How to detect if callbacks already called beforefor this I/O?

NTFSD
1

Hello there!

I’m working on a mini-filter driver which changes a same size value in my application spesific file. Let me explain what I’m trying to archieve a bit. My user-mode application uses some files for handling it’s own data. This files have a extension “bbkd”. In these “bbkd” files, I have a fixed size string about this file. Let say it is “KOKO”. I want to make this “KOKO” to “KEKE” when it reads by any application only in memory. So it will still same on disk. So I tought that It would be fine if I can catch this read and change “KOKO” to “KEKE”.

 

For this reason, I’ve registered both pre create, post create and post read callbacks. In pre-create callback, I check file extension, if it is “bbdk” I return PRE_SUCCESS_WITH_CALLBACK so my post-create callback catchs this I/O operation. In post-create callback, I send a message to my user-mode application and ask for “Hey, where that spesific string is stored? Please return me it’s offset”. She returns offset value to me and I create a stream handle context and store that offset value in there.

OK, Here is where I stuck, and I have three question.

 

1-) As far as I can see I’ve got several pre-create callback for my “hello.bbdk” file. But I guess only one of them is enough for getting offset value. What can I do about this? Hmm, can I test if this file already have a context, if so I pass it, if not so I need to handle it again?

2-) Is post-write is right place for changing “KOKO” to “KEKE”? If so, what kind of a way I should follow?

3-) I just want to change “KOKO” to “KEKE” when xxx.bbdk file read, so it does not have to be written to file. So what about cache? Is anything can go wrong with cache in this situation?

Best regards…

2

  1. Assuming you are creating a stream context, then your call to
    FltGetStreamContext() in post-create will return STATUS_NOT_FOUND if you
    have not created a context for the given file yet. Here you would
    initialize and insert the stream context.

  2. You probably want to handle all non-cached (including paging here of
    course) read/write requests. For the read processing, you would modify
    the data in post-read to return the ‘KEKE’ string. For write requests,
    you would handle the data in pre-write, ensuring that the ‘KOKO’ is
    stored on disk.

  3. Doing as prescribed in 2), the cache would contain the ‘KEKE’ string
    but on disk it would always contain ‘KOKO’.

Pete


Kernel Drivers
Windows File System and Device Driver Consulting
www.KernelDrivers.com
866.263.9295

------ Original Message ------
From: “Bekir Karul”
To: “Windows File Systems Devs Interest List”
Sent: 5/3/2017 8:58:21 AM
Subject: [ntfsd] How to detect if callbacks already called beforefor
this I/O?

>Hello there!
>
>I’m working on a mini-filter driver which changes a same size value in
>my application spesific file. Let me explain what I’m trying to
>archieve a bit. My user-mode application uses some files for handling
>it’s own data. This files have a extension “bbkd”. In these “bbkd”
>files, I have a fixed size string about this file. Let say it is
>“KOKO”. I want to make this “KOKO” to “KEKE” when it reads by any
>application only in memory. So it will still same on disk. So I tought
>that It would be fine if I can catch this read and change “KOKO” to
>“KEKE”.
>
>For this reason, I’ve registered both pre create, post create and post
>read callbacks. In pre-create callback, I check file extension, if it
>is “bbdk” I return PRE_SUCCESS_WITH_CALLBACK so my post-create callback
>catchs this I/O operation. In post-create callback, I send a message to
>my user-mode application and ask for “Hey, where that spesific string
>is stored? Please return me it’s offset”. She returns offset value to
>me and I create a stream handle context and store that offset value in
>there.
>
>OK, Here is where I stuck, and I have three question.
>
>1-) As far as I can see I’ve got several pre-create callback for my
>“hello.bbdk” file. But I guess only one of them is enough for getting
>offset value. What can I do about this? Hmm, can I test if this file
>already have a context, if so I pass it, if not so I need to handle it
>again?
>2-) Is post-write is right place for changing “KOKO” to “KEKE”? If so,
>what kind of a way I should follow?
>3-) I just want to change “KOKO” to “KEKE” when xxx.bbdk file read, so
>it does not have to be written to file. So what about cache? Is
>anything can go wrong with cache in this situation?
>
>Best regards…
>— NTFSD is sponsored by OSR MONTHLY seminars on crash dump analysis,
>WDF, Windows internals and software drivers! Details at To unsubscribe,
>visit the List Server section of OSR Online at

3

Hello Pete,

Thank you very much for your reply.

 

So I assume that checking for if this file already have a **stream handle** context would be enough in post-create. If it is already have one, so I don’t need to ask user mode for string offset again.

 

I’m not sure if I could clearly tell what I’m trying to do. So let me give another example. Think that there is a file named “bpe.bbdk”. This file have a “KOKO” string somewhere inside it. If I open this file with my application, my application sees that “KOKO” string in file and pop up a message box and says “Heey! I got KOKO”. This string can be anywhere on file. So that is why I’m asking to user mode application for detect where it is exactly. Then, my mini-filter will use this offset, and catch when this offset is read. At the moment it catch it, it will modify read buffer (at least I hope so) and change “KOKO” to "KEKE.

 

So we can say that if my mini-filter is installed on system, there will be no message box because mini-filter will change that string. But if there is no mini-filter, my application will see “KOKO” and pop up message box.

 

I thought that I can modify read buffer in post-read callback. Pete, am I right about that? Can I see read buffer in post-read callback, and change it as I wanted?

 

If so, how it can be possible to catch when that exact offset is reading?

 

Thank you again for spending your valuable time with answering my questions.

Best regards…

 

03.05.2017, 18:35, “PScott” :

 

  1. Assuming you are creating a stream context, then your call to FltGetStreamContext() in post-create will return STATUS_NOT_FOUND if you have not created a context for the given file yet. Here you would initialize and insert the stream context.

 

  1. You probably want to handle all non-cached (including paging here of course) read/write requests. For the read processing, you would modify the data in post-read to return the ‘KEKE’ string. For write requests, you would handle the data in pre-write, ensuring that the ‘KOKO’ is stored on disk.

 

  1. Doing as prescribed in 2), the cache would contain the ‘KEKE’ string but on disk it would always contain ‘KOKO’.

 

Pete

 

– 

Kernel Drivers

Windows File System and Device Driver Consulting

www.KernelDrivers.com

866.263.9295

 

 

 

------ Original Message ------

From: “Bekir Karul” <xxxxx@yandex.com>

To: “Windows File Systems Devs Interest List” <xxxxx@lists.osr.com>

Sent: 5/3/2017 8:58:21 AM

Subject: [ntfsd] How to detect if callbacks already called beforefor this I/O?

 

Hello there!

I’m working on a mini-filter driver which changes a same size value in my application spesific file. Let me explain what I’m trying to archieve a bit. My user-mode application uses some files for handling it’s own data. This files have a extension “bbkd”. In these “bbkd” files, I have a fixed size string about this file. Let say it is “KOKO”. I want to make this “KOKO” to “KEKE” when it reads by any application only in memory. So it will still same on disk. So I tought that It would be fine if I can catch this read and change “KOKO” to “KEKE”.

 

For this reason, I’ve registered both pre create, post create and post read callbacks. In pre-create callback, I check file extension, if it is “bbdk” I return PRE_SUCCESS_WITH_CALLBACK so my post-create callback catchs this I/O operation. In post-create callback, I send a message to my user-mode application and ask for “Hey, where that spesific string is stored? Please return me it’s offset”. She returns offset value to me and I create a stream handle context and store that offset value in there.

OK, Here is where I stuck, and I have three question.

 

1-) As far as I can see I’ve got several pre-create callback for my “hello.bbdk” file. But I guess only one of them is enough for getting offset value. What can I do about this? Hmm, can I test if this file already have a context, if so I pass it, if not so I need to handle it again?

2-) Is post-write is right place for changing “KOKO” to “KEKE”? If so, what kind of a way I should follow?

3-) I just want to change “KOKO” to “KEKE” when xxx.bbdk file read, so it does not have to be written to file. So what about cache? Is anything can go wrong with cache in this situation?

Best regards…
— NTFSD is sponsored by OSR MONTHLY seminars on crash dump analysis, WDF, Windows internals and software drivers! Details at To unsubscribe, visit the List Server section of OSR Online at

NTFSD is sponsored by OSR

MONTHLY seminars on crash dump analysis, WDF, Windows internals and software drivers!
Details at <http://www.osr.com/seminars>

To unsubscribe, visit the List Server section of OSR Online at <http://www.osronline.com/page.cfm?name=ListServer>