Dear OSR Community,
I have stumbled on this API "FsRtlCreateSectionForDataScan".
I have read "https://www.osr.com/nt-insider/2019-issue1/fsrtlcreatesectionfordatascan-and-flt-variant-explained/" which does clarify a few things.
However, MSDN still tells me to "Use [it] with extreme caution".
So here is my question: is it safe to call this API from within a LoadImageNotify routine?
It appears that, more often than not, the FILE_OBJECT passed by Windows to us in the PIMAGE_INFO_EX has a 0 handle count, so that it cannot be converted into a HANDLE (I think this is because the handle has already been closed by the DLL loader). This precludes using ZwCreateSection in this case and would make "FsRtlCreateSectionForDataScan" very handy.
Thank you for your responses.
Comments
Moved to correct forum.
Peter Viscarola
OSR
@OSRDrivers
You really don't want to create a section on a file object post IRP_MJ_CLEANUP. This breaks the assumptions of the FS and Mm in terms of how things work and you'll end up with weird problems. If you want a section here you need to open the file again.
-scott
OSR
Thanks Scott.
But a PostCreate callback in a minifilter is safe?
I can't use the "Flt..." version - need to support Windows 7.
I would assume I need to make the usual checks (TopLevelIrp is NULL for example, no handle opened yet on the FILE_OBJECT)?
When you're in PostCreate it means the FS has successfully opened the file and expects to see an IRP_MJ_CLEANUP at some point. This is why you need to call FltCancelFileOpen if you fail in PostCreate so the I/O Manager gets a chance to send a "fake" Cleanup request down to the FS.
Best option is to dynamically call the Flt API if available and use the FsRtl on Win7. You don't need to make any special top level or handle checks in PostCreate.
-scott
OSR
Sounds good, thank you very much for your answers.