Hey there again! So I’m coding a mini filter file system, and I want to create Pre operation callbacks to certain IRPs.
The FltRegisterFilter and FltStartFiltering are returning STATUS_SUCCESS and I’m printing “dummy” strings in the pre op callback but it isn’t getting called, the way I’m checking this is just opening folders and files with notepad.
This is my whole code so far:
https://pastebin.com/ZH8SdAgM
and
https://pastebin.com/1taej4pa
Can it be a problem with the inf file?
What I would do in a situation like this I would just take one of the
simpler msft samples like nullfilter or passthrough and just go from there.
If you want to see what is wrong with your code i guess you would need to
go deeper into debugging your code and maybe also the way you register your
filter, etc…
Gabriel
www.kasardia.com
On Sun, Jun 18, 2017 at 8:54 AM, wrote:
> Hey there again! So I’m coding a mini filter file system, and I want to
> create Pre operation callbacks to certain IRPs.
>
> The FltRegisterFilter and FltStartFiltering are returning STATUS_SUCCESS
> and I’m printing “dummy” strings in the pre op callback but it isn’t
> getting called, the way I’m checking this is just opening folders and files
> with notepad.
>
> This is my whole code so far:
> https://pastebin.com/ZH8SdAgM
> and
> https://pastebin.com/1taej4pa
>
> Can it be a problem with the inf file?
>
> —
> NTFSD is sponsored by OSR
>
>
> MONTHLY seminars on crash dump analysis, WDF, Windows internals and
> software drivers!
> Details at http:
>
> To unsubscribe, visit the List Server section of OSR Online at <
> http://www.osronline.com/page.cfm?name=ListServer>
>
–
Bercea. G.</http:>
Try writing a short program to open files and read them yourself rather
than rely on Notepad. As to whether it helps here or not, I don’t know,
but Notepad uses memory mapped I/O and mmap’d I/O doesn’t always trigger
the things you think it will. You can waste a lot of time trying to figure
out why an interface is not triggered when Notepad (mmap) doesn’t use the
interface in the first place. A lot of time. Not that I would have done
that. No, it was, uh, a friend told me, that’s how I know.
On Mon, Jun 19, 2017 at 2:00 PM, Gabriel Bercea wrote:
> What I would do in a situation like this I would just take one of the
> simpler msft samples like nullfilter or passthrough and just go from there.
>
> If you want to see what is wrong with your code i guess you would need to
> go deeper into debugging your code and maybe also the way you register your
> filter, etc…
>
> Gabriel
> www.kasardia.com
>
> On Sun, Jun 18, 2017 at 8:54 AM, wrote:
>
>> Hey there again! So I’m coding a mini filter file system, and I want to
>> create Pre operation callbacks to certain IRPs.
>>
>> The FltRegisterFilter and FltStartFiltering are returning STATUS_SUCCESS
>> and I’m printing “dummy” strings in the pre op callback but it isn’t
>> getting called, the way I’m checking this is just opening folders and files
>> with notepad.
>>
>> This is my whole code so far:
>> https://pastebin.com/ZH8SdAgM
>> and
>> https://pastebin.com/1taej4pa
>>
>> Can it be a problem with the inf file?
>>
>> —
>> NTFSD is sponsored by OSR
>>
>>
>> MONTHLY seminars on crash dump analysis, WDF, Windows internals and
>> software drivers!
>> Details at http:
>>
>> To unsubscribe, visit the List Server section of OSR Online at <
>> http://www.osronline.com/page.cfm?name=ListServer>
>>
>
>
>
> –
> Bercea. G.
> — NTFSD is sponsored by OSR MONTHLY seminars on crash dump analysis,
> WDF, Windows internals and software drivers! Details at To unsubscribe,
> visit the List Server section of OSR Online at</http:>
Forget about this code.
Do you use VS 2015 with WDK (>= 8) installed ?
If yes then in the menu, choose :
File -> New -> Project.
Then, in the left pane of the ‘New project’ dialog box, choose :
Templates -> Visual C++ -> Windows Driver
Then on the right panel, choose :
‘Filter Driver : Filesystem Mini-filter’.
You will have a working filesystem mini-filter driver. It is a good starting point.
@Mike Boucher wrote one using CreateFile & WriteFile and nothing…
As for the others, I already checked my code against the samples, I don’t really wanna c&p something that I don’t know why it works.
Ok, run cmd.exe as Administrator, execute the following command
fltmc instances
provide us with the output
Your filter is not attached to any volume.
I would suggest you to follow the advice given by Gabriel and H. G. This gives you a working example to start with.
I tried using the sample that is created with the project and it didn’t work either!
I’m installing the inf file and “fltmc load Saaample” and the callback functions aren’t getting called.
Add the following lines to the beginning of your DriverEntry routine and/or in a callback or any function you want to debug.
if (KD_DEBUGGER_NOT_PRESENT == FALSE && KD_DEBUGGER_ENABLED == TRUE) {
KdBreakPoint();
}
Then attach a debugger to the target machine and run ‘Fltmc load FilterDriver’ on the target machine with admin privileges.
The debugger should break in DriverEntry if the filter is loaded. Than perform a step by step debugging to see what is the returned status of DriverEntry.
Typically, if an error occurs, FLTMC.EXE prints the error message on the console.
It is important to break in DriverEntry to see if the filter registration is successful or not.