Windows System Software -- Consulting, Training, Development -- Unique Expertise, Guaranteed Results

Home NTFSD
Before Posting...
Please check out the Community Guidelines in the Announcements and Administration Category.

More Info on Driver Writing and Debugging


The free OSR Learning Library has more than 50 articles on a wide variety of topics about writing and debugging device drivers and Minifilters. From introductory level to advanced. All the articles have been recently reviewed and updated, and are written using the clear and definitive style you've come to expect from OSR over the years.


Check out The OSR Learning Library at: https://www.osr.com/osr-learning-library/


Filter driver. Pre read callback wrong data size information

TuxfordTuxford Member Posts: 9

I tried to hook copy file data using pre/post filter callbacks. When it hooks IRP_MJ_READ and IRP_MJ_WRITE. I see strange output. On read data size is wrong but on write data size is correct. I didn't try to check content yet.

Other thing. I see that post callback isn't called after pre callback. Is it ok?

DbgView output.

Sequence time operation pid size/opts filename
00007839 117.25965881 FilePreCreate 1576 1200044 \;VBoxMiniRdr\;Z:\VBoxSvr\Src\mhook-master\disasm-lib\disasm_x86_tables.h
00007840 117.26058197 FilePostCreate 1576 1200044 \;Z:\VBoxSvr\Src\mhook-master\disasm-lib\disasm_x86_tables.h
00007841 117.26132202 FilePreCreate 1576 5000064 \tmp\disasm-lib\disasm_x86_tables.h
00007844 117.26177216 FilePostCreate 1576 5000064 \tmp\disasm-lib\disasm_x86_tables.h
00007846 117.26379395 FilePreRead 1576 131072 \;Z:\VBoxSvr\Src\mhook-master\disasm-lib\disasm_x86_tables.h
00007847 117.26388550 FilePreRead 1576 131072 \;Z:\VBoxSvr\Src\mhook-master\disasm-lib\disasm_x86_tables.h
00007848 117.26531982 FilePostRead 1576 131072
00007849 117.26658630 FilePostRead 1576 131072 ** !!! Not correct. correct size 130274**
00007850 117.26786804 FilePreWrite 1576 131072 \tmp\disasm-lib\disasm_x86_tables.h
00007851 117.26795197 FilePostWrite 1576 131072
00007852 117.26919556 FilePreWrite 1576 130274 \tmp\disasm-lib\disasm_x86_tables.h
00007853 117.26924896 FilePostWrite 1576 130274
00007855 117.27242279 FPreClose 1576 - \tmp\disasm-lib\disasm_x86_tables.h
00007856 117.27261353 FPreClose 1576 - \;Z:\VBoxSvr\Src\mhook-master\disasm-lib\disasm_x86_tables.h

Comments

Sign In or Register to comment.

Howdy, Stranger!

It looks like you're new here. If you want to get involved, click one of these buttons!

Upcoming OSR Seminars
OSR has suspended in-person seminars due to the Covid-19 outbreak. But, don't miss your training! Attend via the internet instead!
Writing WDF Drivers 7 Dec 2020 LIVE ONLINE
Internals & Software Drivers 25 Jan 2021 LIVE ONLINE
Developing Minifilters 8 March 2021 LIVE ONLINE