Windows System Software -- Consulting, Training, Development -- Unique Expertise, Guaranteed Results

Home NTFSD
Before Posting...
Please check out the Community Guidelines in the Announcements and Administration Category.

More Info on Driver Writing and Debugging


The free OSR Learning Library has more than 50 articles on a wide variety of topics about writing and debugging device drivers and Minifilters. From introductory level to advanced. All the articles have been recently reviewed and updated, and are written using the clear and definitive style you've come to expect from OSR over the years.


Check out The OSR Learning Library at: https://www.osr.com/osr-learning-library/


Filesystem filter driver

TuxfordTuxford Member Posts: 9
edited September 2 in NTFSD

Driver hangs when user mode application calls OpenFile.
Is here some recursion on open? Windbg doesn't catch it.

What reason can cause hang?

Code:
`NTSTATUS FsFilterDispatchPassThrough(
__in PDEVICE_OBJECT DeviceObject,
__in PIRP Irp
)
{
PFSFILTER_DEVICE_EXTENSION pDevExt = (PFSFILTER_DEVICE_EXTENSION)DeviceObject->DeviceExtension;

IoSkipCurrentIrpStackLocation(Irp);
return IoCallDriver(pDevExt->AttachedToDeviceObject, Irp);

}

NTSTATUS FsFilterDispatchCreate(
__in PDEVICE_OBJECT DeviceObject,
__in PIRP Irp
)
{
// IoGetCurrentIrpStackLocation(Irp)->DeviceObject->
PFILE_OBJECT pFileObject = IoGetCurrentIrpStackLocation(Irp)->FileObject;
UNICODE_STRING devNameInfo;
RtlInitUnicodeString(&devNameInfo, NULL);

IoGetRelatedDeviceObject(pFileObject);
if (IoGetCurrentIrpStackLocation(Irp)->DeviceObject != NULL)
{
    IoVolumeDeviceToDosName(IoGetCurrentIrpStackLocation(Irp)->DeviceObject, &devNameInfo);
}

// ObQueryNameString(pFileObject->DeviceObject, devNameInfo, devNameInfo != NULL ? maxDevNameSize : 0, &realSize);

// DbgPrint("Open %Z %wZ\n", devNameInfo, &pFileObject->FileName);

RtlFreeUnicodeString(&devNameInfo);

return FsFilterDispatchPassThrough(DeviceObject, Irp);

}

NTSTATUS DriverEntry(
__inout PDRIVER_OBJECT DriverObject,
__in PUNICODE_STRING RegistryPath
)
{
UNREFERENCED_PARAMETER(RegistryPath);
NTSTATUS status = STATUS_SUCCESS;
ULONG i = 0;

UNICODE_STRING deviceNameUnicodeString, deviceSymLinkUnicodeString;

RtlInitUnicodeString(&deviceNameUnicodeString, deviceNameBuffer);
RtlInitUnicodeString(&deviceSymLinkUnicodeString, deviceSymLinkBuffer);

status = IoCreateDevice(DriverObject,
    0, // For driver extension
    &deviceNameUnicodeString,
    FILE_DEVICE_UNKNOWN,
    FILE_DEVICE_UNKNOWN,
    FALSE,
    &devObject);

if (!NT_SUCCESS(status))
{
    DbgPrint("IoCreateDevice failed %X\n", status);
    return status;
}

status = IoCreateSymbolicLink(&deviceSymLinkUnicodeString, &deviceNameUnicodeString);
if (!NT_SUCCESS(status))
{
    DbgPrint("IoCreateSymbolicLink failed %X\n", status);
    return status;
}

g_fsFilterDriverObject = DriverObject;

status = PsSetCreateProcessNotifyRoutine(createProcessNotifyRoutine, FALSE);
if (!NT_SUCCESS(status))
{
    DbgPrint("PsSetCreateProcessNotifyRoutine failed %X\n", status);
    return status;
}
else
{
    DbgPrint("PsSetCreateProcessNotifyRoutine success %X\n", status);
}

status = FltRegisterFilter(DriverObject,
    &FilterRegistration,
    &g_data.Filter);

if (!NT_SUCCESS(status)) 
{
    DbgPrint("FltRegisterFilter failed %X", status);
    return status;
}

status = FltStartFiltering(g_data.Filter);

if (!NT_SUCCESS(status)) 
{
    FltUnregisterFilter(g_data.Filter);
    return status;
}

for (i = 0; i <= IRP_MJ_MAXIMUM_FUNCTION; ++i) 
{
    DriverObject->MajorFunction[i] = FsFilterDispatchPassThrough;
}

DriverObject->MajorFunction[IRP_MJ_CREATE] = FsFilterDispatchCreate;
DriverObject->MajorFunction[IRP_MJ_READ] = FsFilterDispatchRead;
DriverObject->MajorFunction[IRP_MJ_CLOSE] = FsFilterDispatchClose;
DriverObject->MajorFunction[IRP_MJ_DEVICE_CONTROL] = FsFilterDispatchIOControl;

DriverObject->FastIoDispatch = &g_fastIoDispatch;

status = IoRegisterFsRegistrationChange(DriverObject, FsFilterNotificationCallback); 
if (!NT_SUCCESS(status)) 
{
    return status;
}

DriverObject->DriverUnload = FsFilterUnload;

return STATUS_SUCCESS;

}`

Post edited by Peter_Viscarola_(OSR) on

Comments

  • Mark_RoddyMark_Roddy Member - All Emails Posts: 4,367
    via Email
    Basically you have a filesystem minifilter that doesn't use the defined io
    processing callbacks for minifilters, but instead bypasses all that by
    using your own WDM dispatch routines. Why?
    Try using one of the sample minifilters on github as a starting point.

    Mark Roddy
  • TuxfordTuxford Member Posts: 9

    @Mark_Roddy said:
    Basically you have a filesystem minifilter that doesn't use the defined io
    processing callbacks for minifilters, but instead bypasses all that by
    using your own WDM dispatch routines. Why?
    Try using one of the sample minifilters on github as a starting point.

    Mark Roddy

    What samples of minifilters do you mean?

    I took apriorit driver for start and added some callbacks. It works well except open device.
    I need to configure from user mode.

    It seems problem in FsFilterDispatchCreate. When it receives it's file name it handles it i the same way but has to handle in the way like that. Am I right?
    ` Irp->IoStatus.Status = STATUS_SUCCESS;

    Irp->IoStatus.Information = 0;
    IoCompleteRequest(Irp, IO_NO_INCREMENT);
    return STATUS_SUCCESS;
    `

  • TuxfordTuxford Member Posts: 9
    edited September 1

    Thank you, Mark. It seems I understand my mistake. I'll go on.

  • Peter_Viscarola_(OSR)Peter_Viscarola_(OSR) Administrator Posts: 8,052

    And for GOODNESS sakes, next time post in the right category.

    Hint: This is the wrong category.

    Peter

    Peter Viscarola
    OSR
    @OSRDrivers

  • TuxfordTuxford Member Posts: 9

    So, I looked into samples and see that communication with user mode has to be implemented via FltCreateCommunicationPort but not dispach IRP_MJ_CREATE . Is it correct?

  • Peter_Viscarola_(OSR)Peter_Viscarola_(OSR) Administrator Posts: 8,052

    Moving to NTFSD where this belongs.

    Peter

    Peter Viscarola
    OSR
    @OSRDrivers

  • Scott_Noone_(OSR)Scott_Noone_(OSR) Administrator Posts: 3,343

    I'm not sure I understand the question...But, if you're looking for a way to communicate between a user mode application/service and your filter then a Communication Port is a good choice.

    -scott
    OSR

Sign In or Register to comment.

Howdy, Stranger!

It looks like you're new here. If you want to get involved, click one of these buttons!

Upcoming OSR Seminars
OSR has suspended in-person seminars due to the Covid-19 outbreak. But, don't miss your training! Attend via the internet instead!
Internals & Software Drivers 30 Nov 2020 LIVE ONLINE
Writing WDF Drivers 7 Dec 2020 LIVE ONLINE
Developing Minifilters Early 2021 LIVE ONLINE