question about FsRtlCreateSectionForDataScan

maxpyff

Dear OSR Community,

I have stumbled on this API "FsRtlCreateSectionForDataScan".
I have read "https://www.osr.com/nt-insider/2019-issue1/fsrtlcreatesectionfordatascan-and-flt-variant-explained/" which does clarify a few things.
However, MSDN still tells me to "Use [it] with extreme caution".
So here is my question: is it safe to call this API from within a LoadImageNotify routine?
It appears that, more often than not, the FILE_OBJECT passed by Windows to us in the PIMAGE_INFO_EX has a 0 handle count, so that it cannot
be converted into a HANDLE (I think this is because the handle has already been closed by the DLL loader). This precludes using ZwCreateSection in this case
and would make "FsRtlCreateSectionForDataScan" very handy.

Thank you for your responses.

Peter_Viscarola_(OSR)

Moved to correct forum.

Scott_Noone_(OSR)

You really don't want to create a section on a file object post IRP_MJ_CLEANUP. This breaks the assumptions of the FS and Mm in terms of how things work and you'll end up with weird problems. If you want a section here you need to open the file again.

maxpyff

Thanks Scott.
But a PostCreate callback in a minifilter is safe ?
I can't use the "Flt..." version - need to support Windows 7.
I would assume I need to make the usual checks (TopLevelIrp is NULL for example, no handle opened yet on the FILE_OBJECT) ?

Scott_Noone_(OSR)

When you're in PostCreate it means the FS has successfully opened the file and expects to see an IRP_MJ_CLEANUP at some point. This is why you need to call FltCancelFIleOpen if you fail in PostCreate so the I/O Manager gets a chance to send a "fake" Cleanup request down to the FS.

Best option is to dynamically call the Flt API if available and use the FsRtl on Win7. You don't need to make any special top level or handle checks in PostCreate.

maxpyff

Sounds good, thank you very much for your answers.