Disk upper filter missing device open requests with GENERIC_READ/GENERIC_WRITE access

Hi,

I’m a newbie in the driver development.

I’m developing a very simple Disk filter driver that tracks all the device open requests (“\?\PhysicalDrive0”). The only major functions it hooks are IRP_MJ_CREATE, IRP_MJ_DEVICE_CONTROL and IRP_MJ_PNP. The rest are passed through.

From the usermode code, whenever I invoke CreateFile with desiredAccess as GENERIC_READ or GENERIC_WRITE, the filter driver’s handler for IRP_MJ_CREATE does not see the request. But the usermode code indeed gets a valid handle to the device. Strangely, if I try to send an IOCTL through that handle, the filter driver promptly notices the IOCTL in its IRP_MJ_DEVICE_CONTROL handler.

Process monitor (filemon) notices my open request properly though. Also, if I invoke CreateFile with desiredAccess passed as 0 instead of GENERIC_READ|GENERIC_WRITE, then my filter driver sees this request.

Can someone enlighten me about the following?

a) What is so special about GENERIC_READ|GENERIC_WRITE such that my filter does not see IRP_MJ_CREATE, but it can see IRP_MJ_DEVICE_CONTROL requests issued through that handle?

b) Is it possible that filter drivers above me are somehow caching the handle to the device and returning it without sending it further down?

c) What is special about process monitor which gets to see this?

d) Are there any device flags I need to set at the time of attaching for this?

Thanks
Mano

> What is so special about GENERIC_READ|GENERIC_WRITE

When DesiredAccess is not 0 (or READ_ATTRIBUTES iirc) the IO Manager mounts a RAW file system object on a disk device object (\Device\Harddisk0\DR0 in your case; \??\PhysicalDrive0 is a symbolic link to it). In this case IRP_MJ_CREATE is completed by the RAW file system and is not passed through to the disk device object’s stack.

> c) What is special about process monitor which gets to see this?

It has a file system filter that has an instance attached to a mounted RAW file system object.
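The behaviour Slava describes can be checked from user mode without changing the driver. The PowerShell script below is an added example, not code from this thread or from Mano's filter: it opens the disk device once with DesiredAccess 0 and once with GENERIC_READ|GENERIC_WRITE, then sends the same IOCTL through each handle, so the results can be lined up against the filter's own trace of IRP_MJ_CREATE and IRP_MJ_DEVICE_CONTROL. The device path \\.\PhysicalDrive0 and the choice of IOCTL_DISK_GET_DRIVE_GEOMETRY (which needs no access bits on the handle) are assumptions; run it from an elevated prompt.

```powershell
# Added example (not from the thread or Mano's driver). Opens the physical disk
# with two different DesiredAccess values and sends the same IOCTL through each
# handle, so the filter's IRP_MJ_CREATE / IRP_MJ_DEVICE_CONTROL trace can be
# compared with what user mode actually did. Needs an elevated prompt.

Add-Type -TypeDefinition @'
using System;
using System.Runtime.InteropServices;
public static class NativeDisk {
    public const uint GENERIC_READ     = 0x80000000;
    public const uint GENERIC_WRITE    = 0x40000000;
    public const uint FILE_SHARE_READ  = 0x1;
    public const uint FILE_SHARE_WRITE = 0x2;
    public const uint OPEN_EXISTING    = 3;
    // CTL_CODE(IOCTL_DISK_BASE, 0, METHOD_BUFFERED, FILE_ANY_ACCESS): works on a handle with access 0
    public const uint IOCTL_DISK_GET_DRIVE_GEOMETRY = 0x00070000;
    public const int  DISK_GEOMETRY_SIZE = 24;   // sizeof(DISK_GEOMETRY)

    [DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    public static extern IntPtr CreateFileW(string lpFileName, uint dwDesiredAccess,
        uint dwShareMode, IntPtr lpSecurityAttributes, uint dwCreationDisposition,
        uint dwFlagsAndAttributes, IntPtr hTemplateFile);

    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern bool DeviceIoControl(IntPtr hDevice, uint dwIoControlCode,
        IntPtr lpInBuffer, uint nInBufferSize, IntPtr lpOutBuffer, uint nOutBufferSize,
        out uint lpBytesReturned, IntPtr lpOverlapped);

    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern bool CloseHandle(IntPtr hObject);
}
'@

function Test-DiskOpen {
    param([string]$Path, [uint32]$Access, [string]$Label)

    $share = [NativeDisk]::FILE_SHARE_READ -bor [NativeDisk]::FILE_SHARE_WRITE
    $h = [NativeDisk]::CreateFileW($Path, $Access, $share, [IntPtr]::Zero,
                                    [NativeDisk]::OPEN_EXISTING, 0, [IntPtr]::Zero)
    if ($h.ToInt64() -eq -1) {
        $err = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
        return [pscustomobject]@{ Label=$Label; Opened=$false; OpenError=$err; IoctlOk=$false; IoctlError=$null; BytesPerSector=$null }
    }

    $buf = [Runtime.InteropServices.Marshal]::AllocHGlobal([NativeDisk]::DISK_GEOMETRY_SIZE)
    try {
        $returned = [uint32]0
        $ok = [NativeDisk]::DeviceIoControl($h, [NativeDisk]::IOCTL_DISK_GET_DRIVE_GEOMETRY,
                  [IntPtr]::Zero, 0, $buf, [NativeDisk]::DISK_GEOMETRY_SIZE,
                  [ref]$returned, [IntPtr]::Zero)
        $ioErr = if ($ok) { 0 } else { [Runtime.InteropServices.Marshal]::GetLastWin32Error() }
        # BytesPerSector is the last DWORD of DISK_GEOMETRY (offset 20)
        $bps = if ($ok) { [Runtime.InteropServices.Marshal]::ReadInt32($buf, 20) } else { $null }
        return [pscustomobject]@{ Label=$Label; Opened=$true; OpenError=0; IoctlOk=$ok; IoctlError=$ioErr; BytesPerSector=$bps }
    } finally {
        [Runtime.InteropServices.Marshal]::FreeHGlobal($buf)
        [void][NativeDisk]::CloseHandle($h)
    }
}

$disk = '\\.\PhysicalDrive0'   # assumption: the disk Mano's filter is attached to

# Expected against the filter's trace: the first open reaches IRP_MJ_CREATE on the
# disk stack; the second is completed by the RAW file system and does not. Both
# handles still produce an IRP_MJ_DEVICE_CONTROL on the disk stack.
Test-DiskOpen -Path $disk -Access 0 -Label 'DesiredAccess=0'
Test-DiskOpen -Path $disk -Access ([NativeDisk]::GENERIC_READ -bor [NativeDisk]::GENERIC_WRITE) -Label 'GENERIC_READ|GENERIC_WRITE'
```

Both rows should report Opened=True and IoctlOk=True with the same BytesPerSector, while only the DesiredAccess=0 open shows up in the filter's IRP_MJ_CREATE handler; that pairing is the user-mode evidence for the RAW-file-system mount Slava describes.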

Thanks so much Slava!! That makes perfect sense!! I’ll change my driver to attach to \Device\RawDisk and check this out.

> \Device\RawDisk

This is not a device that processes IRP_MJ_CREATE. When an FSD device object is mounted, a new object is created when IRP_MN_MOUNT_VOLUME is processed by the FSD driver (see the VPB structure). The newly created device object processes IRP_MJ_CREATE. The RAW file system doesn’t keep the mounted device object if there are no opened file objects, so there is no persistent object for a mounted RAW file system object.