Hi all, I’m developing an encryption filter driver based on Isolation Filter, and I have encountered a problem when the file is stored on a server, such as win2003.
My minifilter can intercept the request to “\??\UNC\192.168.1.233\test\ccedr.txt”, and does the same thing as for a file stored locally.
But I got a BSOD as follows. It seems that MUP cannot resolve the file object, as if the request didn’t go through my encryption filter. Is there a FLT_OPERATION_REGISTRATION such as IRP_MJ_MUP_XXX? How can my encryption filter intercept the request before it goes down to MUP?
MUP_FILE_SYSTEM (103)
MUP file system detected an error.
Arguments:
Arg1: 0000000000000001, MUP_BUGCHECK_NO_FILECONTEXT
Could not locate MUP file context corresponding to a file object.
Arg2: ffffbe058df963a0, Irp Address if an IRP was used, NULL otherwise.
Arg3: ffffbe058fd0aa10, FILE_OBJECT Address whose MUP file context could not be found
Arg4: ffffbe058d9c3b00, DEVICE_OBJECT Address
…
STACK_TEXT:
ffffce818f89a078 fffff802ab097262 : 0000000000000001 0000000000000103 ffffce818f89a1e0 fffff802aaf6d6c0 : nt!DbgBreakPointWithStatus
ffffce818f89a080 fffff802ab096b12 : 0000000000000003 ffffce818f89a1e0 fffff802ab148610 0000000000000103 : nt!KiBugCheckDebugBreak+0x12
ffffce818f89a0e0 fffff802ab006687 : 0000000000000000 0000000000000001 ffffbe058df963a0 0000000000000000 : nt!KeBugCheck2+0x922
ffffce818f89a7f0 fffff802dd0d4ab4 : 0000000000000103 0000000000000001 ffffbe058df963a0 ffffbe058fd0aa10 : nt!KeBugCheckEx+0x107
ffffce818f89a830 fffff802dc573502 : 0000000000000001 ffff8bc5e2f177f8 0000000000000000 0000000000000000 : mup!MupRemoveFileContext+0x1db4
ffffce818f89a8b0 fffff802ab32f9af : ffffbe058fd0aa10 ffffce818f89ab80 0000000000000001 ffffce8100000000 : FLTMGR!FltpDispatch+0xe2
ffffce818f89a910 fffff802ab3585b9 : ffffbe0500000000 0000000000000004 000000478507e388 ffffce818f89ab80 : nt!IopSynchronousServiceTail+0x1af
ffffce818f89a9d0 fffff802ab011413 : ffffbe058fd3f7c0 000000478507e338 ffff8bc5e2f177f8 ffff376800000018 : nt!NtQueryVolumeInformationFile+0x559
ffffce818f89aa90 00007ff918a25cc4 : 00007ff91523d205 0000021607feabc0 0000021607feabc0 00007ff917b9e460 : nt!KiSystemServiceCopyEnd+0x13
000000478507e318 00007ff91523d205 : 0000021607feabc0 0000021607feabc0 00007ff917b9e460 0000000000000000 : ntdll!NtQueryVolumeInformationFile+0x14
000000478507e320 00007ff7d6f05b86 : 00007ff7d6f255c0 0000000000000001 0000000000000001 0000000000000000 : KERNELBASE!GetFileInformationByHandle+0x45
000000478507e450 00007ff7d6f0806d : 00007ff7d6f255c0 0000000000000001 0000021607fe21cc 0000000000000000 : NOTEPAD!LoadFile+0x166
000000478507e9e0 00007ff7d6f03a67 : 0000021607fe2188 00007ff9189da670 00007ff7d6f24a68 0000021607fe2188 : NOTEPAD!NPInit+0x781
000000478507fce0 00007ff7d6f19603 : 0000021607fe3130 0000021607fe3132 0000000000000000 0000000000000000 : NOTEPAD!WinMain+0x1d3
000000478507fdf0 00007ff915ef2774 : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : NOTEPAD!__mainCRTStartup+0x19f
000000478507feb0 00007ff9189f0d51 : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : KERNEL32!BaseThreadInitThunk+0x14
000000478507fee0 0000000000000000 : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : ntdll!RtlUserThreadStart+0x21
Is the FO which is indicated owned by you? Or is it one that you have
opened during pre-create and are swapping out the target FOs in the
query info request?
Pete
–
Kernel Drivers
Windows File System and Device Driver Consulting
www.KernelDrivers.com
866.263.9295
------ Original Message ------
From: “xxxxx@serpurity.com”
To: “Windows File Systems Devs Interest List”
Sent: 12/5/2017 12:34:12 PM
Subject: [ntfsd] How to filter the request in MUP?
The FO (ffffbe058fd0aa10) indicated is just a fake one; the real file object is owned by my encryption filter. If the file is located on the local file system, everything goes well, but when the file is in a network location, my encryption filter seems unable to catch the request, so it hits MUP_BUGCHECK_NO_FILECONTEXT. How can my encryption filter catch the request before it goes into MUP? I tried IRP_MJ_QUERY_VOLUME_INFORMATION, but it didn’t seem to work.