In my mini-filter I need to lock a file previously opened with FltCreateFile and just want make sure I’m doing it properly. I need this to work on Windows 2003 and 2008 so it would appear a simple call to ZwLockFile is not going to work.
From what I’ve gleaned from the docs and searching the forum (mostly www.osronline.com/ShowThread.cfm?link=145416), looks like I have to 1) roll my own IRP, but it was unclear to me whether 2) generating a callback data struct and calling FltPerformSynchronousIo might also work on 2003/2008.
You will have to roll your own IRP, since unfortunately
FltPerformSynchronousIo is dumb enough to operate on a subset of the
requests that could be handled and the subset is a subset of those calls
that FltXXX support themselves. Be aware that you are bypassing the
rest of the mini-filter stack, and in general heading into areas that
are discouraged.
It is requirements like this that cause me to tell people there is still
reasons to develop new legacy file filters. Unfortunately Microsoft
does not seem inclined to back port the capabilities to the mini-filters
for older OS’es.
-----Original Message-----
From: xxxxx@yahoo.com [mailto:xxxxx@yahoo.com]
Posted At: Wednesday, July 21, 2010 4:17 PM
Posted To: ntfsd
Conversation: Correct/Easiest way to lock file in FS mini-filter
Subject: Correct/Easiest way to lock file in FS mini-filter
In my mini-filter I need to lock a file previously opened with
FltCreateFile
and just want make sure I’m doing it properly. I need this to work on
Windows
2003 and 2008 so it would appear a simple call to ZwLockFile is not
going to
work.
From what I’ve gleaned from the docs and searching the forum (mostly www.osronline.com/ShowThread.cfm?link=145416), looks like I have to 1)
roll my
own IRP, but it was unclear to me whether 2) generating a callback
data struct
and calling FltPerformSynchronousIo might also work on 2003/2008.
Which is the best way to go, 1 or 2?
Thanks.
__________ Information from ESET Smart Security, version of virus
signature
database 5299 (20100721) __________
I’m not sure that rolling your own IRP would necessarily bypass the rest of
the minifilter stack if the request is a for a file that was opened by the
minifilter using FltCreateFile (like the OP indicates). If targeted properly
(by that I mean at the DEVICE_OBJECT where the minifilter is rather than at
the next device), I think that filter manager should be able to pick up its
targeting information for the FILE_OBJECT and show it to the right
minifilters.
Trust me, the next driver that see’s your IRP is not going to be
anything with a mini-filter. Been there done that, and had to tell a
customer at least once to scrap the minifilter.
-----Original Message-----
From: Alex Carp [mailto:xxxxx@gmail.com]
Posted At: Wednesday, July 21, 2010 4:59 PM
Posted To: ntfsd
Conversation: Correct/Easiest way to lock file in FS mini-filter
Subject: RE: Correct/Easiest way to lock file in FS mini-filter
Hi Don,
I’m not sure that rolling your own IRP would necessarily bypass the
rest of
the minifilter stack if the request is a for a file that was opened by
the
minifilter using FltCreateFile (like the OP indicates). If targeted
properly
(by that I mean at the DEVICE_OBJECT where the minifilter is rather
than at
the next device), I think that filter manager should be able to pick
up its
targeting information for the FILE_OBJECT and show it to the right
minifilters.
Have you tried that and found it didn’t work ?
Thanks,
Alex.
__________ Information from ESET Smart Security, version of virus
signature
database 5299 (20100721) __________
Thanks for the info guys. I figured I’d probably have to do this the hard way. Any more my so-called “mini-filter” looks more and more like a full blown old-school NT driver. Probably would have been better off just writing a legacy filter.
If you don’t mind my asking, are you saying that *all* filter rolled IRPs will not be seen by filters on the stack to which the IRP is being dispatched to? Or just IRP_MJ_LOCKCONTROL? I only ask because it sounds like you’ve researched this, and for whatever reason I can’t seem to find any of your related posts on this topic.
Just so we’re on the same page, consider the following pseudocode:
// Open file.
PFILE_OBJECT pFileObject;
FltCreateFileEx( …, &pFileObject,…)
// Fetch top of device stack for this file.
DeviceObject = IoGetRelatedDeviceObject( pFileObject );
.
.
rp = IoAllocateIrp();
.
. // populate IRP members and dispatch to device stack.
.
IoCallDriver( DeviceObject, Irp );
Why wouldn’t any mini filters on the stack for pFileObject receive this IRP?