Driver hangs when user mode application calls OpenFile.
Is there some recursion on open? WinDbg doesn't catch it.
What can cause the hang?
Code:
```
NTSTATUS FsFilterDispatchPassThrough(
    __in PDEVICE_OBJECT DeviceObject,
    __in PIRP Irp
    )
{
    PFSFILTER_DEVICE_EXTENSION pDevExt = (PFSFILTER_DEVICE_EXTENSION)DeviceObject->DeviceExtension;

    IoSkipCurrentIrpStackLocation(Irp);
    return IoCallDriver(pDevExt->AttachedToDeviceObject, Irp);
}

NTSTATUS FsFilterDispatchCreate(
    __in PDEVICE_OBJECT DeviceObject,
    __in PIRP Irp
    )
{
    // IoGetCurrentIrpStackLocation(Irp)->DeviceObject->
    PFILE_OBJECT pFileObject = IoGetCurrentIrpStackLocation(Irp)->FileObject;
    UNICODE_STRING devNameInfo;

    RtlInitUnicodeString(&devNameInfo, NULL);
    IoGetRelatedDeviceObject(pFileObject);
    if (IoGetCurrentIrpStackLocation(Irp)->DeviceObject != NULL) {
        IoVolumeDeviceToDosName(IoGetCurrentIrpStackLocation(Irp)->DeviceObject, &devNameInfo);
    }
    // ObQueryNameString(pFileObject->DeviceObject, devNameInfo, devNameInfo != NULL ? maxDevNameSize : 0, &realSize);
    // DbgPrint("Open %Z %wZ\n", devNameInfo, &pFileObject->FileName);
    RtlFreeUnicodeString(&devNameInfo);
    return FsFilterDispatchPassThrough(DeviceObject, Irp);
}

NTSTATUS DriverEntry(
    __inout PDRIVER_OBJECT DriverObject,
    __in PUNICODE_STRING RegistryPath
    )
{
    UNREFERENCED_PARAMETER(RegistryPath);
    NTSTATUS status = STATUS_SUCCESS;
    ULONG i = 0;
    UNICODE_STRING deviceNameUnicodeString, deviceSymLinkUnicodeString;

    RtlInitUnicodeString(&deviceNameUnicodeString, deviceNameBuffer);
    RtlInitUnicodeString(&deviceSymLinkUnicodeString, deviceSymLinkBuffer);

    status = IoCreateDevice(DriverObject,
        0, // For driver extension
        &deviceNameUnicodeString,
        FILE_DEVICE_UNKNOWN,
        FILE_DEVICE_UNKNOWN,
        FALSE,
        &devObject);
    if (!NT_SUCCESS(status)) {
        DbgPrint("IoCreateDevice failed %X\n", status);
        return status;
    }

    status = IoCreateSymbolicLink(&deviceSymLinkUnicodeString, &deviceNameUnicodeString);
    if (!NT_SUCCESS(status)) {
        DbgPrint("IoCreateSymbolicLink failed %X\n", status);
        return status;
    }

    g_fsFilterDriverObject = DriverObject;

    status = PsSetCreateProcessNotifyRoutine(createProcessNotifyRoutine, FALSE);
    if (!NT_SUCCESS(status)) {
        DbgPrint("PsSetCreateProcessNotifyRoutine failed %X\n", status);
        return status;
    } else {
        DbgPrint("PsSetCreateProcessNotifyRoutine success %X\n", status);
    }

    status = FltRegisterFilter(DriverObject, &FilterRegistration, &g_data.Filter);
    if (!NT_SUCCESS(status)) {
        DbgPrint("FltRegisterFilter failed %X", status);
        return status;
    }

    status = FltStartFiltering(g_data.Filter);
    if (!NT_SUCCESS(status)) {
        FltUnregisterFilter(g_data.Filter);
        return status;
    }

    for (i = 0; i <= IRP_MJ_MAXIMUM_FUNCTION; ++i) {
        DriverObject->MajorFunction[i] = FsFilterDispatchPassThrough;
    }
    DriverObject->MajorFunction[IRP_MJ_CREATE] = FsFilterDispatchCreate;
    DriverObject->MajorFunction[IRP_MJ_READ] = FsFilterDispatchRead;
    DriverObject->MajorFunction[IRP_MJ_CLOSE] = FsFilterDispatchClose;
    DriverObject->MajorFunction[IRP_MJ_DEVICE_CONTROL] = FsFilterDispatchIOControl;
    DriverObject->FastIoDispatch = &g_fastIoDispatch;

    status = IoRegisterFsRegistrationChange(DriverObject, FsFilterNotificationCallback);
    if (!NT_SUCCESS(status)) {
        return status;
    }

    DriverObject->DriverUnload = FsFilterUnload;
    return STATUS_SUCCESS;
}
```
Comments
processing callbacks for minifilters, but instead bypasses all that by
using your own WDM dispatch routines. Why?
Try using one of the sample minifilters on github as a starting point.
Mark Roddy
What samples of minifilters do you mean?
I took the Apriorit driver as a starting point and added some callbacks. It works well except for opening the device.
I need to configure it from user mode.
It seems the problem is in FsFilterDispatchCreate. When it receives its file name it handles it in the same way but has to handle it in a way like this. Am I right?
```
Irp->IoStatus.Status = STATUS_SUCCESS;
Irp->IoStatus.Information = 0;
IoCompleteRequest(Irp, IO_NO_INCREMENT);
return STATUS_SUCCESS;
```
Thank you, Mark. It seems I understand my mistake. I'll go on.
Start there.
Mark Roddy
And for GOODNESS sakes, next time post in the right category.
Hint: This is the wrong category.
Peter
Peter Viscarola
OSR
@OSRDrivers
So, I looked into the samples and see that communication with user mode has to be implemented via FltCreateCommunicationPort, not by dispatching IRP_MJ_CREATE. Is that correct?
Moving to NTFSD where this belongs.
Peter
Peter Viscarola
OSR
@OSRDrivers
I'm not sure I understand the question... But, if you're looking for a way to communicate between a user mode application/service and your filter then a Communication Port is a good choice.
-scott
OSR
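
The point the thread reaches about IRP_MJ_CREATE arriving on the driver's own named device, as an added example that is not part of any post: a user-mode C model of a create dispatch that completes opens of the control device and forwards only for attached filter devices. The structs and the helper names (`complete_irp`, `pass_down`, `dispatch_create`, `g_controlDevice`) are simplified stand-ins assumed for illustration, not WDK definitions, and the zero-size extension is modelled as a NULL pointer.

```c
/* User-mode model (constructed, not WDK code): the types below are
 * simplified stand-ins for DEVICE_OBJECT and IRP so the routing runs anywhere. */
#include <stddef.h>

typedef long NTSTATUS;
#define STATUS_SUCCESS                 ((NTSTATUS)0x00000000L)
#define STATUS_INVALID_DEVICE_REQUEST  ((NTSTATUS)0xC0000010L)

typedef struct DEVICE_OBJECT { void *DeviceExtension; } DEVICE_OBJECT;
typedef struct { DEVICE_OBJECT *AttachedToDeviceObject; } FSFILTER_DEVICE_EXTENSION;
typedef struct { NTSTATUS Status; int Completed; DEVICE_OBJECT *SentTo; } IRP;

/* The named device created with DeviceExtensionSize 0: no extension to read. */
static DEVICE_OBJECT g_controlDevice = { NULL };

/* Stand-in for IoCompleteRequest: the IRP stops at this driver. */
static NTSTATUS complete_irp(IRP *irp, NTSTATUS status)
{
    irp->Status = status;
    irp->Completed = 1;
    return status;
}

/* Stand-in for IoSkipCurrentIrpStackLocation + IoCallDriver. */
static NTSTATUS pass_down(FSFILTER_DEVICE_EXTENSION *ext, IRP *irp)
{
    irp->SentTo = ext->AttachedToDeviceObject;
    return STATUS_SUCCESS;   /* in a real stack: the lower driver's status */
}

/* Create dispatch: decide by device identity before touching the extension. */
NTSTATUS dispatch_create(DEVICE_OBJECT *dev, IRP *irp)
{
    FSFILTER_DEVICE_EXTENSION *ext;

    if (dev == &g_controlDevice)          /* open of the driver's own device */
        return complete_irp(irp, STATUS_SUCCESS);

    ext = (FSFILTER_DEVICE_EXTENSION *)dev->DeviceExtension;
    if (ext == NULL || ext->AttachedToDeviceObject == NULL)
        return complete_irp(irp, STATUS_INVALID_DEVICE_REQUEST);

    return pass_down(ext, irp);           /* attached filter device */
}
```

The same identity check belongs in every dispatch routine a driver shares between its control device and its attached filter devices, not only in the create path.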