Hi,
I’m a newbie in driver development.
I’m developing a very simple disk filter driver that tracks all the device open requests (“\\?\PhysicalDrive0”). The only major functions it hooks are IRP_MJ_CREATE, IRP_MJ_DEVICE_CONTROL and IRP_MJ_PNP. The rest are passed through.
From the usermode code, whenever I invoke CreateFile with desiredAccess as GENERIC_READ or GENERIC_WRITE, the filter driver’s handler for IRP_MJ_CREATE does not see the request. But the usermode code does get a valid handle to the device. Strangely, if I try to send an IOCTL through that handle, the filter driver promptly notices the IOCTL in its IRP_MJ_DEVICE_CONTROL handler.
Process Monitor (filemon) notices my open request properly, though. Also, if I invoke CreateFile with desiredAccess passed as 0 instead of GENERIC_READ|GENERIC_WRITE, then my filter driver sees this request.
Can someone enlighten me about the following?
a) What is so special about GENERIC_READ|GENERIC_WRITE that my filter does not see the IRP_MJ_CREATE, but it can see the IRP_MJ_DEVICE_CONTROL requests issued through that handle?
b) Is it possible that filter drivers above me are somehow caching the handle to the device and returning it without sending the request further down?
c) What is special about Process Monitor that it gets to see this?
d) Are there any device flags I need to set at the time of attaching for this?
Thanks
Mano