IRP_MJ_READ from File System Mini Filter

I am developing a file system mini filter driver, where I try to read a file by allocating/sending an IRP with major function IRP_MJ_READ.
But, IoCallDriver fails with status = STATUS_INVALID_USER_BUFFER (0XC00000E8). Below are the setup details & steps.

Setup Details


OS : Windows 10 20H1
WDK SDK : VS 2019 with 10.0.19041
Filter LoadOrderGroup : FSFilter Encryption
Altitude : 141000

Steps in sending IRP


  1. IoCreateFileSpecifyDeviceObjectHint - Send a create request for the file
  2. ObReferenceObjectByHandle - Get FILE_OBJECT for the file.
  3. FltGetVolumeFromFileObject - Get the Volume that a given file stream resides on
  4. FltGetDeviceObject - Get pointer to the Filter Manager’s volume device object (VDO) for a given volume
  5. IoGetDeviceAttachmentBaseRef - Get the lowest-level device object in a file system driver stack.
  6. IoAllocateIrp - Allocate IRP
  7. IoSetCompletionRoutineEx - Set a completion routine.
  8. IoCallDriver - Send the IRP to the lowest-level device object (obtained using IoGetDeviceAttachmentBaseRef)

Questions


  1. Is it possible to read a file by sending IRP_MJ_READ (if we have a FILE_OBJECT)?

  2. FILE_OBJECT does not give the length of the file. How can we get it?

  3. What value do we need to give “irpStack->Parameters.Read.Key”?

  4. What needs to be done if IoCallDriver returns STATUS_INVALID_USER_BUFFER (0XC00000E8)?

Please let me know your inputs

Thanks
Sam

It is ‘misguided’ to use any of the IoXXXX operations you are calling; they all have FltXXX homologs (or are not needed). Also, what you are doing won’t work within the filter manager architecture (which is why there are Flt versions).

FltCreateFileEx(....) FltReadFile()

Oh, how lucky you are that you never needed to go out of the FltXxx domain :)