Filesystem filter driver

Driver hangs when user mode application calls OpenFile.
Is here some recursion on open? Windbg doesn’t catch it.

What reason can cause hang?

Code:
`NTSTATUS FsFilterDispatchPassThrough(
__in PDEVICE_OBJECT DeviceObject,
__in PIRP Irp
)
{
PFSFILTER_DEVICE_EXTENSION pDevExt = (PFSFILTER_DEVICE_EXTENSION)DeviceObject->DeviceExtension;

IoSkipCurrentIrpStackLocation(Irp);
return IoCallDriver(pDevExt->AttachedToDeviceObject, Irp);

}

NTSTATUS FsFilterDispatchCreate(
__in PDEVICE_OBJECT DeviceObject,
__in PIRP Irp
)
{
// IoGetCurrentIrpStackLocation(Irp)->DeviceObject->
PFILE_OBJECT pFileObject = IoGetCurrentIrpStackLocation(Irp)->FileObject;
UNICODE_STRING devNameInfo;
RtlInitUnicodeString(&devNameInfo, NULL);

IoGetRelatedDeviceObject(pFileObject);
if (IoGetCurrentIrpStackLocation(Irp)->DeviceObject != NULL)
{
    IoVolumeDeviceToDosName(IoGetCurrentIrpStackLocation(Irp)->DeviceObject, &devNameInfo);
}

// ObQueryNameString(pFileObject->DeviceObject, devNameInfo, devNameInfo != NULL ? maxDevNameSize : 0, &realSize);

// DbgPrint(“Open %Z %wZ\n”, devNameInfo, &pFileObject->FileName);

RtlFreeUnicodeString(&devNameInfo);

return FsFilterDispatchPassThrough(DeviceObject, Irp);

}

NTSTATUS DriverEntry(
__inout PDRIVER_OBJECT DriverObject,
__in PUNICODE_STRING RegistryPath
)
{
UNREFERENCED_PARAMETER(RegistryPath);
NTSTATUS status = STATUS_SUCCESS;
ULONG i = 0;

UNICODE_STRING deviceNameUnicodeString, deviceSymLinkUnicodeString;

RtlInitUnicodeString(&deviceNameUnicodeString, deviceNameBuffer);
RtlInitUnicodeString(&deviceSymLinkUnicodeString, deviceSymLinkBuffer);

status = IoCreateDevice(DriverObject,
    0, // For driver extension
    &deviceNameUnicodeString,
    FILE_DEVICE_UNKNOWN,
    FILE_DEVICE_UNKNOWN,
    FALSE,
    &devObject);

if (!NT_SUCCESS(status))
{
    DbgPrint("IoCreateDevice failed %X\n", status);
    return status;
}

status = IoCreateSymbolicLink(&deviceSymLinkUnicodeString, &deviceNameUnicodeString);
if (!NT_SUCCESS(status))
{
    DbgPrint("IoCreateSymbolicLink failed %X\n", status);
    return status;
}

g_fsFilterDriverObject = DriverObject;

status = PsSetCreateProcessNotifyRoutine(createProcessNotifyRoutine, FALSE);
if (!NT_SUCCESS(status))
{
    DbgPrint("PsSetCreateProcessNotifyRoutine failed %X\n", status);
    return status;
}
else
{
    DbgPrint("PsSetCreateProcessNotifyRoutine success %X\n", status);
}

status = FltRegisterFilter(DriverObject,
    &FilterRegistration,
    &g_data.Filter);

if (!NT_SUCCESS(status)) 
{
    DbgPrint("FltRegisterFilter failed %X", status);
    return status;
}

status = FltStartFiltering(g_data.Filter);

if (!NT_SUCCESS(status)) 
{
    FltUnregisterFilter(g_data.Filter);
    return status;
}

for (i = 0; i <= IRP_MJ_MAXIMUM_FUNCTION; ++i) 
{
    DriverObject->MajorFunction[i] = FsFilterDispatchPassThrough;
}

DriverObject->MajorFunction[IRP_MJ_CREATE] = FsFilterDispatchCreate;
DriverObject->MajorFunction[IRP_MJ_READ] = FsFilterDispatchRead;
DriverObject->MajorFunction[IRP_MJ_CLOSE] = FsFilterDispatchClose;
DriverObject->MajorFunction[IRP_MJ_DEVICE_CONTROL] = FsFilterDispatchIOControl;

DriverObject->FastIoDispatch = &g_fastIoDispatch;

status = IoRegisterFsRegistrationChange(DriverObject, FsFilterNotificationCallback); 
if (!NT_SUCCESS(status)) 
{
    return status;
}

DriverObject->DriverUnload = FsFilterUnload;

return STATUS_SUCCESS;

}`

Basically you have a filesystem minifilter that doesn’t use the defined io
processing callbacks for minifilters, but instead bypasses all that by
using your own WDM dispatch routines. Why?
Try using one of the sample minifilters on github as a starting point.

Mark Roddy

@Mark_Roddy said:
Basically you have a filesystem minifilter that doesn’t use the defined io
processing callbacks for minifilters, but instead bypasses all that by
using your own WDM dispatch routines. Why?
Try using one of the sample minifilters on github as a starting point.

Mark Roddy

What samples of minifilters do you mean?

I took apriorit driver for start and added some callbacks. It works well except open device.
I need to configure from user mode.

It seems problem in FsFilterDispatchCreate. When it receives it’s file name it handles it i the same way but has to handle in the way like that. Am I right?
` Irp->IoStatus.Status = STATUS_SUCCESS;

Irp->IoStatus.Information = 0;
IoCompleteRequest(Irp, IO_NO_INCREMENT);
return STATUS_SUCCESS;
`

Thank you, Mark. It seems I understand my mistake. I’ll go on.

https://github.com/microsoft/Windows-driver-samples/tree/master/filesys/miniFilter

Start there.

Mark Roddy

And for GOODNESS sakes, next time post in the right category.

Hint: This is the wrong category.

Peter

So, I looked into samples and see that communication with user mode has to be implemented via FltCreateCommunicationPort but not dispach IRP_MJ_CREATE . Is it correct?

Moving to NTFSD where this belongs.

Peter

I’m not sure I understand the question…But, if you’re looking for a way to communicate between a user mode application/service and your filter then a Communication Port is a good choice.