Seeing multiple IRP_MJ_CREATE post operations (with stream context)

johnhoulding Member Posts: 28

Hello. My minifilter driver catches the IRP_MJ_CREATE operation (post), then I get the filename (exe extension only) and copy the filename into a stream context to send it to IRP_MJ_CLEANUP. But sometimes I see multiple callbacks.
For example, in the Python interpreter:

f = open("2.exe",'wb')
f.close()
f = open("2.exe",'wb')

in DbgView:
Context not found creating...:\Device\HarddiskVolume4\Users\admin\Desktop\2.exe
Context found:\Device\HarddiskVolume4\Users\admin\Desktop\2.exe

This works well, but when I open Notepad, write some random data and save it as an exe file, I see multiple callbacks in DbgView:

Context not found creating...:\Device\HarddiskVolume4\Users\admin\Desktop\3.exe
Context not found creating...:\Device\HarddiskVolume4\Users\admin\Desktop\3.exe

non-production code:

#include <fltKernel.h>
#include <ntstrsafe.h>

/* Assumed to be declared elsewhere in the driver (not shown in the post):
   hXRFilter    - the PFLT_FILTER handle returned by FltRegisterFilter
   ExeExtension - a UNICODE_STRING holding L"exe"
   SCANNER_STREAM_CONTEXT - a struct with a BOOLEAN reScan and a fixed WCHAR Path[] array */

FLT_POSTOP_CALLBACK_STATUS PostOpCreate(PFLT_CALLBACK_DATA Data,
    PCFLT_RELATED_OBJECTS FltObjects,
    PVOID CompletionContext,
    FLT_POST_OPERATION_FLAGS Flags)
{
    PFLT_FILE_NAME_INFORMATION FileNameInfo = NULL;
    PSCANNER_STREAM_CONTEXT scannerContext = NULL;
    NTSTATUS status;

    UNREFERENCED_PARAMETER(CompletionContext);

    /* While the instance is being torn down, do no work: names and contexts
       must not be touched from a draining post-operation callback. */
    if (FlagOn(Flags, FLTFL_POST_OPERATION_DRAINING))
    {
        return FLT_POSTOP_FINISHED_PROCESSING;
    }

    /* Only a create that actually succeeded (and was not a reparse) has a stream worth tracking. */
    if (!NT_SUCCESS(Data->IoStatus.Status) ||
        (STATUS_REPARSE == Data->IoStatus.Status)) {
        return FLT_POSTOP_FINISHED_PROCESSING;
    }

    status = FltGetFileNameInformation(Data, FLT_FILE_NAME_NORMALIZED | FLT_FILE_NAME_QUERY_DEFAULT, &FileNameInfo);
    if (!NT_SUCCESS(status))
    {
        goto exit;
    }

    /* Splits the name so the Extension field below is valid. */
    status = FltParseFileNameInformation(FileNameInfo);
    if (!NT_SUCCESS(status))
    {
        goto exit;
    }

    if (FltObjects->FileObject->WriteAccess)
    {
        if (FileNameInfo->Extension.Length > 0 && FileNameInfo->Extension.Buffer != NULL)
        {
            if (RtlCompareUnicodeString(&FileNameInfo->Extension, &ExeExtension, FALSE) != 0)
            {
                goto exit;
            }

            status = FltGetStreamContext(FltObjects->Instance, FltObjects->FileObject, &scannerContext);
            if (NT_SUCCESS(status))
            {
                DbgPrint("Context found:%S\n", scannerContext->Path);
                /*scannerContext->reScan = TRUE;*/
                /*FltSetStreamContext(FltObjects->Instance, FltObjects->FileObject, FLT_SET_CONTEXT_KEEP_IF_EXISTS, &scannerContext, NULL);*/
                goto exit;
            }
            else if (status == STATUS_NOT_FOUND)
            {
                DbgPrint("Context not found creating...:%wZ\n", FileNameInfo->Name);
                status = FltAllocateContext(hXRFilter, FLT_STREAM_CONTEXT, sizeof(SCANNER_STREAM_CONTEXT), NonPagedPool, &scannerContext);
                if (NT_SUCCESS(status))
                {
                    scannerContext->reScan = FALSE;

                    /* Bounded copy with NUL termination. The original copied
                       Name.MaximumLength bytes unchecked, which can overrun Path
                       and leave it unterminated for the %S print above.
                       Assumes Path is a fixed WCHAR array in SCANNER_STREAM_CONTEXT. */
                    status = RtlStringCbCopyUnicodeString(scannerContext->Path,
                                                          sizeof(scannerContext->Path),
                                                          &FileNameInfo->Name);
                    if (!NT_SUCCESS(status))
                    {
                        goto exit;   /* name too long for Path; context is released below */
                    }

                    status = FltSetStreamContext(FltObjects->Instance, FltObjects->FileObject, FLT_SET_CONTEXT_REPLACE_IF_EXISTS, scannerContext, NULL);
                    if (!NT_SUCCESS(status))
                    {
                        DbgPrint("FltSetStreamContext failed: 0x%08X\n", status);
                    }
                    /* Filter Manager holds its own reference once set; ours is released at exit. */
                    goto exit;
                }
            }
            else {
                goto exit;
            }
        }
    }

exit:
    if (FileNameInfo != NULL)
    {
        FltReleaseFileNameInformation(FileNameInfo);
    }

    if (scannerContext != NULL)
    {
        FltReleaseContext(scannerContext);
    }

    return FLT_POSTOP_FINISHED_PROCESSING;
}

What is the problem and how can I solve it? Thank you for reading...

Comments

  • rod_widdowson Member - All Emails Posts: 1,131

    Why do you think that there is a problem? Have you looked at the operation stream with FileSpy or ProcMon to see what happens between the creates?

    Are you sure that the file hasn't been deleted, or renamed, or purged from the cache, in which case a new context would be expected...

  • johnhoulding Member Posts: 28
    edited December 2019

    Thanks for the response. I actually don't think there is a problem. But I'm just looking for a way to scan the file only once. Because I only scan by filename, if there are a lot of callbacks with the same filename I must scan all of them. For this reason I'm looking for a way to prevent this. And my second question is: how do I know the post IRP_MJ_CLEANUP is the last callback? Because suppose I open a file for write and write data to the file, and without CloseHandle I see post cleanup, and when I scan the file, the file isn't closed and maybe the written data is not flushed to the file, and when I open the file for reading I see nothing.
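A get-or-create helper for the stream context, added here as an example (not the poster's code or OSR's) for both the post-create callback above and the follow-up question about scanning a file only once: it resolves the create-vs-create race with FLT_SET_CONTEXT_KEEP_IF_EXISTS (the flag the poster had commented out) and keeps a per-stream "scanned" flag so post-cleanup scans each stream once however many create/cleanup pairs it sees. The SCANNER_STREAM_CONTEXT layout, ScannerGetOrCreateStreamContext and ScannerClaimScan are assumed names; hXRFilter is the page's filter handle, assumed registered elsewhere.

```c
#include <fltKernel.h>

/* Hypothetical layout; the page does not show SCANNER_STREAM_CONTEXT. */
typedef struct _SCANNER_STREAM_CONTEXT {
    WCHAR Path[260];   /* assumption: NUL-terminated copy of the normalized name */
    LONG  Scanned;     /* 0 = not yet scanned, 1 = scanned (interlocked) */
} SCANNER_STREAM_CONTEXT, *PSCANNER_STREAM_CONTEXT;

extern PFLT_FILTER hXRFilter;   /* filter handle from the page, registered elsewhere */

/* Returns the stream context for FltObjects->FileObject, creating it once per
   stream. Two creates racing on the same stream are resolved by Filter Manager:
   the loser's FltSetStreamContext returns STATUS_FLT_CONTEXT_ALREADY_DEFINED,
   so it drops its own allocation and adopts the winner's context. */
NTSTATUS ScannerGetOrCreateStreamContext(_In_ PCFLT_RELATED_OBJECTS FltObjects,
                                         _Outptr_ PSCANNER_STREAM_CONTEXT *Context)
{
    PSCANNER_STREAM_CONTEXT newCtx = NULL, oldCtx = NULL;
    NTSTATUS status;

    *Context = NULL;
    status = FltGetStreamContext(FltObjects->Instance, FltObjects->FileObject, (PFLT_CONTEXT *)Context);
    if (status != STATUS_NOT_FOUND) {
        return status;   /* found (caller now holds a reference) or a real error */
    }

    status = FltAllocateContext(hXRFilter, FLT_STREAM_CONTEXT, sizeof(SCANNER_STREAM_CONTEXT),
                                NonPagedPoolNx, (PFLT_CONTEXT *)&newCtx);
    if (!NT_SUCCESS(status)) {
        return status;
    }
    RtlZeroMemory(newCtx, sizeof(*newCtx));

    status = FltSetStreamContext(FltObjects->Instance, FltObjects->FileObject,
                                 FLT_SET_CONTEXT_KEEP_IF_EXISTS, newCtx, (PFLT_CONTEXT *)&oldCtx);
    if (status == STATUS_FLT_CONTEXT_ALREADY_DEFINED) {
        FltReleaseContext(newCtx);   /* another create set one first; use theirs */
        *Context = oldCtx;           /* returned by Filter Manager with a reference */
        return STATUS_SUCCESS;
    }
    if (!NT_SUCCESS(status)) {
        FltReleaseContext(newCtx);
        return status;
    }
    *Context = newCtx;   /* ours; Filter Manager holds its own reference on the stream */
    return STATUS_SUCCESS;
}

/* Post-cleanup: TRUE only for the first caller on this stream. A file that was
   deleted and recreated is a new stream with a fresh context, so it is scanned
   again by design, which matches the "new context would be expected" reply. */
BOOLEAN ScannerClaimScan(_In_ PSCANNER_STREAM_CONTEXT Ctx)
{
    return InterlockedCompareExchange(&Ctx->Scanned, 1, 0) == 0;
}
```

Call ScannerGetOrCreateStreamContext from post-create and ScannerClaimScan from post-cleanup; release the context with FltReleaseContext after each use.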
