Hello. In PreCallback, when IRP_MJ_WRITE arrives on a file, I try change FileEndOfFileInformation
I open file:
status = FltCreateFileEx(
FltObjects->Filter,
FltObjects->Instance,
&hFile,
&foFile,
FILE_WRITE_DATA | FILE_WRITE_ATTRIBUTES,
&objectAttributes,
&ioStatus,
NULL,
FILE_ATTRIBUTE_NORMAL,
FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE,
FILE_OPEN,
FILE_OPEN_REPARSE_POINT | FILE_COMPLETE_IF_OPLOCKED | FILE_NO_INTERMEDIATE_BUFFERING,
NULL,
0,
IO_IGNORE_SHARE_ACCESS_CHECK);
Then I call FltSetInformationFile
FILE_END_OF_FILE_INFORMATION eof;
...
status = FltSetInformationFile(
FltObjects->Instance,
foFile,
&eof,
sizeof(eof),
FileEndOfFileInformation);
I observe that the function is stuck and does not return values.
The callstack is next:
bb843834 84479d4e 00000000 867ec120 9d325040 nt!KiSwapContext+0x19 (FPO: [Uses EBP] [1,0,4])
bb8438e4 8447936c bb8439c0 9d325120 9d325040 nt!KiSwapThread+0x59e (FPO: [Non-Fpo])
bb843938 84478d0f 00000000 00000000 00000000 nt!KiCommitThreadWait+0x18c (FPO: [Non-Fpo])
bb8439f4 8474fae5 c2236cac 00000000 00000000 nt!KeWaitForSingleObject+0x1ff (FPO: [Non-Fpo])
bb843a2c 84829c52 00000001 bb843a54 00000000 nt!FsRtlCancellableWaitForMultipleObjects+0x99 (FPO: [Non-Fpo])
bb843a4c 81fd8827 c2236cac 00000000 00000000 nt!FsRtlCancellableWaitForSingleObject+0x1a (FPO: [Non-Fpo])
bb843a94 81fd5309 00000000 c2236d2c 00000014 FLTMGR!FltpLegacyProcessingAfterPreCallbacksCompleted+0x6c7 (FPO: [Non-Fpo])
bb843afc 81ff35b4 c2236d2c a198ea90 a198eb80 FLTMGR!FltPerformSynchronousIo+0x299 (FPO: [Non-Fpo])
bb843b24 c54d8ec7 a198bab0 bab72360 bb843b48 FLTMGR!FltSetInformationFile+0xae (FPO: [Non-Fpo])
... My Driver stack
a4017da0 8127c95f 9537ddf0 00000000 a4017e08 FLTMGR!FltpPerformPreCallbacksWorker+0x2ec (FPO: [Non-Fpo])
a4017dc0 8127c563 9537dc18 8d2046e0 00000104 FLTMGR!FltpPassThroughInternal+0x20f (FPO: [Non-Fpo])
a4017df8 8127c366 b161a710 8d2046e0 8d217800 FLTMGR!FltpPassThrough+0x173 (FPO: [Non-Fpo])
a4017e20 8346ffe8 8d2046e0 9537dc18 9537dc18 FLTMGR!FltpDispatch+0x86 (FPO: [Non-Fpo])
a4017e3c 83778854 9537de14 9537dc18 00001a94 nt!IofCallDriver+0x48 (FPO: [Non-Fpo])
a4017e88 83771349 b161a710 00000001 00777d01 nt!IopSynchronousServiceTail+0x134 (FPO: [Non-Fpo])
a4017f28 8359238b 8d2046e0 00000000 00000000 nt!NtWriteFile+0x429 (FPO: [Non-Fpo])
I used the command !stack 2, collected the log, but my driver is not in other processes
Can someone know why FltSetInformationFIle freezes