
Seeing multiple IRP_MJ_CREATE post operations (with stream context)

johnhoulding Member Posts: 28

Hello. My minifilter driver catches the IRP_MJ_CREATE operation (post), then I get the filename (exe extensions only) and copy the filename into a stream context to send it to IRP_MJ_CLEANUP. But sometimes I see multiple callbacks.
For example, in the Python interpreter:

f = open("2.exe",'wb')
f.close()
f = open("2.exe",'wb')

in DbgView:
Context not found creating...:\Device\HarddiskVolume4\Users\admin\Desktop\2.exe
Context found:\Device\HarddiskVolume4\Users\admin\Desktop\2.exe

This works well. But when I open Notepad, write some random data and save it as an exe file, I see multiple callbacks in DbgView:

Context not found creating...:\Device\HarddiskVolume4\Users\admin\Desktop\3.exe
Context not found creating...:\Device\HarddiskVolume4\Users\admin\Desktop\3.exe

Non-production code:

FLT_POSTOP_CALLBACK_STATUS PostOpCreate(PFLT_CALLBACK_DATA Data,
    PCFLT_RELATED_OBJECTS FltObjects,
    PVOID CompletionContext,
    FLT_POST_OPERATION_FLAGS Flags)
{
    PFLT_FILE_NAME_INFORMATION FileNameInfo = NULL;
    PSCANNER_STREAM_CONTEXT scannerContext = NULL;
    NTSTATUS status;
    SIZE_T copyBytes;

    UNREFERENCED_PARAMETER(CompletionContext);

    /* Nothing to track if the create failed, returned a reparse, or the
       instance is being torn down (post-op called while draining). */
    if (FlagOn(Flags, FLTFL_POST_OPERATION_DRAINING) ||
        !NT_SUCCESS(Data->IoStatus.Status) ||
        (STATUS_REPARSE == Data->IoStatus.Status)) {
        return FLT_POSTOP_FINISHED_PROCESSING;
    }

    status = FltGetFileNameInformation(Data, FLT_FILE_NAME_NORMALIZED | FLT_FILE_NAME_QUERY_DEFAULT, &FileNameInfo);
    if (!NT_SUCCESS(status))
    {
        goto exit;
    }

    status = FltParseFileNameInformation(FileNameInfo);
    if (!NT_SUCCESS(status))
    {
        goto exit;
    }

    if (FltObjects->FileObject->WriteAccess)
    {
        if (FileNameInfo->Extension.Length > 0 && FileNameInfo->Extension.Buffer != NULL)
        {
            /* Extension has no leading dot; compare case-insensitively so
               "EXE" and "Exe" are matched as well as "exe". */
            if (RtlCompareUnicodeString(&FileNameInfo->Extension, &ExeExtension, TRUE) != 0)
            {
                goto exit;
            }

            status = FltGetStreamContext(FltObjects->Instance, FltObjects->FileObject, &scannerContext);
            if (NT_SUCCESS(status))
            {
                DbgPrint("Context found:%S\n", scannerContext->Path);
                /*scannerContext->reScan = TRUE;*/
                /*FltSetStreamContext(FltObjects->Instance, FltObjects->FileObject, FLT_SET_CONTEXT_KEEP_IF_EXISTS, &scannerContext, NULL);*/
                goto exit;
            }
            else if (status == STATUS_NOT_FOUND)
            {
                /* %wZ takes a pointer to the UNICODE_STRING, not the struct by value. */
                DbgPrint("Context not found creating...:%wZ\n", &FileNameInfo->Name);
                status = FltAllocateContext(hXRFilter, FLT_STREAM_CONTEXT, sizeof(SCANNER_STREAM_CONTEXT), NonPagedPool, &scannerContext);
                if (!NT_SUCCESS(status))
                {
                    scannerContext = NULL;   /* do not release a context that was never allocated */
                    goto exit;
                }

                /* FltAllocateContext does not zero the allocation. */
                RtlZeroMemory(scannerContext, sizeof(SCANNER_STREAM_CONTEXT));
                scannerContext->reScan = FALSE;

                /* Bounded copy. Path is assumed to be a fixed-size WCHAR array inside
                   SCANNER_STREAM_CONTEXT; copy only Length bytes (not MaximumLength),
                   never more than fits, and always leave room for the terminator. */
                copyBytes = FileNameInfo->Name.Length;
                if (copyBytes > sizeof(scannerContext->Path) - sizeof(WCHAR))
                {
                    copyBytes = sizeof(scannerContext->Path) - sizeof(WCHAR);
                }
                RtlCopyMemory(scannerContext->Path, FileNameInfo->Name.Buffer, copyBytes);
                scannerContext->Path[copyBytes / sizeof(WCHAR)] = L'\0';

                /* KEEP_IF_EXISTS closes the race between the failed lookup above and this set:
                   if another thread attached a context for the same stream first, theirs is kept
                   and STATUS_FLT_CONTEXT_ALREADY_DEFINED is returned. Either way our own
                   reference on scannerContext is dropped at exit. */
                status = FltSetStreamContext(FltObjects->Instance, FltObjects->FileObject, FLT_SET_CONTEXT_KEEP_IF_EXISTS, scannerContext, NULL);
                if (!NT_SUCCESS(status) && status != STATUS_FLT_CONTEXT_ALREADY_DEFINED)
                {
                    DbgPrint("FltSetStreamContext failed: 0x%08X\n", status);
                }
                goto exit;
            }
            else {
                goto exit;
            }
        }
    }

exit:
    if (FileNameInfo != NULL)
    {
        FltReleaseFileNameInformation(FileNameInfo);
    }

    if (scannerContext != NULL)
    {
        FltReleaseContext(scannerContext);
    }

    return FLT_POSTOP_FINISHED_PROCESSING;
}

What is the problem, and how can I solve it? Thank you for reading...

Comments

  • rod_widdowson Member - All Emails Posts: 1,090

    Why do you think that there is a problem? Have you looked at the operations stream with filespy or procmon to see what happens between the creates?

    Are you sure that the file hasn't been deleted, or renamed, or purged from the cache in which case a new context would be expected...

  • johnhoulding Member Posts: 28
    edited December 2019

    Thanks for the response. I actually don't think there is a problem. But I'm just looking for a way to scan the file only once. Because I only scan by filename, if there are a lot of callbacks with the same filename I must scan all of them. For this reason I'm looking for a way to prevent this. And my second question is: how do I know which post-IRP_MJ_CLEANUP callback is the last one? Because suppose I open a file for write and write data to the file; without CloseHandle I still see a post cleanup, and when I scan the file, the file isn't closed and maybe the written data isn't flushed to the file yet, and when I open the file for reading I see nothing.
