Windows System Software -- Consulting, Training, Development -- Unique Expertise, Guaranteed Results

Home NTFSD
Before Posting...
Please check out the Community Guidelines in the Announcements and Administration Category.

More Info on Driver Writing and Debugging


The free OSR Learning Library has more than 50 articles on a wide variety of topics about writing and debugging device drivers and Minifilters. From introductory level to advanced. All the articles have been recently reviewed and updated, and are written using the clear and definitive style you've come to expect from OSR over the years.


Check out The OSR Learning Library at: https://www.osr.com/osr-learning-library/


sending write requests to current instance in preSetInfo callback

HaiboHaibo Member Posts: 178

I want to send requests to current instance in presetinfo callback, that means i want to see the write request in my prewrite callback. According to MSDN: "FltWriteFile causes a write request to be sent to the minifilter driver instances attached below the initiating instance and to the file system. The specified instance and the instances attached above it do not receive the write request.", it seems i need to get upper instance by FltGetUpperInstance and call FltWriteFile with it. Or maybe i should use ZwWriteFile directly, can anyone advise how should i implement it?

Comments

  • rod_widdowsonrod_widdowson Member - All Emails Posts: 1,173

    You have two options, depending on what you exactly what to achieve
    1. Set the Instance parameter to NULL which will send the request from the top of the stack (this is the more usual)
    2. Call FltGetUpperInstance to find the (instantaneous) instance above you.

  • HaiboHaibo Member Posts: 178
    > @rod_widdowson said:
    > You have two options, depending on what you exactly what to achieve
    > 1. Set the Instance parameter to NULL which will send the request from the top of the stack (this is the more usual)
    > 2. Call FltGetUpperInstance to find the (instantaneous) instance above you.

    but msdn explicitly mentions that first parameter of FltWriteFile can't be NULL.
  • rod_widdowsonrod_widdowson Member - All Emails Posts: 1,173

    Oh, that's weird. I've never had to bother about that - so FltGetUpper or FltGetTopmost is what you want.

  • HaiboHaibo Member Posts: 178

    now i have another problem about writing data in postsetfileinfo(SetEndOfFileInformation...) callback. I am writing an encryption driver. When a file is extended by seteofinfo, i need to fill extended data with encrypted data so that applications see zero data which is filesystem's default behavior. However when i call FltWriteFile in postsetinfo callback i got a deadlock freeze:

    00 fffff68391081360 fffff806380dffa0 nt!KiSwapContext+0x76
    01 fffff683910814a0 fffff806380df4cf nt!KiSwapThread+0x500
    02 fffff68391081550 fffff80638073a13 nt!KiCommitThreadWait+0x14f
    03 fffff683910815f0 fffff80638130cec nt!KeWaitForGate+0xcb
    04 fffff68391081640 fffff806384ff5bb nt!MiReferenceControlArea+0x208
    05 fffff683910816d0 fffff806384fed64 nt!MiCreateImageOrDataSection+0x17b
    06 fffff683910817c0 fffff80638475214 nt!MiCreateSection+0xf4
    07 fffff68391081940 fffff8063810b852 nt!MmCreateCacheManagerSection+0x4c
    08 fffff683910819c0 fffff8063de934ce nt!CcInitializeCacheMapEx+0x442
    09 fffff68391081ac0 fffff8063dea439a Ntfs!NtfsInitializeCacheMap+0x76
    0a fffff68391081b20 fffff8063dea2de3 Ntfs!NtfsCommonWrite+0x133a
    0b fffff68391081d50 fffff806380cd805 Ntfs!NtfsFsdWrite+0x1d3
    0c fffff68391081e20 fffff806377d6ccf nt!IofCallDriver+0x55
    0d fffff68391081e60 fffff806377d8266 FLTMGR!FltpLegacyProcessingAfterPreCallbacksCompleted+0x28f
    0e fffff68391081ed0 fffff806377d15ce FLTMGR!FltPerformSynchronousIo+0x2e6
    0f fffff68391081f70 fffff806377d1411 FLTMGR!FltWriteFileEx+0x1ae
    10 fffff68391082070 fffff80636e763db FLTMGR!FltWriteFile+0x51
    11 fffff683910820e0 fffff80636e74edb myefs!MyWriteZeroData+0xcb
    12 fffff68391082160 fffff806377d5747 myefs!MyPostSetInformation+0x207 // SetEndOfFileInformation
    13 fffff683910821f0 fffff806377d5018 FLTMGR!FltpPerformPostCallbacksWorker+0x347
    14 fffff683910822c0 fffff806377d6d62 FLTMGR!FltpPassThroughCompletionWorker+0xf8
    15 fffff68391082360 fffff806377d48d3 FLTMGR!FltpLegacyProcessingAfterPreCallbacksCompleted+0x322
    16 fffff683910823d0 fffff806380cd805 FLTMGR!FltpDispatch+0xa3
    17 fffff68391082430 fffff80638460f96 nt!IofCallDriver+0x55
    18 fffff68391082470 fffff8063840ba87 nt!FsRtlSetFileSize+0xd6
    19 fffff683910824f0 fffff8063840afcb nt!MiCreateDataFileMap+0x30f
    1a fffff68391082560 fffff806384ff71b nt!MiCreateNewSection+0x153
    1b fffff683910826d0 fffff806384fed64 nt!MiCreateImageOrDataSection+0x2db
    1c fffff683910827c0 fffff806384feb47 nt!MiCreateSection+0xf4
    1d fffff68391082940 fffff806384fe92c nt!MiCreateSectionCommon+0x207
    1e fffff68391082a20 fffff80638205fb5 nt!NtCreateSection+0x5c
    1f fffff68391082a90 00007ffe69f4c6d4 nt!KiSystemServiceCopyEnd+0x25

    One way i have in my mind is to use FLTFL_IO_OPERATION_NON_CACHED to write data to disk directly, but considering this flag requires length aligned by sector, it seems i will have to set eof again after FltWriteFile, am i correct or is there any other good solution?

  • rod_widdowsonrod_widdowson Member - All Emails Posts: 1,173

    Don't send non paging IO down in the context of a paging IO.

  • Dejan_MaksimovicDejan_Maksimovic Member - All Emails Posts: 374

    @Haibo said:
    now i have another problem about writing data in postsetfileinfo(SetEndOfFileInformation...) callback. I am writing an encryption driver. When a file is extended by seteofinfo, i need to fill extended data with encrypted data so that applications see zero data which is filesystem's default behavior. However when i call FltWriteFile in postsetinfo callback i got a deadlock freeze:

    It's been a while since I checked this, but if the user EXTENDS the file size, don't you get IRP_MJ_WRITE with IRP_NOCACHE (and also IRP_PAGING_IO I think?) automatically for the extended region?

    If you are trying to write your own data, without a shadow file object, which is what 99.99% of encryption filter writes think they can get away with, and what you seem to be doing here, have fun :)

  • HaiboHaibo Member Posts: 178

    @Dejan_Maksimovic said:
    It's been a while since I checked this, but if the user EXTENDS the file size, don't you get IRP_MJ_WRITE with IRP_NOCACHE (and also IRP_PAGING_IO I think?) automatically for the extended region?

    no, at least for ntfs, it is not sent because ntfs can manage valid data length by itself. I may need to do it in fat way, filling zero data in cleanup....

  • rod_widdowsonrod_widdowson Member - All Emails Posts: 1,173

    It's been a while since I checked this, but if the user EXTENDS the file size, don't you get IRP_MJ_WRITE with IRP_NOCACHE (and also IRP_PAGING_IO I think?)

    • When a user extends a section you get a paging MJ_SETINFO/FileSetInformationFile
    • When the cache manager moves its vdl foward you MJ_SETINFO/FileSetInformationFile/AdvanceOnly - I've never check to see if its paging or not I have to say

    It is the first that has happened here

    • We are in section create so the FSD has taken the locks it needs.
    • the filter has issued a non paging write in response to to a paging set info. Depending on the FSD this will deadlock.

    like I said:

    Don't send non paging IO down in the context of a paging IO.

Sign In or Register to comment.

Howdy, Stranger!

It looks like you're new here. If you want to get involved, click one of these buttons!

Upcoming OSR Seminars
OSR has suspended in-person seminars due to the Covid-19 outbreak. But, don't miss your training! Attend via the internet instead!
Writing WDF Drivers 7 Dec 2020 LIVE ONLINE
Internals & Software Drivers 25 Jan 2021 LIVE ONLINE
Developing Minifilters 8 March 2021 LIVE ONLINE