Re[2]: Reading a file only by using IofCallDriver

The irp stack location (see IoGetCurrentIrpStackLocation() and
IoGetNextIrpStackLocation() definitions in the wdk) contains the offset
and length of where to retrieve the data. The device it is sent at
determines from which device to get the data. And the Mdl describes
where to put/get the data.

Pete


Kernel Drivers
Windows File System and Device Driver Consulting
www.KernelDrivers.com
866.263.9295

------ Original Message ------
From: xxxxx@gmail.com
To: “Windows File Systems Devs Interest List”
Sent: 10/12/2016 4:28:14 PM
Subject: RE:[ntfsd] Reading a file only by using IofCallDriver

>So I’m wondering what information is getting passed along in the IRP?
>Something must tell the device where to go and what to get. Where does
>this information go in the IRP?

The information is provided in the I/O stack portion of the IRP:

https://msdn.microsoft.com/en-us/library/windows/hardware/ff551821(v=vs.85).aspx

-scott
OSR
@OSRDrivers

My guess -

IrpStack = IoGetNextIrpStackLocation(Irp);
IrpStack->MajorFunction = IRP_MJ_READ;
IrpStack->Parameters.Read.Length = BufferSizeInBytes; // integral multiple of the sector size
IrpStack->Parameters.Read.ByteOffset = OffsetToFileDataOnVolume; // aligned to the sector size

IoCallDriver(Volume, Irp);
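
The sector-alignment constraint noted in the comments of the snippet above, as an added example that is not part of the original post: a user-mode C model that widens an arbitrary byte range to the aligned offset and length that would go into Parameters.Read, and rejects requests whose arithmetic would wrap. The type and function names are hypothetical (not WDK APIs), and the sector size is passed in by the caller as an assumption.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Hypothetical model of the two values the post stores in
 * Parameters.Read.ByteOffset and Parameters.Read.Length. */
typedef struct {
    uint64_t byte_offset; /* sector-aligned start on the volume */
    uint32_t length;      /* integral multiple of the sector size */
    uint32_t skip;        /* bytes to skip in the buffer to reach the data asked for */
} aligned_read;

static bool is_pow2(uint32_t v) { return v != 0 && (v & (v - 1)) == 0; }

/* Widen [offset, offset + wanted) to whole sectors.
 * Returns false for a zero-length request, a sector size that is not a
 * power of two, or any overflow, so a wrapped request is never issued. */
bool align_read(uint64_t offset, uint32_t wanted, uint32_t sector, aligned_read *out)
{
    if (out == NULL || wanted == 0 || !is_pow2(sector))
        return false;

    uint64_t mask = (uint64_t)sector - 1;
    uint64_t start = offset & ~mask;           /* round start down */
    uint64_t end = offset + wanted;
    if (end < offset)                          /* offset + wanted wrapped */
        return false;
    if (end > UINT64_MAX - mask)               /* rounding up would wrap */
        return false;
    uint64_t span = ((end + mask) & ~mask) - start;
    if (span > UINT32_MAX)                     /* Read.Length is a 32-bit ULONG */
        return false;

    out->byte_offset = start;
    out->length = (uint32_t)span;
    out->skip = (uint32_t)(offset - start);
    return true;
}

/* The check a component receiving such a request could apply before acting on it. */
bool is_sector_aligned(uint64_t byte_offset, uint32_t length, uint32_t sector)
{
    if (!is_pow2(sector) || length == 0)
        return false;
    return (byte_offset % sector) == 0 && (length % sector) == 0;
}
```
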

Thank you for the help everyone.
I’ve found the data that is used to find the file in the Overlay->CurrentStackLocation->Parameters field which contains a single pointer. It points to a structure that contains among other things the size of data to read. The rest I still need to figure out.

Is there a way to catch file reads like that with FS filters or minifilters or does this method of reading files bypass these mechanisms?