Hi, everybody!
I want to get the correct Vpb.
sfilter and filespy get the Vpb on
IRP_MJ_FILE_SYSTEM_CONTROL/IRP_MN_MOUNT_VOLUME, where the system sends the
correct Vpb.
My questions are as follows:
- After all FSDs are loaded, I load my filter driver manually. My filter
driver will not receive IRP_MJ_FILE_SYSTEM_CONTROL/IRP_MN_MOUNT_VOLUME,
right?
- If I cannot receive IRP_MJ_FILE_SYSTEM_CONTROL, how can I get the
Vpb correctly?
My method is:
a) ZwCreateFile("C:",…) -> get filehandle
b) ObReferenceObjectByHandle(filehandle,…) -> get fileobject
c) IoGetRelatedDeviceObject(fileobject,…) -> get filedevobject
I want to use filedevobject->vpb, but the value of filedevobject->vpb is
NULL.
So I use fileobject->vpb. fileobject->vpb isn't NULL, but when I use it to
get filedevobject->vpb->realdevice, a BSOD occurs.
So how can I get the correct VPB?
I hope someone can help me! Thanks!