Windows System Software -- Consulting, Training, Development -- Unique Expertise, Guaranteed Results

Home NTFSD
Before Posting...
Please check out the Community Guidelines in the Announcements and Administration Category.

More Info on Driver Writing and Debugging


The free OSR Learning Library has more than 50 articles on a wide variety of topics about writing and debugging device drivers and Minifilters. From introductory level to advanced. All the articles have been recently reviewed and updated, and are written using the clear and definitive style you've come to expect from OSR over the years.


Check out The OSR Learning Library at: https://www.osr.com/osr-learning-library/


question about FsRtlCreateSectionForDataScan

maxpyffmaxpyff Member Posts: 3

Dear OSR Community,

I have stumbled on this API "FsRtlCreateSectionForDataScan".
I have read "https://www.osr.com/nt-insider/2019-issue1/fsrtlcreatesectionfordatascan-and-flt-variant-explained/" which does clarify a few things.
However, MSDN still tells me to "Use [it] with extreme caution".
So here is my question: is it safe to call this API from within a LoadImageNotify routine?
It appears that, more often than not, the FILE_OBJECT passed by Windows to us in the PIMAGE_INFO_EX has a 0 handle count, so that it cannot
be converted into a HANDLE (I think this is because the handle has already been closed by the DLL loader). This precludes using ZwCreateSection in this case
and would make "FsRtlCreateSectionForDataScan" very handy.

Thank you for your responses.

Comments

  • Peter_Viscarola_(OSR)Peter_Viscarola_(OSR) Administrator Posts: 7,855

    Moved to correct forum.

    Peter Viscarola
    OSR
    @OSRDrivers

  • Scott_Noone_(OSR)Scott_Noone_(OSR) Administrator Posts: 3,300

    You really don't want to create a section on a file object post IRP_MJ_CLEANUP. This breaks the assumptions of the FS and Mm in terms of how things work and you'll end up with weird problems. If you want a section here you need to open the file again.

    -scott
    OSR

  • maxpyffmaxpyff Member Posts: 3
    edited January 24

    Thanks Scott.
    But a PostCreate callback in a minifilter is safe ?
    I can't use the "Flt..." version - need to support Windows 7.
    I would assume I need to make the usual checks (TopLevelIrp is NULL for example, no handle opened yet on the FILE_OBJECT) ?

  • Scott_Noone_(OSR)Scott_Noone_(OSR) Administrator Posts: 3,300

    When you're in PostCreate it means the FS has successfully opened the file and expects to see an IRP_MJ_CLEANUP at some point. This is why you need to call FltCancelFIleOpen if you fail in PostCreate so the I/O Manager gets a chance to send a "fake" Cleanup request down to the FS.

    Best option is to dynamically call the Flt API if available and use the FsRtl on Win7. You don't need to make any special top level or handle checks in PostCreate.

    -scott
    OSR

  • maxpyffmaxpyff Member Posts: 3

    Sounds good, thank you very much for your answers.

Sign In or Register to comment.

Howdy, Stranger!

It looks like you're new here. If you want to get involved, click one of these buttons!

Upcoming OSR Seminars
OSR has suspended in-person seminars due to the Covid-19 outbreak. But, don't miss your training! Attend via the internet instead!
Kernel Debugging 30 Mar 2020 OSR Seminar Space
Developing Minifilters 15 Jun 2020 LIVE ONLINE
Writing WDF Drivers 22 June 2020 LIVE ONLINE
Internals & Software Drivers 28 Sept 2020 Dulles, VA