushCache() from within IRP_MJ_RELEASE_FOR_SECTION_SYNC to force a synchronous IRP_MJ_WRITE from the system context. I still have a stream handle context at this point so have been able to ID the process in this manner (I thought these are closed as soon as the handles are closed, but it doesn't seem so). I tried FltFlushBuffers() but encountered a deadlock -- if this is how I should be flushing these writes, what is a good spot to call from?

My questions:
I realize that using Cc functions from a MF is probably discouraged -- am I screwing something up by initializing a cache map on the section synchronization?
Is there a way to force mod writes synchronously (FltFlushBuffers?) and if so, will I still have the process context I'm looking for?
Multiple processes may be accessing this file, is there a possibility for overlap in contexts (are these 'shared' between processes given that there are a maximum possible 2? sections per FILE_OBJECT?).

Thanks! I read quite a bit about memory mapped files where I could on the forum, I apologize if I missed my answer!



  • rod_widdowson Member - All Emails Posts: 1,073

    We discussed this just last week. In short, your methodology is flawed.

    Why not just capture section creation? You have all you need at that point.

    Cc functions from a MF is probably discouraged -

    Discouraged as in "if you don't own the filesystem you will eventually deadlock and crash a customer's system".

  • Scott_Noone_(OSR) Administrator Posts: 3,183

    To add to Rod's comments...

    There's no definitive way to track the write back to a particular process in this case. For example, if two processes execute your scenario above you can still only get one paging write in the System process. Which process is "the writer" in that case?

    You have to assume that if the caller is creating a writable section then they're going to write to the section. Sometimes you'll be wrong and they won't write but you at least fail safe.
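
Added example (not part of the thread and not OSR's code): a user-mode C model of the fail-safe rule from the replies above, where every process that creates a writable section is recorded as a presumed writer at section creation instead of trying to attribute the later paging write. The stream_writers record, MAX_WRITERS, PROT_BASE_MASK and the PIDs are constructed for illustration; in a minifilter the inputs would come from the IRP_MJ_ACQUIRE_FOR_SECTION_SYNCHRONIZATION parameters (SyncType, PageProtection) and the requesting process.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Values as defined in the Windows headers, repeated so this builds anywhere. */
#define PAGE_READWRITE          0x04
#define PAGE_EXECUTE_READWRITE  0x40
#define PROT_BASE_MASK          0xFF  /* hypothetical: drops modifiers such as PAGE_NOCACHE (0x200) */
enum { SyncTypeOther = 0, SyncTypeCreateSection = 1 };
#define MAX_WRITERS 8                 /* constructed limit for this sketch */

/* Hypothetical per-file record, standing in for a filter's stream context. */
struct stream_writers {
    uint32_t pids[MAX_WRITERS];
    size_t   count;
    int      overflow;                /* set when a writer could not be stored */
};

/* Only section creation with write access can later dirty the file's pages. */
static int is_writable_section(int sync_type, uint32_t prot)
{
    if (sync_type != SyncTypeCreateSection) return 0;
    prot &= PROT_BASE_MASK;
    return prot == PAGE_READWRITE || prot == PAGE_EXECUTE_READWRITE;
}

/* Decision made at section-sync time, in the requesting process's context:
 * record pid as a presumed writer. Returns 1 if pid is (now) recorded. */
static int note_section_sync(struct stream_writers *sw, int sync_type,
                             uint32_t prot, uint32_t pid)
{
    if (!is_writable_section(sync_type, prot)) return 0;
    for (size_t i = 0; i < sw->count; i++)
        if (sw->pids[i] == pid) return 1;          /* already tracked */
    if (sw->count == MAX_WRITERS) { sw->overflow = 1; return 0; }
    sw->pids[sw->count++] = pid;
    return 1;
}

int main(void)
{
    struct stream_writers sw = {0};
    note_section_sync(&sw, SyncTypeCreateSection, PAGE_READWRITE, 1111);
    note_section_sync(&sw, SyncTypeCreateSection, PAGE_READWRITE | 0x200, 2222);
    note_section_sync(&sw, SyncTypeCreateSection, 0x02 /* PAGE_READONLY */, 3333);
    /* One paging write from System now has two candidate originators. */
    printf("presumed writers: %zu\n", sw.count);
    return 0;
}
```

With two processes mapping the same file writable, the record holds two presumed writers, which is why a single paging write cannot be pinned to one of them.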

