Can't logon workstation after enabling file read during IRP_MJ_CREATE

Hi,

My filter will read file content during the MJ_CREATE, only when this
creation returns successfully from the lower driver. After the IoCallDriver
returned, sending a new IRP built with IoBuildSynchronousFsdRequest will
cause winlogon to report that the domain (actually the local machine) can’t be
accessed. If the internal routine InternalReadFile is simply skipped,
everything is OK.

What’s wrong with winlogon? At this time, my filter hooks all files’
creations.

I'd appreciate any advice,

Xinwei

NTSTATUS
InternalReadFile(
    IN PDEVICE_OBJECT DeviceObject,
    IN PFILE_OBJECT FileObject,
    OUT PVOID Buffer,
    IN ULONG Length,
    IN PLARGE_INTEGER StartingOffset
    )
{
    PIRP irpRead;
    KEVENT syncevent;
    NTSTATUS status;
    IO_STATUS_BLOCK iostatus;
    PIO_STACK_LOCATION pIrpStackNext;
    PDEVICE_OBJECT pLowerDriver;

    /* The read goes to the device this filter is attached to. */
    pLowerDriver =
        ((PDeviceExtension)(DeviceObject->DeviceExtension))->TargetDeviceObject;

    RtlZeroMemory( &iostatus, sizeof( iostatus ) );

    KeInitializeEvent( &syncevent, SynchronizationEvent, FALSE );

    /* Build a read IRP that signals syncevent when it completes. */
    irpRead = IoBuildSynchronousFsdRequest(
                  IRP_MJ_READ,
                  pLowerDriver,
                  Buffer,
                  Length,
                  StartingOffset,
                  &syncevent,
                  &iostatus );

    if( irpRead ){

        /* Attach the file object from the create to the lower driver's stack location. */
        pIrpStackNext = IoGetNextIrpStackLocation( irpRead );

        pIrpStackNext->FileObject = FileObject;

        status = IoCallDriver( pLowerDriver, irpRead );

        /* If the lower driver pended the IRP, wait for it and take the final status. */
        if( STATUS_PENDING == status ){

            KeWaitForSingleObject( &syncevent, Executive, KernelMode, FALSE, NULL );
            status = iostatus.Status;
        }
    }else{
        status = STATUS_INSUFFICIENT_RESOURCES;
    }

    return status;
}

More info about this error:

Some creations will return STATUS_SHARING_VIOLATION, and there are also some
creations that fail with the STATUS_NO_SUCH_LOGON_SESSION error.

Does the internal read operation hold a reference to the file object?

Thanks in advance.

Hi SXW,

Are you filtering the network redirector (Lanman)?

If yes, you cannot read from special files - <server>\PIPE\xxx, …,
<server>\IPC$ and so on.
Such reads violate protocols between server and client.

Petr Borsodi
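
A guard for the case described in the reply above, as an added example that is not part of the thread or of either poster's driver: portable C that decides from the opened name whether a filter should skip its own read. The `name_t` type, `make_name`, `must_skip_read`, the `on_redirector` flag and the `\server\component\...` name layout are assumptions of this sketch; in a driver the name would come from the file object and the flag from the device the filter is attached to.

```c
#include <stddef.h>
#include <wchar.h>
#include <wctype.h>

/* Stand-in for a kernel UNICODE_STRING: counted, not NUL-terminated. */
typedef struct { const wchar_t *buf; size_t len; /* characters */ } name_t;

/* Build a name_t from a literal (used for the constructed samples). */
name_t make_name(const wchar_t *s) { name_t n = { s, wcslen(s) }; return n; }

/* Case-insensitive match of one path component against an upper-case keyword. */
static int component_is(const wchar_t *p, size_t n, const wchar_t *kw)
{
    size_t i;
    if (wcslen(kw) != n)
        return 0;
    for (i = 0; i < n; i++)
        if (towupper((wint_t)p[i]) != (wint_t)kw[i])
            return 0;
    return 1;
}

/* Returns 1 when the filter must not issue its own read: the file is on a
 * network redirector and the component after the server is PIPE or IPC$.
 * Assumes names of the form \server\component\... (assumption of this sketch). */
int must_skip_read(name_t name, int on_redirector)
{
    size_t i = 0, start;

    if (!on_redirector)
        return 0;                   /* local volume: not the case in the reply */
    while (i < name.len && name.buf[i] == L'\\') i++;   /* leading separators */
    while (i < name.len && name.buf[i] != L'\\') i++;   /* server component   */
    while (i < name.len && name.buf[i] == L'\\') i++;   /* separator          */
    start = i;
    while (i < name.len && name.buf[i] != L'\\') i++;   /* second component   */
    return component_is(name.buf + start, i - start, L"PIPE") ||
           component_is(name.buf + start, i - start, L"IPC$");
}

int main(void)
{
    /* Constructed sample names; "srv", "lsarpc" and "share" are placeholders. */
    int ok = must_skip_read(make_name(L"\\srv\\PIPE\\lsarpc"), 1) &&
             !must_skip_read(make_name(L"\\srv\\share\\doc.txt"), 1);
    return ok ? 0 : 1;
}
```

Only the component directly after the server is tested, so an ordinary file that merely sits in a directory named PIPE on a share is still read.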
