Hello all,
I need to associate writes to a particular file with a process. The bulk of this project has been pretty straightforward but I am having issues capturing the ‘originator’ process ID. An example problem scenario is as follows:
    hFile = CreateFileA();
    hMapping = CreateFileMapping();
    lpMemory = MapViewOfFile();
    CloseHandle(hFile);
    CloseHandle(hMapping);
    *lpMemory = 0x12345678;
As I understand, these writes are passed to the mod writer for writing at a later time. In trying to prove the concept, I initialized a cache map during IRP_MJ_ACQUIRE_FOR_SECTION_SYNC just so I could supply a context (the process) to the AcquireForLazyWrite callback. In testing, I found that this worked pretty well, but I am not sure if the stream handle context is isolated.
To add to the complexity, I’d like to be able to force the write to be synchronous. I’ve been calling CcFlushCache() from within IRP_MJ_RELEASE_FOR_SECTION_SYNC to force a synchronous IRP_MJ_WRITE from the system context. I still have a stream handle context at this point so have been able to ID the process in this manner (I thought these are closed as soon as the handles are closed, but it doesn’t seem so). I tried FltFlushBuffers() but encountered a deadlock – if this is how I should be flushing these writes, what is a good spot to call from?
My questions:
1. I realize that using Cc functions from a MF is probably discouraged – am I screwing something up by initializing a cache map on the section synchronization?
2. Is there a way to force mod writes synchronously (FltFlushBuffers?) and if so, will I still have the process context I’m looking for?
3. Multiple processes may be accessing this file; is there a possibility for overlap in contexts (are these ‘shared’ between processes given that there are a maximum possible 2? sections per FILE_OBJECT?).
Thanks! I read quite a bit about memory mapped files where I could on the forum, I apologize if I missed my answer!
Best,
EK