Hello,
I am trying to develop a solution where I want to handle the complete file(data+metadata) for a specific process.
My design is to first intercept IRP_MJ_CREATE → check process id → if process match → check file name and match for the file names I am interested in.
If its an IRP_MJ_CREATE from my process of interest and the file I am interested in, I associate my own fscontext with the TargetFileObject and and do FLT_PREOP_COMPLETE, thereby becoming owner of the FileObject. ( there is communication involved with userspace which is not revelant to my question)
This way I control any subsequent ops on the TargetFileObject until the TargetFileObject is closed (explicitly or at process termination), by simply comparing the fscontext value of the file object.
My life was going good till now, and I was able to support some basic operations like IRP_MJ_CREATE, IRP_MJ_READ, IRP_MJ_WRITE, IRP_MJ_CLEANUP and IRP_MJ_CLOSE.
But now I am implementing support for IRP_MJ_QUERY_INFORMATION and IRP_MJ_SET_INFORMATION, which is where I got confused.
I am logging ops in pre-operation, and I see on my test system(NTFS file system) that if I keep the system idle for long and then run my test process which tries to open a test file, it leads to a bunch of IRPs, as opposed to seeing only one IRP_MJ_CREATE:
IRP_MJ_CREATE
DesiredAccess: Read+Execute+ReadAttributes
ShareMode: SharedRead+SharedWrite+SharedDelete
Disposition: OpenExisting
Attribute: Normal
IRP_MJ_SET_INFORMATION
FileOperationType =FileBasicInformation
IRP_MJ_QUERY_INFORMATION
FileOperationType =FileAttributeTagInformation
IRP_MJ_QUERY_INFORMATION
FileOperationType =FileInternalInformation
IRP MJ:255 IRP MN:0
IRP_MJ_CREATE
DesiredAccess: Read+Write+Append+ReadAttributes+WriteAttributes
ShareMode: Exclusive
Disposition: OpenExisting_Or_CreateNew
Attribute: Normal
Questions
- Why am I see the 5 extra IRPs before the actual IRP_MJ_CREATE that deals with opening the file?
- Can you shed any light on what the IRP with MJ 255 do ? Could not find anything on msdn .
- As I explained before I am trying to handle the TargetFileObject ( basically acting like Filesystem for a selected few files in my minifilter), so how do I take care of allocating the FileInternalInformation, from what I read its a FileID which if I allocate in the minifilter driver could possibly conflict with some other one that the underlying Filesystem has already allocated for a different file ? How is this used by the upper layers like the object manager ?