isolation minifilter - why twice IRP_MJ_CLEANUP

jgh0721 Member Posts: 4

Recently, we have been making isolation filter drivers using minifilter drivers.

Recently, while testing the filter driver, I noticed the following strange symptoms. Obviously, IRP_MJ_CLEANUP and IRP_MJ_CLOSE were called to close the FCB, but after that, IRP_MJ_CLEANUP is called again.

I run "notepad isolationtest.txt" in cmd.exe:

[WinIOSol] EvtID=000006477 IRP=IRP_MJ_CREATE Proc=002520,notepad.exe Src=C:\Documents and Settings\Administrator\isolationtest.txt
[WinIOSol] EvtID=000006477 >> Disposition=FILE_OPEN ShareAccess=FILE_SHARE_READ OpFlags= DesiredAccess=FILE_READ_ATTRIBUTES| CreateOptions=FILE_OPEN_REPARSE_POINT|
[WinIOSol] EvtID=000006477 FilterPreCreate Status=0x00000000,STATUS_SUCCESS Information=FILE_OPENED Open=1 Clean=1 Ref=1 Name=C:\Documents and Settings\Administrator\isolationtest.txt
[WinIOSol] CcAcquireForLazyWrite Thread=89A31B00 Open=1 Clean=1 Ref=1 Name=C:\Documents and Settings\Administrator\isolationtest.txt
[WinIOSol] EvtID=000006479 IRP=IRP_MJ_QUERY_INFORMATION Thread=89181210,89181210 Class=FileBasicInformation Length=40 Proc=002520,\notepad.exe Src=C:\Documents and Settings\Administrator\isolationtest.txt
[WinIOSol] CcReleaseFromLazyWrite Thread=89A31B00 Open=1 Clean=1 Ref=1 Name=C:\Documents and Settings\Administrator\isolationtest.txt
[WinIOSol] EvtID=000006481 IRP=IRP_MJ_CLEANUP Thread=89181210,89181210 Proc=002520,\notepad.exe Open=1 Clean=1 Ref=1 Src=C:\Documents and Settings\Administrator\isolationtest.txt
[WinIOSol] EvtID=000006482 IRP=IRP_MJ_CLOSE Thread=89181210,89181210 Proc=002520,\notepad.exe Open=1 Clean=0 Ref=1 Src=C:\Documents and Settings\Administrator\isolationtest.txt
[WinIOSol] EvtID=000006482 UninitializeFCB Src=C:\Documents and Settings\Administrator\isolationtest.txt
[WinIOSol] EvtID=000006499 IRP=IRP_MJ_CLEANUP Thread=89181210,89181210 Proc=002520,\notepad.exe Open=1 Clean=1 Ref=1 Src=C:\Documents and Settings\Administrator\isolationtest.txt
[WinIOSol] FilterPreAcquireCcFlush Thread=89181210 Open=1 Clean=0 Ref=1 Name=C:\Documents and Settings\Administrator\isolationtest.txt
[WinIOSol] EvtID=000006500 IRP=IRP_MJ_WRITE,NORMAL Thread=89181210,89181210 Proc=002520,\notepad.exe Src=C:\Documents and Settings\Administrator\isolationtest.txt
[WinIOSol] EvtID=000006500 >> IrpFlags=IRP_INPUT_OPERATION|IRP_NOCACHE|IRP_PAGING_IO|IRP_SYNCHRONOUS_PAGING_IO| OpFlags= Key=0 Length=4096 ByteOffset=0 Buffer=00000000
[WinIOSol] FilterPreReleaseCcFlush Thread=89181210 Open=1 Clean=0 Ref=1 Name=C:\Documents and Settings\Administrator\isolationtest.txt

My code: https://github.com/jgh0721/Win-IO-Monitor

Comments

  • Scott_Noone_(OSR) Administrator Posts: 3,352

    You have a bug someplace. The FCB is referenced for each IRP_MJ_CREATE and dereferenced on each IRP_MJ_CLOSE. Once the last IRP_MJ_CLOSE arrives there will be no more operations against the FCB.

    There are a lot of annoying races in getting this correct. Isolation filters don't usually do the tracking themselves, though; you simply set a stream context on the lower FCB and let the file system deal with it. Then when the lower FCB goes away you tear down your own FCB.

    -scott
    OSR
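
A trace checker for the rule stated in the reply above (the FCB is referenced on each IRP_MJ_CREATE, dereferenced on each IRP_MJ_CLOSE, and sees nothing after the last close), added here as an example that is not part of the thread or of the poster's driver. It assumes the [WinIOSol] line layout shown in the question and uses the file path as a stand-in for the FCB; `check_fcb_lifetime` and the sample lines are constructed for this example.

```python
import re
from collections import defaultdict

# Constructed sample in the [WinIOSol] trace format posted above (fields abridged).
SAMPLE = r"""
[WinIOSol] EvtID=000000001 IRP=IRP_MJ_CREATE Proc=000100,app.exe Src=C:\Test Dir\a.txt
[WinIOSol] EvtID=000000001 >> Disposition=FILE_OPEN ShareAccess=FILE_SHARE_READ
[WinIOSol] EvtID=000000002 IRP=IRP_MJ_CLEANUP Open=1 Clean=1 Ref=1 Src=C:\Test Dir\a.txt
[WinIOSol] EvtID=000000003 IRP=IRP_MJ_CLOSE Open=1 Clean=0 Ref=1 Src=C:\Test Dir\a.txt
[WinIOSol] EvtID=000000003 UninitializeFCB Src=C:\Test Dir\a.txt
[WinIOSol] EvtID=000000009 IRP=IRP_MJ_CLEANUP Open=1 Clean=1 Ref=1 Src=C:\Test Dir\a.txt
[WinIOSol] FilterPreAcquireCcFlush Thread=89181210 Open=1 Clean=0 Ref=1 Name=C:\Test Dir\a.txt
[WinIOSol] EvtID=000000010 IRP=IRP_MJ_WRITE,NORMAL Proc=000100,\app.exe Src=C:\Test Dir\a.txt
"""

LINE = re.compile(r"^\[WinIOSol\]\s+(?:EvtID=(?P<evt>\d+)\s+)?(?P<body>.*)$")
PATH = re.compile(r"\b(?:Src|Name)=(?P<path>.+)$")
IRP = re.compile(r"\bIRP=(IRP_MJ_\w+)")

def check_fcb_lifetime(trace):
    """Return (evt_id, operation, path) for each event that touches a file
    after its last IRP_MJ_CLOSE, or tears the FCB down while opens remain."""
    refs = defaultdict(int)  # IRP_MJ_CREATE minus IRP_MJ_CLOSE, keyed by path
    findings = []
    for raw in trace.splitlines():
        line = LINE.match(raw.strip())
        path = PATH.search(line.group("body")) if line else None
        if not path:
            continue  # blank, foreign, or ">>" continuation line without a file name
        key = path.group("path").strip().lower()
        irp = IRP.search(line.group("body"))
        op = irp.group(1) if irp else line.group("body").split()[0]
        if op == "IRP_MJ_CREATE":
            refs[key] += 1  # assumption: the create succeeds
        elif key not in refs:
            continue  # opened before the trace began, cannot be judged
        elif op == "UninitializeFCB":
            if refs[key] > 0:
                findings.append((line.group("evt"), op, key))  # torn down too early
        elif refs[key] == 0:
            findings.append((line.group("evt"), op, key))  # use after last close
        elif op == "IRP_MJ_CLOSE":
            refs[key] -= 1
    return findings

if __name__ == "__main__":
    for evt, op, path in check_fcb_lifetime(SAMPLE):
        print(f"EvtID={evt} {op} on {path}: no open outstanding")
```
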

  • jgh0721 Member Posts: 4

    Thanks for the reply.

    Thanks to that, I got a hint on that problem.

    P.S. I couldn't think of adding and managing a Stream Context in the lower FCB in the isolation filter. If so, is it possible that way when trying to do isolation filter + encryption?
