Something strange about Filemon!

Hi!

I have a problem with Filemon, but it has much to do with Windows internals!

In Filemon, HookDrive gets the DO for a volume by the name \DosDevices\X:\, where X is the specific drive to be hooked. Why doesn't it use the name \DosDevices\X: instead? Why is a '\' appended?

By the way, I get the name of a newly mounted volume in the control_dispatch routine, i.e., the name of a volume on a flash disk, which is usually like \Device\Harddisk1\DP(1)0-0+8. If I try to get the DO with this name, \Device\Harddisk1\DP(1)0-0+8 (this name is equal to \DosDevices\H:, where H is the drive letter of the flash disk on my machine), a deadlock will surely occur. Why? Can't I attach my filter DO to the newly mounted volume with the name \Device\Harddisk1\DP(1)0-0+8 (or \DosDevices\H:) just as Filemon does?

In fact, I tried both names, \Device\Harddisk1\DP(1)0-0+8\ and \DosDevices\H:\, in the control_dispatch routine, but both lead to a deadlock! Can I avoid the deadlock? By the way, the deadlock occurs when the ZwCreateFile function call is executed!

Help needed!

Well, since you are basing your stuff on the Filemon code, you obviously paid
the licensing fees to Windows Internals. I would recommend you contact
them and get the answer.


Don Burn (MVP, Windows DDK)
Windows 2k/XP/2k3 Filesystem and Driver Consulting
http://www.windrvr.com
Remove StopSpam from the email to reply


Hi,

> Why doesn't it use the name \DosDevices\X: instead? Why is a '\' appended?

If the FSD is mounted it does not matter whether you open \DosDevices\X:\ or
\DosDevices\X:, because IoGetRelatedDeviceObject() returns the FSD's device
object, but if the FSD is not mounted, opening \DosDevices\X:\ forces
the system to mount the FSD.

> By the way, when the ZwCreateFile function call is executed, a deadlock
> occurred!

Do you call ZwCreateFile from the IRP_MN_MOUNT_VOLUME handler?
If so, then this is a second reincarnation of the error which you made with
ObQueryNameString.
ZwCreateFile creates an IRP and sends it to the top of the driver stack.
Your driver is in the middle of the stack. You create a recursive entry and
deadlock.
Actually, during IRP_MN_MOUNT_VOLUME the system holds the lock, and this
leads to different deadlock scenarios; search the list's archive.


Slava Imameyev, xxxxx@hotmail.com


BTW, I do not have Filemon’s code and do not want to load it. My answer
about \DosDevices\X:\ is only a guess.


Slava Imameyev, xxxxx@hotmail.com


Thanks a lot!
I seem to know why the deadlock occurs!