Hi,
I have a question about attaching to another driver; my goal is to attach to an existing volume, such as C:, and monitor all the IRP_MJ_READ and IRP_MJ_CREATE IRPs.
Probably I am not getting the correct handle of C:\ (I am using “\DosDevices\C:\”),
because my driver crashes when IoAttachDeviceToDeviceStack is called.
Below is a part of the code which is supposed to be doing the actual attachment, so that
you can see how I am trying to achieve the functionality.

//attaches to DeviceName, such as "\\DosDevices\\C:\\"
PDEVICE_OBJECT AttachToDevice(IN PUNICODE_STRING DeviceName,
                              IN PDEVICE_OBJECT SourceDeviceObject)
{
    //target = the driver below
    //source = myself
    //attachedTo = the resulting object
    NTSTATUS status;
    PFILE_OBJECT TargetFileObject;
    PDEVICE_OBJECT TargetDeviceObject;
    PDEVICE_OBJECT AttachedToDeviceObject;

    DbgPrint("CALL AttachToDevice\n");
    KdBreakPoint();

    status=IoGetDeviceObjectPointer(DeviceName,
                                    FILE_READ_ATTRIBUTES, //FILE_ALL_ACCESS,
                                    &TargetFileObject,
                                    &TargetDeviceObject);

    if (!NT_SUCCESS(status))
    {
        //DbgPrint("FAIL AttachToDevice::IoGetDeviceObjectPointer %S\n", DeviceName);
        //returns further
    }
    else //pointer obtained, attach to device
    {
        AttachedToDeviceObject=IoAttachDeviceToDeviceStack(SourceDeviceObject,
                                                           TargetDeviceObject);

        ASSERTMSG("Could not attach to target",
                  AttachedToDeviceObject != NULL);
        if (AttachedToDeviceObject==NULL)
        {
            DbgPrint("FAIL AttachToDevice\n");
        }

        DbgPrint("SUCCESS AttachToDevice\n");
        return AttachedToDeviceObject;
    }

    return NULL;
}

Can someone point out the cause of the problem?
Hi!
What you need is a pointer to the filesystem device object: ZwCreateFile ->
ObReferenceObjectByHandle -> IoGetBaseFileSystemDeviceObject
Search the WDK-fsfilter-samples for the word “SpyIsAttachedToDeviceByName”
to see how to do that. Consider making a Mini-Filter.
Good luck
Frank
wrote news:xxxxx@ntfsd…
> Hi,
>
> I have a question about attaching to another driver; my goal is to attach
> to an existing volume, such as C:, and monitor all the IRP_MJ_READ and
> IRP_MJ_CREATE IRPs.
>
> Probably I am not getting the correct handle of C:\ (I am using
> “\DosDevices\C:\”),
> because my driver crashes when IoAttachDeviceToDeviceStack is called.
>
> Below is a part of the code which is supposed to be doing the actual
> attachment, so that
> you can see how I am trying to achieve the functionality.
>
> //attaches to DeviceName, such as "\\DosDevices\\C:\\"
> PDEVICE_OBJECT AttachToDevice(IN PUNICODE_STRING DeviceName,
>                               IN PDEVICE_OBJECT SourceDeviceObject)
> {
>     //target = the driver below
>     //source = myself
>     //attachedTo = the resulting object
>
>     NTSTATUS status;
>     PFILE_OBJECT TargetFileObject;
>     PDEVICE_OBJECT TargetDeviceObject;
>     PDEVICE_OBJECT AttachedToDeviceObject;
>
>     DbgPrint("CALL AttachToDevice\n");
>     KdBreakPoint();
>
>     status=IoGetDeviceObjectPointer(DeviceName,
>                                     FILE_READ_ATTRIBUTES, //FILE_ALL_ACCESS,
>                                     &TargetFileObject,
>                                     &TargetDeviceObject);
>
>     if (!NT_SUCCESS(status))
>     {
>         //DbgPrint("FAIL AttachToDevice::IoGetDeviceObjectPointer %S\n", DeviceName);
>         //returns further
>     }
>     else //pointer obtained, attach to device
>     {
>
>         AttachedToDeviceObject=IoAttachDeviceToDeviceStack(SourceDeviceObject,
>                                                            TargetDeviceObject);
>
>         ASSERTMSG("Could not attach to target",
>                   AttachedToDeviceObject != NULL);
>         if (AttachedToDeviceObject==NULL)
>         {
>             DbgPrint("FAIL AttachToDevice\n");
>
>         }
>
>         DbgPrint("SUCCESS AttachToDevice\n");
>         return AttachedToDeviceObject;
>     }
>
>     return NULL;
> }
>
>
>
> Can someone point out the cause of the problem?
>
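
The call chain named in the reply above (ZwCreateFile -> ObReferenceObjectByHandle -> IoGetBaseFileSystemDeviceObject), followed by the attach, as an added kernel-mode example that is not code from this thread or from the WDK samples. The function name AttachToVolumeByName and its parameters are assumptions; it assumes the caller runs at PASSIVE_LEVEL and has already created FilterDevice with IoCreateDevice.

```c
#include <ntifs.h>

/* Added example (hypothetical helper, not from the thread or the WDK samples).
 * VolumeName is a name such as L"\\DosDevices\\C:\\"; FilterDevice is the
 * caller's own device object. Must be called at PASSIVE_LEVEL. */
NTSTATUS AttachToVolumeByName(PUNICODE_STRING VolumeName,
                              PDEVICE_OBJECT FilterDevice,
                              PDEVICE_OBJECT *AttachedTo)
{
    OBJECT_ATTRIBUTES oa;
    IO_STATUS_BLOCK iosb;
    HANDLE volume = NULL;
    PFILE_OBJECT fileObject = NULL;
    PDEVICE_OBJECT fsDevice;
    NTSTATUS status;

    *AttachedTo = NULL;
    InitializeObjectAttributes(&oa, VolumeName,
                               OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE,
                               NULL, NULL);

    /* Step 1: open the volume root so the open is serviced by the file system. */
    status = ZwCreateFile(&volume, SYNCHRONIZE | FILE_READ_DATA, &oa, &iosb,
                          NULL, 0, FILE_SHARE_READ | FILE_SHARE_WRITE,
                          FILE_OPEN, FILE_SYNCHRONOUS_IO_NONALERT, NULL, 0);
    if (!NT_SUCCESS(status))
        return status;

    /* Step 2: convert the handle into a referenced FILE_OBJECT. */
    status = ObReferenceObjectByHandle(volume, FILE_READ_DATA, *IoFileObjectType,
                                       KernelMode, (PVOID *)&fileObject, NULL);
    if (NT_SUCCESS(status)) {
        /* Step 3: base device object of the file system stack for this file. */
        fsDevice = IoGetBaseFileSystemDeviceObject(fileObject);

        /* Mirror the target's buffering model before joining its stack. */
        FilterDevice->Flags |= fsDevice->Flags & (DO_BUFFERED_IO | DO_DIRECT_IO);

        /* The Safe variant reports failure as NTSTATUS and fills *AttachedTo. */
        status = IoAttachDeviceToDeviceStackSafe(FilterDevice, fsDevice, AttachedTo);
        if (NT_SUCCESS(status))
            FilterDevice->Flags &= ~DO_DEVICE_INITIALIZING;

        ObDereferenceObject(fileObject);   /* balance step 2 on every path */
    }
    ZwClose(volume);                       /* balance step 1 on every path */
    return status;
}
```

Every failure path returns an NTSTATUS with *AttachedTo left NULL, so the caller can check the result before forwarding any IRP to the lower device.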