How to filter the request in MUP?

Hi all, I’m developing an encryption filter driver based on Isolation Filter, and now I have encountered a problem when the file is stored on a server, such as win2003.
My minifilter can intercept the request to “\??\UNC\192.168.1.233\test\ccedr.txt”, and it just does the same thing as for a file stored locally.
But I got a BSOD as follows. It seems that mup cannot resolve the file object, as if it didn’t go through my encryption filter. Is there a FLT_OPERATION_REGISTRATION such as IRP_MJ_MUP_XXX? How can my encryption filter intercept the request before it goes down to the mup?

MUP_FILE_SYSTEM (103)
MUP file system detected an error.
Arguments:
Arg1: 0000000000000001, MUP_BUGCHECK_NO_FILECONTEXT
Could not locate MUP file context corresponding to a file object.
Arg2: ffffbe058df963a0, Irp Address if an IRP was used, NULL otherwise.
Arg3: ffffbe058fd0aa10, FILE_OBJECT Address whose MUP file context could not be found
Arg4: ffffbe058d9c3b00, DEVICE_OBJECT Address

STACK_TEXT:
ffffce818f89a078 fffff802ab097262 : 0000000000000001 0000000000000103 ffffce818f89a1e0 fffff802aaf6d6c0 : nt!DbgBreakPointWithStatus
ffffce818f89a080 fffff802ab096b12 : 0000000000000003 ffffce818f89a1e0 fffff802ab148610 0000000000000103 : nt!KiBugCheckDebugBreak+0x12
ffffce818f89a0e0 fffff802ab006687 : 0000000000000000 0000000000000001 ffffbe058df963a0 0000000000000000 : nt!KeBugCheck2+0x922
ffffce818f89a7f0 fffff802dd0d4ab4 : 0000000000000103 0000000000000001 ffffbe058df963a0 ffffbe058fd0aa10 : nt!KeBugCheckEx+0x107
ffffce818f89a830 fffff802dc573502 : 0000000000000001 ffff8bc5e2f177f8 0000000000000000 0000000000000000 : mup!MupRemoveFileContext+0x1db4
ffffce818f89a8b0 fffff802ab32f9af : ffffbe058fd0aa10 ffffce818f89ab80 0000000000000001 ffffce8100000000 : FLTMGR!FltpDispatch+0xe2
ffffce818f89a910 fffff802ab3585b9 : ffffbe0500000000 0000000000000004 000000478507e388 ffffce818f89ab80 : nt!IopSynchronousServiceTail+0x1af
ffffce818f89a9d0 fffff802ab011413 : ffffbe058fd3f7c0 000000478507e338 ffff8bc5e2f177f8 ffff376800000018 : nt!NtQueryVolumeInformationFile+0x559
ffffce818f89aa90 00007ff918a25cc4 : 00007ff91523d205 0000021607feabc0 0000021607feabc0 00007ff917b9e460 : nt!KiSystemServiceCopyEnd+0x13
000000478507e318 00007ff91523d205 : 0000021607feabc0 0000021607feabc0 00007ff917b9e460 0000000000000000 : ntdll!NtQueryVolumeInformationFile+0x14
000000478507e320 00007ff7d6f05b86 : 00007ff7d6f255c0 0000000000000001 0000000000000001 0000000000000000 : KERNELBASE!GetFileInformationByHandle+0x45
000000478507e450 00007ff7d6f0806d : 00007ff7d6f255c0 0000000000000001 0000021607fe21cc 0000000000000000 : NOTEPAD!LoadFile+0x166
000000478507e9e0 00007ff7d6f03a67 : 0000021607fe2188 00007ff9189da670 00007ff7d6f24a68 0000021607fe2188 : NOTEPAD!NPInit+0x781
000000478507fce0 00007ff7d6f19603 : 0000021607fe3130 0000021607fe3132 0000000000000000 0000000000000000 : NOTEPAD!WinMain+0x1d3
000000478507fdf0 00007ff915ef2774 : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : NOTEPAD!__mainCRTStartup+0x19f
000000478507feb0 00007ff9189f0d51 : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : KERNEL32!BaseThreadInitThunk+0x14
000000478507fee0 0000000000000000 : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : ntdll!RtlUserThreadStart+0x21

Is the FO which is indicated owned by you? Or is it one that you have
opened during pre-create and are swapping out the target FOs in the
query info request?

Pete


Kernel Drivers
Windows File System and Device Driver Consulting
www.KernelDrivers.com
866.263.9295

------ Original Message ------
From: “xxxxx@serpurity.com”
To: “Windows File Systems Devs Interest List”
Sent: 12/5/2017 12:34:12 PM
Subject: [ntfsd] How to filter the request in MUP?

>Hi all, I’m developing an encryption filter driver based on Isolation
>Filter, and now I have encountered a problem when the file is stored on
>a server, such as win2003.
>My minifilter can intercept the request to
>“\??\UNC\192.168.1.233\test\ccedr.txt”, and it just does the same thing
>as for a file stored locally.
>But I got a BSOD as follows. It seems that mup cannot resolve the
>file object, as if it didn’t go through my encryption filter. Is there a
>FLT_OPERATION_REGISTRATION such as IRP_MJ_MUP_XXX? How can my
>encryption filter intercept the request before it goes down to the mup?

The FO (ffffbe058fd0aa10) indicated is just a fake one; the real file object is owned by my encryption filter. If this file is located in the local file system, everything goes well, but when the file is in a network location, my encryption filter seems unable to catch the request, so it encounters the MUP_BUGCHECK_NO_FILECONTEXT. How can my encryption filter catch the request before it goes into the mup? I tried IRP_MJ_QUERY_VOLUME_INFORMATION, but it didn’t seem to work.