query in File system Mini filter driver

I need to send a internal IRP from mini filter driver to my volume filter driver sitting above volsnap.

I need to get the FltObjects->FileObject->Vpb->Realdevice device object from my file system mini filter driver.

when I tried accessing this pointer my system crashed. Later on I discovered that my
FltObjects->FileObject is always NULL.

In which cases this file object will be NULL.I am trying to access FileObject in my Precallback routine which I have registered for IRP_MJ_MOUNT_VOLUME.

Is there a way to get the volume filter driver’s device object from mini filter driver.

I used FltGetDeviceObject and IoGetAttachedDevice in sequence thinking that it is the other way to get Vpb->Realdevice.
But when I used FltGetDeviceObject and IoGetAttachedDevice function the device object that I get doesn’t match any object in deviceTree.

I am not sure what objects I getting when I use these functions
FltGetDeviceObject and IoGetAttachedDevice.

Any inputs on this would be helpful

> I used FltGetDeviceObject and IoGetAttachedDevice in sequence

I think you need IoGetDeviceAttachmentBaseRef; from the Fine Manual:

IoGetAttachedDevice returns the highest-level device attached to the
specified device.
The IoGetDeviceAttachmentBaseRef routine returns a pointer to the
lowest-level device object in a file system or device driver stack.

You’ll need to check, but I’m pretty sure that this is the File System
device.

/Rod

I have tried using IoGetDeviceAttachmentBaseRef also…but I am not getting the device object of my volume filter driver.
Infact the device object pointer which I get as output is not seen anywhere in deviceTree utility.
I thought that deviceTree shows all the device objects in the machine. But looks like its not the case or am I missing something so obvious.

yes it is very common to see FltObjects->FileObject is always NULL.

./nT

Is there a way to get the volume filter driver’s device object from mini filter driver.

I need to get the FltObjects->FileObject->Vpb->Realdevice device object for which the Mount Request is targeted from my file system mini filter driver.

I think maybe you are over architecting your filter. You don’t need any of
that stuff for what you are trying to achieve. I went down that road once,
and backed out quickly. Keep it simple.

On Fri, Aug 3, 2018 at 6:23 AM xxxxx@yahoo.co.in <
xxxxx@lists.osr.com> wrote:

Is there a way to get the volume filter driver’s device object from mini
filter driver.

I need to get the FltObjects->FileObject->Vpb->Realdevice device object
for which the Mount Request is targeted from my file system mini filter
driver.


NTFSD is sponsored by OSR

MONTHLY seminars on crash dump analysis, WDF, Windows internals and
software drivers!
Details at http:
>
> To unsubscribe, visit the List Server section of OSR Online at <
> http://www.osronline.com/page.cfm?name=ListServer&gt;
>


Jamey Kirby
Disrupting the establishment since 1964

This is a personal email account and as such, emails are not subject to
archiving. Nothing else really matters.
</http:>