Windows System Software -- Consulting, Training, Development -- Unique Expertise, Guaranteed Results

Home NTFSD

Before Posting...

Please check out the Community Guidelines in the Announcements and Administration Category.

More Info on Driver Writing and Debugging


The free OSR Learning Library has more than 50 articles on a wide variety of topics about writing and debugging device drivers and Minifilters. From introductory level to advanced. All the articles have been recently reviewed and updated, and are written using the clear and definitive style you've come to expect from OSR over the years.


Check out The OSR Learning Library at: https://www.osr.com/osr-learning-library/


FltSetInformationFile hangs

MariushZdrabazdanskiMariushZdrabazdanski Member Posts: 13

Hello. In PreCallback, when IRP_MJ_WRITE arrives on a file, I try change FileEndOfFileInformation
I open file:

status = FltCreateFileEx(
        FltObjects->Filter,
        FltObjects->Instance,
        &hFile,
        &foFile,
        FILE_WRITE_DATA | FILE_WRITE_ATTRIBUTES,
        &objectAttributes,
        &ioStatus,
        NULL,
        FILE_ATTRIBUTE_NORMAL,
        FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE,
        FILE_OPEN,
        FILE_OPEN_REPARSE_POINT | FILE_COMPLETE_IF_OPLOCKED | FILE_NO_INTERMEDIATE_BUFFERING,
        NULL,
        0,
        IO_IGNORE_SHARE_ACCESS_CHECK);

Then I call FltSetInformationFile

FILE_END_OF_FILE_INFORMATION eof;
...
status = FltSetInformationFile(
        FltObjects->Instance,
        foFile,
        &eof,
        sizeof(eof),
        FileEndOfFileInformation);

I observe that the function is stuck and does not return values.
The callstack is next:

bb843834 84479d4e 00000000 867ec120 9d325040 nt!KiSwapContext+0x19 (FPO: [Uses EBP] [1,0,4])
bb8438e4 8447936c bb8439c0 9d325120 9d325040 nt!KiSwapThread+0x59e (FPO: [Non-Fpo])
bb843938 84478d0f 00000000 00000000 00000000 nt!KiCommitThreadWait+0x18c (FPO: [Non-Fpo])
bb8439f4 8474fae5 c2236cac 00000000 00000000 nt!KeWaitForSingleObject+0x1ff (FPO: [Non-Fpo])
bb843a2c 84829c52 00000001 bb843a54 00000000 nt!FsRtlCancellableWaitForMultipleObjects+0x99 (FPO: [Non-Fpo])
bb843a4c 81fd8827 c2236cac 00000000 00000000 nt!FsRtlCancellableWaitForSingleObject+0x1a (FPO: [Non-Fpo])
bb843a94 81fd5309 00000000 c2236d2c 00000014 FLTMGR!FltpLegacyProcessingAfterPreCallbacksCompleted+0x6c7 (FPO: [Non-Fpo])
bb843afc 81ff35b4 c2236d2c a198ea90 a198eb80 FLTMGR!FltPerformSynchronousIo+0x299 (FPO: [Non-Fpo])
bb843b24 c54d8ec7 a198bab0 bab72360 bb843b48 FLTMGR!FltSetInformationFile+0xae (FPO: [Non-Fpo])

... My Driver stack

a4017da0 8127c95f 9537ddf0 00000000 a4017e08 FLTMGR!FltpPerformPreCallbacksWorker+0x2ec (FPO: [Non-Fpo])
a4017dc0 8127c563 9537dc18 8d2046e0 00000104 FLTMGR!FltpPassThroughInternal+0x20f (FPO: [Non-Fpo])
a4017df8 8127c366 b161a710 8d2046e0 8d217800 FLTMGR!FltpPassThrough+0x173 (FPO: [Non-Fpo])
a4017e20 8346ffe8 8d2046e0 9537dc18 9537dc18 FLTMGR!FltpDispatch+0x86 (FPO: [Non-Fpo])
a4017e3c 83778854 9537de14 9537dc18 00001a94 nt!IofCallDriver+0x48 (FPO: [Non-Fpo])
a4017e88 83771349 b161a710 00000001 00777d01 nt!IopSynchronousServiceTail+0x134 (FPO: [Non-Fpo])
a4017f28 8359238b 8d2046e0 00000000 00000000 nt!NtWriteFile+0x429 (FPO: [Non-Fpo])

I used the command !stack 2, collected the log, but my driver is not in other processes
Can someone know why FltSetInformationFIle freezes

Comments

Sign In or Register to comment.

Howdy, Stranger!

It looks like you're new here. Sign in or register to get started.

Upcoming OSR Seminars
OSR has suspended in-person seminars due to the Covid-19 outbreak. But, don't miss your training! Attend via the internet instead!
Kernel Debugging 9-13 Sept 2024 Live, Online
Developing Minifilters 15-19 July 2024 Live, Online
Internals & Software Drivers 11-15 Mar 2024 Live, Online
Writing WDF Drivers 20-24 May 2024 Live, Online