Am i starting correctly?

OSR_Community_User · July 29, 2009, 11:19pm

Hello all from the community,

I have just started programming some FSFD, and i have no clue how to go
further from here. below is my first program

NTSTATUS DriverEntry(PDRIVER_OBJECT pDriverObject, PUNICODE_STRING
pRegistryPath)
{
NTSTATUS NtStatus = STATUS_SUCCESS;
UINT uiIndex = 0;
PDEVICE_OBJECT pDeviceObject = NULL, pFilteredDevice = NULL;
UNICODE_STRING usDriverName, usDosDeviceName;
PEXAMPLE_DEVICE_CONTEXT pExampleDeviceContext = NULL;
PEXAMPLE_FILTER_EXTENSION pMyFilterDeviceContext;
PIO_STACK_LOCATION pIoStackIrp = NULL;

RtlInitUnicodeString(&Global_sz_Drv_RegInfo, pRegistryPath->Buffer);

DbgPrint(“DriverEntry IN \r\n”);

RtlInitUnicodeString(&usDriverName,
L"\FileSystem\Filters\MyEDfilterCDO");
RtlInitUnicodeString(&usDosDeviceName, L"\DosDevices\MyEDfilter");

NtStatus = IoCreateDevice(pDriverObject, sizeof(EXAMPLE_DEVICE_CONTEXT),
&usDriverName, FILE_DEVICE_DISK_FILE_SYSTEM | FILE_DEVICE_FILE_SYSTEM,
FILE_DEVICE_SECURE_OPEN, FALSE,
&pDeviceObject);

if(NtStatus == STATUS_SUCCESS)
{
for(uiIndex = 0; uiIndex < IRP_MJ_MAXIMUM_FUNCTION; uiIndex++)
pDriverObject->MajorFunction[uiIndex] =
MyEDFilter_UnSupportedFunction;

DbgPrint(“MyEDFilter_UnSupportedFunction--------%d \r\n”,uiIndex);

DbgPrint(“DriverEntry IRP_MJ_CREATE \r\n”);
pDriverObject->MajorFunction[IRP_MJ_CREATE] =
MyEDfilter_Create;
DbgPrint(“DriverEntry IRP_MJ_DEVICE_CONTROL \r\n”);
pDriverObject->MajorFunction[IRP_MJ_DEVICE_CONTROL] =
MyEDfilter_IoControl;
DbgPrint(“DriverEntry IRP_MJ_INTERNAL_DEVICE_CONTROL \r\n”);
pDriverObject->MajorFunction[IRP_MJ_INTERNAL_DEVICE_CONTROL] =
MyEDfilter_DispatchDeviceControl;
DbgPrint(“DriverEntry IRP_MJ_READ \r\n”);
pDriverObject->MajorFunction[IRP_MJ_READ] =
MyEDfilter_Read;
DbgPrint(“DriverEntry IRP_MJ_WRITE \r\n”);
pDriverObject->MajorFunction[IRP_MJ_WRITE] =
MyEDfilter_Write;
DbgPrint(“DriverEntry DriverUnload \r\n”);
pDriverObject->DriverUnload = DriverUnload;

pExampleDeviceContext =
(PEXAMPLE_DEVICE_CONTEXT)pDeviceObject->DeviceExtension;
pMyFilterDeviceContext =
(PEXAMPLE_FILTER_EXTENSION)pDeviceObject->DeviceExtension;

//KeInitializeMutex(&pExampleDeviceContext->kListMutex, 0);
pExampleDeviceContext->pExampleList = NULL;
pDeviceObject->Flags |= IO_TYPE;

}

DbgPrint(“DriverEntry Out \r\n”);
return NtStatus;
}

NTSTATUS MyEDfilter_Write(PDEVICE_OBJECT DeviceObject, PIRP Irp)
{
NTSTATUS NtStatus = STATUS_SUCCESS;
DbgPrint(“MyEDfilter_Write Called \r\n”);

return NtStatus;
}

NTSTATUS MyEDfilter_Read(PDEVICE_OBJECT DeviceObject, PIRP Irp)
{
NTSTATUS NtStatus = STATUS_BUFFER_TOO_SMALL;
PEXAMPLE_FILTER_EXTENSION pMyFilterDeviceContext =
(PEXAMPLE_FILTER_EXTENSION)DeviceObject->DeviceExtension;
PIO_STACK_LOCATION pIoStackIrp = NULL;

DbgPrint(“MyEDfilter_Read Called \r\n”);

pIoStackIrp = IoGetCurrentIrpStackLocation(Irp);
IoCopyCurrentIrpStackLocationToNext(Irp);
IoSetCompletionRoutine(Irp, (PIO_COMPLETION_ROUTINE)
MyFilter_CompletionRoutine, NULL, TRUE, TRUE, TRUE);

NtStatus = IoCallDriver(pMyFilterDeviceContext->pNextDeviceInChain,
Irp);

Irp->IoStatus.Status = NtStatus;
IoCompleteRequest(Irp, IO_NO_INCREMENT);

DbgPrint(“MyEDfilter_Read Exit 0x%0x \r\n”, NtStatus);

return NtStatus;
}

NTSTATUS MyEDfilter_Create(IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp)
{
PIO_STACK_LOCATION p_IO_STK;
PDEVICE_EXTENSION p_DVCEXT;
NTSTATUS status;

DbgPrint(“MyEDfilter_Create : Start\r\n”);
p_IO_STK = IoGetCurrentIrpStackLocation(Irp);
p_DVCEXT = DeviceObject->DeviceExtension;
status = IoAcquireRemoveLock(&p_DVCEXT->RemoveLock,
p_IO_STK->FileObject);
if (NT_SUCCESS(status))
{
CompleteRequest(Irp, STATUS_SUCCESS, 0);
return STATUS_SUCCESS;
}
else
{
IoReleaseRemoveLock(&p_DVCEXT->RemoveLock, p_IO_STK->FileObject);
CompleteRequest(Irp, status, 0);
return status;
}
DbgPrint(“MyEDfilter_Create: End\r\n”);
}

Here i am just trying to get print messages, so that i could find out
control is flowing through these functions. to test this i am using
dbgviewer as debugger and created small user program who reads the file from
disk with “CreateFile”, “ReadFile” and “WriteFile” api.
But my problem is i can get the messages when i start the service from user
program, the messages before all “IRP_MJ” but i could’nt get the messages
which are in the functions “MyEDfilter_Create”, “MyEDfilter_Read” and
“MyEDfilter_Write”. So here i am slightly confused and stuck, and obviously
dont know what to do and how to move further?

Please any suggestions and guidence
Thanking before for all replies.
Do reply soon

Rob · July 29, 2009, 11:36pm

Regarding MyEDfilter_Create, your code returns prior to executing the DbgPrint

OSR_Community_User · July 29, 2009, 11:43pm

yes, i mean why where is wrong, how to correct?
i can get all dbgprint from driverentry() but it does’nt got to any of other
function while testing through user program.

On Thu, Jul 30, 2009 at 11:36 AM, wrote:

> Regarding MyEDfilter_Create, your code returns prior to executing the
> DbgPrint
>
> —
> NTDEV is sponsored by OSR
>
> For our schedule of WDF, WDM, debugging and other seminars visit:
> http://www.osr.com/seminars
>
> To unsubscribe, visit the List Server section of OSR Online at
> http://www.osronline.com/page.cfm?name=ListServer
>

OSR_Community_User · July 29, 2009, 11:57pm

Are you using the correct device name in the user mode,
check device tree for the device name and make sure you using the correct
one.

Dennis scott

On Thu, Jul 30, 2009 at 9:12 AM, mannu jam wrote:

> yes, i mean why where is wrong, how to correct?
> i can get all dbgprint from driverentry() but it does’nt got to any of
> other function while testing through user program.
>
>
>
> On Thu, Jul 30, 2009 at 11:36 AM, wrote:
>
>> Regarding MyEDfilter_Create, your code returns prior to executing the
>> DbgPrint
>>
>> —
>> NTDEV is sponsored by OSR
>>
>> For our schedule of WDF, WDM, debugging and other seminars visit:
>> http://www.osr.com/seminars
>>
>> To unsubscribe, visit the List Server section of OSR Online at
>> http://www.osronline.com/page.cfm?name=ListServer
>>
>
> — NTDEV is sponsored by OSR For our schedule of WDF, WDM, debugging and
> other seminars visit: http://www.osr.com/seminars To unsubscribe, visit
> the List Server section of OSR Online at
> http://www.osronline.com/page.cfm?name=ListServer

OSR_Community_User · July 30, 2009, 1:56am

I have changed
RtlInitUnicodeString(&usDosDeviceName, L"\DosDevices\MyEDfilter");

to

RtlInitUnicodeString(&usDosDeviceName, L"\FileSystem\MyEDfilter");

this is somewhat similar to sfilter program in DDK.
I guess the filter which i am trying to create is attaching to File System
driver.

On Thu, Jul 30, 2009 at 11:57 AM, Dennis Scott
wrote:

> Are you using the correct device name in the user mode,
> check device tree for the device name and make sure you using the correct
> one.
>
> Dennis scott
>
> On Thu, Jul 30, 2009 at 9:12 AM, mannu jam wrote:
>
>> yes, i mean why where is wrong, how to correct?
>> i can get all dbgprint from driverentry() but it does’nt got to any of
>> other function while testing through user program.
>>
>>
>>
>> On Thu, Jul 30, 2009 at 11:36 AM, wrote:
>>
>>> Regarding MyEDfilter_Create, your code returns prior to executing the
>>> DbgPrint
>>>
>>> —
>>> NTDEV is sponsored by OSR
>>>
>>> For our schedule of WDF, WDM, debugging and other seminars visit:
>>> http://www.osr.com/seminars
>>>
>>> To unsubscribe, visit the List Server section of OSR Online at
>>> http://www.osronline.com/page.cfm?name=ListServer
>>>
>>
>> — NTDEV is sponsored by OSR For our schedule of WDF, WDM, debugging and
>> other seminars visit: http://www.osr.com/seminars To unsubscribe, visit
>> the List Server section of OSR Online at
>> http://www.osronline.com/page.cfm?name=ListServer
>
>
> — NTDEV is sponsored by OSR For our schedule of WDF, WDM, debugging and
> other seminars visit: http://www.osr.com/seminars To unsubscribe, visit
> the List Server section of OSR Online at
> http://www.osronline.com/page.cfm?name=ListServer

OSR_Community_User · July 30, 2009, 1:57am

Still the same can get messages from DriverEntry() but not from read/ write
and create functions…

On Thu, Jul 30, 2009 at 1:55 PM, mannu jam wrote:

> I have changed
> RtlInitUnicodeString(&usDosDeviceName, L"\DosDevices\MyEDfilter");
>
> to
>
> RtlInitUnicodeString(&usDosDeviceName, L"\FileSystem\MyEDfilter");
>
> this is somewhat similar to sfilter program in DDK.
> I guess the filter which i am trying to create is attaching to File System
> driver.
>
>
>
>
>
>
> On Thu, Jul 30, 2009 at 11:57 AM, Dennis Scott <
> xxxxx@allaboutif.com> wrote:
>
>> Are you using the correct device name in the user mode,
>> check device tree for the device name and make sure you using the correct
>> one.
>>
>> Dennis scott
>>
>> On Thu, Jul 30, 2009 at 9:12 AM, mannu jam wrote:
>>
>>> yes, i mean why where is wrong, how to correct?
>>> i can get all dbgprint from driverentry() but it does’nt got to any of
>>> other function while testing through user program.
>>>
>>>
>>>
>>> On Thu, Jul 30, 2009 at 11:36 AM, wrote:
>>>
>>>> Regarding MyEDfilter_Create, your code returns prior to executing the
>>>> DbgPrint
>>>>
>>>> —
>>>> NTDEV is sponsored by OSR
>>>>
>>>> For our schedule of WDF, WDM, debugging and other seminars visit:
>>>> http://www.osr.com/seminars
>>>>
>>>> To unsubscribe, visit the List Server section of OSR Online at
>>>> http://www.osronline.com/page.cfm?name=ListServer
>>>>
>>>
>>> — NTDEV is sponsored by OSR For our schedule of WDF, WDM, debugging and
>>> other seminars visit: http://www.osr.com/seminars To unsubscribe, visit
>>> the List Server section of OSR Online at
>>> http://www.osronline.com/page.cfm?name=ListServer
>>
>>
>> — NTDEV is sponsored by OSR For our schedule of WDF, WDM, debugging and
>> other seminars visit: http://www.osr.com/seminars To unsubscribe, visit
>> the List Server section of OSR Online at
>> http://www.osronline.com/page.cfm?name=ListServer
>
>
>

Don_Burn_1 · July 30, 2009, 7:50am

Some observations:

You are obviously new to windows driver development, you so know now
that a file system filter is one of the harder things to do, and is a
terrible way to start kernel programming. Consider stepping back and doing
a simple driver or two, to learn the basics. These drivers can be pure
software devices to explore kernel programming.
Why in the world are you developing a file system filter driver with
the legacy model. Microsoft has the mini-filter model that will cover OS’es
from 2000 with the correct service packs. You are adding a lot of work for
no gain using the legacy model. There are a few reasons to use a legacy
filter, but they are rare and you need to be an expert to know when to go
there.
If you really want to do file system work, then once you are there you
should be asking this stuff on NTFSD.

You need to take some time and learn the basics, before you try what you are
doing.

–
Don Burn (MVP, Windows DKD)
Windows Filesystem and Driver Consulting
Website: http://www.windrvr.com
Blog: http://msmvps.com/blogs/WinDrvr

“mannu jam” wrote in message news:xxxxx@ntdev…
> Hello all from the community,
>
> I have just started programming some FSFD, and i have no clue how to go
> further from here. below is my first program
>
>
> NTSTATUS DriverEntry(PDRIVER_OBJECT pDriverObject, PUNICODE_STRING
> pRegistryPath)
> {
> NTSTATUS NtStatus = STATUS_SUCCESS;
> UINT uiIndex = 0;
> PDEVICE_OBJECT pDeviceObject = NULL, pFilteredDevice = NULL;
> UNICODE_STRING usDriverName, usDosDeviceName;
> PEXAMPLE_DEVICE_CONTEXT pExampleDeviceContext = NULL;
> PEXAMPLE_FILTER_EXTENSION pMyFilterDeviceContext;
> PIO_STACK_LOCATION pIoStackIrp = NULL;
>
> RtlInitUnicodeString(&Global_sz_Drv_RegInfo, pRegistryPath->Buffer);
>
> DbgPrint(“DriverEntry IN \r\n”);
>
> RtlInitUnicodeString(&usDriverName,
> L"\FileSystem\Filters\MyEDfilterCDO");
> RtlInitUnicodeString(&usDosDeviceName, L"\DosDevices\MyEDfilter");
>
> NtStatus = IoCreateDevice(pDriverObject,
> sizeof(EXAMPLE_DEVICE_CONTEXT),
> &usDriverName, FILE_DEVICE_DISK_FILE_SYSTEM | FILE_DEVICE_FILE_SYSTEM,
> FILE_DEVICE_SECURE_OPEN, FALSE,
> &pDeviceObject);
>
> if(NtStatus == STATUS_SUCCESS)
> {
> for(uiIndex = 0; uiIndex < IRP_MJ_MAXIMUM_FUNCTION; uiIndex++)
> pDriverObject->MajorFunction[uiIndex] =
> MyEDFilter_UnSupportedFunction;
>
> DbgPrint(“MyEDFilter_UnSupportedFunction--------%d \r\n”,uiIndex);
>
> DbgPrint(“DriverEntry IRP_MJ_CREATE \r\n”);
> pDriverObject->MajorFunction[IRP_MJ_CREATE]
> =
> MyEDfilter_Create;
> DbgPrint(“DriverEntry IRP_MJ_DEVICE_CONTROL \r\n”);
> pDriverObject->MajorFunction[IRP_MJ_DEVICE_CONTROL]
> =
> MyEDfilter_IoControl;
> DbgPrint(“DriverEntry IRP_MJ_INTERNAL_DEVICE_CONTROL \r\n”);
> pDriverObject->MajorFunction[IRP_MJ_INTERNAL_DEVICE_CONTROL] =
> MyEDfilter_DispatchDeviceControl;
> DbgPrint(“DriverEntry IRP_MJ_READ \r\n”);
> pDriverObject->MajorFunction[IRP_MJ_READ] =
> MyEDfilter_Read;
> DbgPrint(“DriverEntry IRP_MJ_WRITE \r\n”);
> pDriverObject->MajorFunction[IRP_MJ_WRITE] =
> MyEDfilter_Write;
> DbgPrint(“DriverEntry DriverUnload \r\n”);
> pDriverObject->DriverUnload = DriverUnload;
>
> pExampleDeviceContext =
> (PEXAMPLE_DEVICE_CONTEXT)pDeviceObject->DeviceExtension;
> pMyFilterDeviceContext =
> (PEXAMPLE_FILTER_EXTENSION)pDeviceObject->DeviceExtension;
>
> //KeInitializeMutex(&pExampleDeviceContext->kListMutex, 0);
> pExampleDeviceContext->pExampleList = NULL;
> pDeviceObject->Flags |= IO_TYPE;
>
>
> }
>
> DbgPrint(“DriverEntry Out \r\n”);
> return NtStatus;
> }
>
> NTSTATUS MyEDfilter_Write(PDEVICE_OBJECT DeviceObject, PIRP Irp)
> {
> NTSTATUS NtStatus = STATUS_SUCCESS;
> DbgPrint(“MyEDfilter_Write Called \r\n”);
>
> return NtStatus;
> }
>
> NTSTATUS MyEDfilter_Read(PDEVICE_OBJECT DeviceObject, PIRP Irp)
> {
> NTSTATUS NtStatus = STATUS_BUFFER_TOO_SMALL;
> PEXAMPLE_FILTER_EXTENSION pMyFilterDeviceContext =
> (PEXAMPLE_FILTER_EXTENSION)DeviceObject->DeviceExtension;
> PIO_STACK_LOCATION pIoStackIrp = NULL;
>
> DbgPrint(“MyEDfilter_Read Called \r\n”);
>
> pIoStackIrp = IoGetCurrentIrpStackLocation(Irp);
> IoCopyCurrentIrpStackLocationToNext(Irp);
> IoSetCompletionRoutine(Irp, (PIO_COMPLETION_ROUTINE)
> MyFilter_CompletionRoutine, NULL, TRUE, TRUE, TRUE);
>
> NtStatus = IoCallDriver(pMyFilterDeviceContext->pNextDeviceInChain,
> Irp);
>
> Irp->IoStatus.Status = NtStatus;
> IoCompleteRequest(Irp, IO_NO_INCREMENT);
>
> DbgPrint(“MyEDfilter_Read Exit 0x%0x \r\n”, NtStatus);
>
> return NtStatus;
> }
>
> NTSTATUS MyEDfilter_Create(IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp)
> {
> PIO_STACK_LOCATION p_IO_STK;
> PDEVICE_EXTENSION p_DVCEXT;
> NTSTATUS status;
>
> DbgPrint(“MyEDfilter_Create : Start\r\n”);
> p_IO_STK = IoGetCurrentIrpStackLocation(Irp);
> p_DVCEXT = DeviceObject->DeviceExtension;
> status = IoAcquireRemoveLock(&p_DVCEXT->RemoveLock,
> p_IO_STK->FileObject);
> if (NT_SUCCESS(status))
> {
> CompleteRequest(Irp, STATUS_SUCCESS, 0);
> return STATUS_SUCCESS;
> }
> else
> {
> IoReleaseRemoveLock(&p_DVCEXT->RemoveLock, p_IO_STK->FileObject);
> CompleteRequest(Irp, status, 0);
> return status;
> }
> DbgPrint(“MyEDfilter_Create: End\r\n”);
> }
>
>
>
>
> Here i am just trying to get print messages, so that i could find out
> control is flowing through these functions. to test this i am using
> dbgviewer as debugger and created small user program who reads the file
> from
> disk with “CreateFile”, “ReadFile” and “WriteFile” api.
> But my problem is i can get the messages when i start the service from
> user
> program, the messages before all “IRP_MJ” but i could’nt get the messages
> which are in the functions “MyEDfilter_Create”, “MyEDfilter_Read” and
> “MyEDfilter_Write”. So here i am slightly confused and stuck, and
> obviously
> dont know what to do and how to move further?
>
> Please any suggestions and guidence
> Thanking before for all replies.
> Do reply soon
>
>
>
> Information from ESET NOD32 Antivirus, version of virus
> signature database 4290 (20090730)
>
> The message was checked by ESET NOD32 Antivirus.
>
> http://www.eset.com
>
>

Information from ESET NOD32 Antivirus, version of virus signature database 4290 (20090730)

The message was checked by ESET NOD32 Antivirus.

http://www.eset.com