I Studying MiniFSWatcher Project(C#)
I want to add functionality (MiniFSWatch + Scanner) - C#
I have not been able to solve it for a month.
I have a few problems, and I need your help.
Kernel-Mode Code :
#define SCANNER_READ_BUFFER_SIZE 1024
typedef struct _SCANNER_NOTIFICATION {
ULONG BytesToScan;
ULONG Reserved; // for quad-word alignement of the Contents structure
UCHAR Contents[SCANNER_READ_BUFFER_SIZE];
} SCANNER_NOTIFICATION, *PSCANNER_NOTIFICATION;
typedef struct _SCANNER_REPLY {
BOOLEAN SafeToOpen;
} SCANNER_REPLY, *PSCANNER_REPLY;
BOOLEAN safe = TRUE;
PVOID buffer = NULL;
ULONG replyLength, length;
PSCANNER_NOTIFICATION notification = NULL;
PFLT_VOLUME volume = NULL;
FLT_VOLUME_PROPERTIES volumeProps;
LARGE_INTEGER offset;
ULONG bytesRead;
Status = FltGetVolumeFromInstance(FltObjects->Instance, &volume);
if (!NT_SUCCESS(Status)) {
returnStatus = FLT_PREOP_SUCCESS_WITH_CALLBACK;
}
Status = FltGetVolumeProperties(volume,
&volumeProps,
sizeof(volumeProps),
&length);
if (NT_ERROR(Status)) {
returnStatus = FLT_PREOP_SUCCESS_WITH_CALLBACK;
}
length = max(SCANNER_READ_BUFFER_SIZE, volumeProps.SectorSize);
buffer = FltAllocatePoolAlignedWithTag(FltObjects->Instance,
NonPagedPool,
length,
‘nacS’);
if (NULL == buffer) {
Status = STATUS_INSUFFICIENT_RESOURCES;
}
notification = ExAllocatePoolWithTag(NonPagedPool,
sizeof(SCANNER_NOTIFICATION),
‘nacS’);
if (NULL == notification) {
Status = STATUS_INSUFFICIENT_RESOURCES;
}
offset.QuadPart = bytesRead = 0;
//strcpy((char *)buffer, “Driver Test!”);
////notification->BytesToScan = (ULONG)bytesRead;
//notification->BytesToScan = sizeof(buffer);
//RtlCopyMemory(¬ification->Contents,
// buffer,
// min(notification->BytesToScan, SCANNER_READ_BUFFER_SIZE));
RtlCopyMemory(¬ification->Contents, “DriverTest”, sizeof(“DriverTest”));
replyLength = sizeof(SCANNER_REPLY);
Status = FltSendMessage(MiniFSWatcherData.Filter,
&MiniFSWatcherData.ClientPort,
notification,
sizeof(SCANNER_NOTIFICATION),
notification,
&replyLength,
NULL);
if (STATUS_SUCCESS == Status) {
safe = ((PSCANNER_REPLY)notification)->SafeToOpen;
}
User-Mode Code :
[StructLayout(LayoutKind.Sequential)]
public struct OVERLAPPED
{
public IntPtr Internal;
public IntPtr InternalHigh;
public UInt32 Offset;
public UInt32 OffsetHigh;
public IntPtr Pointer;
public IntPtr EventHandle;
};
[DllImport(“kernel32.dll”, CharSet = CharSet.Auto, SetLastError = true)]
internal static extern bool GetQueuedCompletionStatus(SafePortHandle CompletionPort
, out uint lpNumberOfBytesTransferred
, out IntPtr lpCompletionKey
, out IntPtr lpOverlapped
, uint dwMilliseconds);
private void ScannerWorker(IntPtr pcontext)
{
GCHandle gHandle = GCHandle.FromIntPtr(pcontext);
_SCANNER_THREAD_CONTEXT context = (_SCANNER_THREAD_CONTEXT)gHandle.Target;
NativeMethods.OVERLAPPED Ovlp = new NativeMethods.OVERLAPPED();
IntPtr pOvlp = Marshal.AllocHGlobal(Marshal.SizeOf(Ovlp));
Marshal.StructureToPtr(Ovlp, pOvlp, false);
/*
GetQueuedCompletionStatus ===> 122(ERROR_INSUFFICIENT_BUFFER)
Confirm : string errorMessage = new Win32Exception(Marshal.GetLastWin32Error()).Message;
Only False Return
Why? What’s wrong?
*/
bool result = NativeMethods.GetQueuedCompletionStatus(context.Completion, out outSize, out key, out pOvlp, 0xFFFFFFFF);
/*
Error 0x80070006 E_HANDLE
Why?
*/
Marshal.FreeHGlobal(pOvlp);
}