Fetch Volume Offset (LCN) of I/O During or After Post Op Callbacks

shafi747 Member Posts: 3

I am building a file system minifilter driver to track all I/Os to a volume, which becomes the foundation for the incremental backups for our disk image backups.

I have taken the minispy sample driver. We have registered IRP_MJ_WRITE alone.

On analyzing the arguments received during the Pre op and Post op callbacks:

PFLT_CALLBACK_DATA Data
Data->Iopb->Parameters.Write.ByteOffset; // The file offset of the I/O
Data->Iopb->Parameters.Write.Length; // Total I/O length

The file offset of the I/O is received. Is there any argument which directly gives me the volume offset, like legacy filters?

To map the file offset to a volume offset I have used this API call:
FltFsControlFile(Data->Iopb->TargetInstance, FltObjects->FileObject, .....)

with the FSCTL_GET_RETRIEVAL_POINTERS IOCTL,

which fetches the cluster extents or runs of the entire file.

But the API returns STATUS_END_OF_FILE for small files (less than cluster size, data written in the MFT record itself)
and INVALID_PARAMETER for system files such as $MFT, $Logfile, etc.

Any inputs would be highly valuable. Is my approach correct, or should I go for another approach?
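
The file-offset-to-volume-offset arithmetic the question describes, as an added example that is not part of the original post: portable C that walks an extent list laid out like the RETRIEVAL_POINTERS_BUFFER returned by FSCTL_GET_RETRIEVAL_POINTERS. The function name, the sentinel, the 4096-byte cluster size and the sample extents are assumptions constructed for illustration; an MFT-resident file is modelled as an empty extent list.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Mirrors one entry of RETRIEVAL_POINTERS_BUFFER.Extents[]. */
typedef struct {
    int64_t next_vcn; /* first VCN after this run */
    int64_t lcn;      /* first LCN of the run, -1 if unallocated (sparse) */
} extent_t;

#define MAP_UNMAPPED (-1) /* sentinel chosen for this example */

/* Translate a byte offset within a file into a byte offset on the volume.
 * starting_vcn corresponds to StartingVcn; ext/count are the returned runs.
 * Returns MAP_UNMAPPED when no on-disk cluster backs the offset. */
int64_t map_file_offset(int64_t file_off, int64_t starting_vcn,
                        const extent_t *ext, size_t count,
                        int64_t bytes_per_cluster)
{
    if (file_off < 0 || bytes_per_cluster <= 0)
        return MAP_UNMAPPED;
    int64_t vcn = file_off / bytes_per_cluster;
    int64_t run_start = starting_vcn;
    if (vcn < run_start)
        return MAP_UNMAPPED;
    for (size_t i = 0; i < count; i++) {
        if (vcn < ext[i].next_vcn) {
            if (ext[i].lcn < 0)
                return MAP_UNMAPPED; /* sparse hole: nothing on disk */
            int64_t lcn = ext[i].lcn + (vcn - run_start);
            return lcn * bytes_per_cluster + file_off % bytes_per_cluster;
        }
        run_start = ext[i].next_vcn; /* next run begins where this one ends */
    }
    return MAP_UNMAPPED; /* past the last run, or no extents at all */
}

/* Constructed sample: a fragmented file with a sparse run in the middle. */
static const extent_t sample_extents[] = {
    { 4, 1000 },  /* VCN 0..3 -> LCN 1000..1003 */
    { 6, -1 },    /* VCN 4..5 -> sparse */
    { 10, 5000 }, /* VCN 6..9 -> LCN 5000..5003 */
};

int main(void)
{
    long long v = map_file_offset(7 * 4096 + 512, 0, sample_extents, 3, 4096);
    printf("file offset %d -> volume offset %lld\n", 7 * 4096 + 512, v);
    return 0;
}
```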

Comments

  • Scott_Noone_(OSR) Administrator Posts: 3,300

    You will have no luck mapping a file offset to a volume offset in the I/O path. There are cases where this just won't work at all (e.g. you can't send that FSCTL during a paging I/O).

    A file system filter gets you change block tracking at the file level. If you want change block tracking at the volume level then you need a volume filter.

    -scott
    OSR

  • shafi747 Member Posts: 3

    Thanks Scott.
    So you mean that a legacy filter driver is the only option I have.
    Since Microsoft suggests porting legacy filters to the minifilter model, I was hoping for a way around.

  • Scott_Noone_(OSR) Administrator Posts: 3,300

    @shafi747 said:
    Thanks Scott.
    So you mean that a legacy filter driver is the only option I have.

    No, that's not what I mean. I think there's a terminology issue... Legacy file system filters are deprecated in favor of file system minifilters. If you are going to write a file system filter you need to use the minifilter model.

    If you're going to write a volume filter you write a Class Filter using WDF.

    -scott
    OSR

  • shafi747 Member Posts: 3

    @Scott_Noone_(OSR) Can you suggest any sample driver that would help me with this? And I suppose a system reboot is required to load such drivers?

  • Scott_Noone_(OSR) Administrator Posts: 3,300

    I don't know of any samples that will be close to what you need. The Toaster Filter is a barebones filter to give you an idea on how to get started:

    https://github.com/microsoft/Windows-driver-samples/tree/master/general/toaster/toastDrv/kmdf/filter/generic

    You'll need to at least add an EvtIoWrite event processing callback if you want to track write operations (see the initialization of the ioQueueConfig variable).

    Installation requires two steps:

    1. Install the driver as a service (as you would any other driver)
    2. Add your service name to the UpperFilters value under the Volume Class Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{71a27cdd-812a-11d0-bec7-08002be2092f}

    There's quite a bit of work to go from here to a working CBT volume filter. I don't say this to discourage you but just to set your expectations properly.

    Good luck!

    -scott
    OSR
