Creating a filter driver

Yosuke · June 14, 2005, 3:09pm

We are trying to make a WDM filter driver for Win XP that will intercept
read and write data from and into a disk drive.

What we did first was to try to make a Hock routine for IRP_MJ_READ creating
a new Irp as suggested somewhere in this list. The following example code
shows a sample function we are working on: A hock routine that
sweeps a new IRP(ipr2) in front of the original Irp passed by as
an argument.

we could not find an example code that gives us enough information
for implementing what we want to implement.

Our questions are:

Is there a good sample code available out there?
Our code shuts down the OS and makes it show a blue screen
with error messages:

Technical information
***stop: 0xC0000005, 0xF655ACE3, 0XF3D6AB0C, 0x00000000
Fastfat.sys Address F655ACE3 base at F655A000, Date stamp 3b7de38a

We cannot figure out how to set nextIrpStack. Could someone give us an
advice? also we are wondering if we need to handle the exit status
for the Irp passed by for such as pending, cancel, or normal status.
We very appreciate if someone could point problems out for us.

We are using DO_DIRECT_IO mode for the sample code.

Thanks in advance.

Yosuke

//----------------------------------------------------------------------
// DriverObject->MajorFunction[IRP_MJ_READ] = Hock2x2;
// Hock2x2
//
// This routine is the main hook routine for IRP_MJ_READ !
//
//----------------------------------------------------------------------
NTSTATUS
Hock2x2(
PDEVICE_OBJECT HookDevice,
IN PIRP Irp
)
{
PIO_STACK_LOCATION currentIrpStack;
PIO_STACK_LOCATION nextIrpStack;
PHOOK_EXTENSION hookExt;
NTSTATUS sts;
KEVENT event;
IO_STATUS_BLOCK iosb;
PDEVICE_OBJECT topOfStack;
PIRP irp2;
PUCHAR addr;
PUCHAR addr2;

currentIrpStack = IoGetCurrentIrpStackLocation(Irp);
nextIrpStack = IoGetNextIrpStackLocation(Irp);
hookExt = HookDevice->DeviceExtension;
sts = STATUS_SEVERITY_ERROR;

if( hookExt->Hooked ) {
switch( currentIrpStack->MajorFunction ) {
case IRP_MJ_READ:

KeInitializeEvent(&event,
SynchronizationEvent/*NotificationEvent??*/, FALSE);
topOfStack = IoGetAttachedDeviceReference(HookDevice);

addr2 = ExAllocatePoolWithTag( NonPagedPool ,

currentIrpStack->Parameters.Read.Length,
‘tLcK’ );
if( addr2==NULL ) {
break;
}

irp2 = IoBuildSynchronousFsdRequest( IRP_MJ_READ,
topOfStack,
addr2,

currentIrpStack->Parameters.Read.Length,

&currentIrpStack->Parameters.Read.ByteOffset,
&event,
&iosb);

if( irp2==NULL ) {
break;
}

//currentIrpStack = IoGetCurrentIrpStackLocation(irp2);
*nextIrpStack = *currentIrpStack;

sts = IoCallDriver( hookExt->FileSystem, irp2 );
if( sts==STATUS_SUCCESS ) {
// DO_DIRECT_IO mode only !!!
addr = MmGetSystemAddressForMdlSafe(Irp->MdlAddress,
NormalPagePriority);
RtlCopyMemory( addr, addr2,
currentIrpStack->Parameters.Read.Length );
}

ExFreePool(addr2); // Free
addr2 = 0;
ObDereferenceObject(topOfStack); // Free
topOfStack = 0;

break;

default:
*nextIrpStack = *currentIrpStack;
sts = IoCallDriver( hookExt->FileSystem, Irp );
break;
}
}

return( sts );
}

David_J_Craig · June 14, 2005, 6:03pm

Wrong newsgroup. WDM belongs in ntdev or
microsoft.public.development.device.drivers. WDM is reserved for those
drivers that need 98 & ME compatibility. You just need a standard NT
driver. It must handle power and PnP as required by the stack you want to
intercept. You could be a lower filter to disk.sys or you can try filtering
the various mass storage stacks from SCSI, ATAPI, 1394, USB, iSCSI, etc.

“yamamoto yosuke” wrote in message news:xxxxx@ntfsd…
> We are trying to make a WDM filter driver for Win XP that will intercept
> read and write data from and into a disk drive.
>
> What we did first was to try to make a Hock routine for IRP_MJ_READ
> creating
> a new Irp as suggested somewhere in this list. The following example code
> shows a sample function we are working on: A hock routine that
> sweeps a new IRP(ipr2) in front of the original Irp passed by as
> an argument.
>
> we could not find an example code that gives us enough information
> for implementing what we want to implement.
>
> Our questions are:
>
> 1) Is there a good sample code available out there?
>
> 2) Our code shuts down the OS and makes it show a blue screen
> with error messages:
>
> Technical information
> ***stop: 0xC0000005, 0xF655ACE3, 0XF3D6AB0C, 0x00000000
> Fastfat.sys Address F655ACE3 base at F655A000, Date stamp 3b7de38a
>
> We cannot figure out how to set nextIrpStack. Could someone give us an
> advice? also we are wondering if we need to handle the exit status
> for the Irp passed by for such as pending, cancel, or normal status.
> We very appreciate if someone could point problems out for us.
>
> We are using DO_DIRECT_IO mode for the sample code.
>
> Thanks in advance.
>
> Yosuke
>
>
>
> //----------------------------------------------------------------------
> // DriverObject->MajorFunction[IRP_MJ_READ] = Hock2x2;
> // Hock2x2
> //
> // This routine is the main hook routine for IRP_MJ_READ !
> //
> //----------------------------------------------------------------------
> NTSTATUS
> Hock2x2(
> PDEVICE_OBJECT HookDevice,
> IN PIRP Irp
> )
> {
> PIO_STACK_LOCATION currentIrpStack;
> PIO_STACK_LOCATION nextIrpStack;
> PHOOK_EXTENSION hookExt;
> NTSTATUS sts;
> KEVENT event;
> IO_STATUS_BLOCK iosb;
> PDEVICE_OBJECT topOfStack;
> PIRP irp2;
> PUCHAR addr;
> PUCHAR addr2;
>
> currentIrpStack = IoGetCurrentIrpStackLocation(Irp);
> nextIrpStack = IoGetNextIrpStackLocation(Irp);
> hookExt = HookDevice->DeviceExtension;
> sts = STATUS_SEVERITY_ERROR;
>
> if( hookExt->Hooked ) {
> switch( currentIrpStack->MajorFunction ) {
> case IRP_MJ_READ:
>
> KeInitializeEvent(&event,
> SynchronizationEvent/NotificationEvent??/, FALSE);
> topOfStack = IoGetAttachedDeviceReference(HookDevice);
>
> addr2 = ExAllocatePoolWithTag( NonPagedPool ,
>
> currentIrpStack->Parameters.Read.Length,
> ‘tLcK’ );
> if( addr2==NULL ) {
> break;
> }
>
> irp2 = IoBuildSynchronousFsdRequest( IRP_MJ_READ,
> topOfStack,
> addr2,
>
> currentIrpStack->Parameters.Read.Length,
>
> &currentIrpStack->Parameters.Read.ByteOffset,
> &event,
> &iosb);
>
> if( irp2==NULL ) {
> break;
> }
>
> //currentIrpStack = IoGetCurrentIrpStackLocation(irp2);
> *nextIrpStack = *currentIrpStack;
>
> sts = IoCallDriver( hookExt->FileSystem, irp2 );
> if( sts==STATUS_SUCCESS ) {
> // DO_DIRECT_IO mode only !!!
> addr = MmGetSystemAddressForMdlSafe(Irp->MdlAddress,
> NormalPagePriority);
> RtlCopyMemory( addr, addr2,
> currentIrpStack->Parameters.Read.Length );
> }
>
> ExFreePool(addr2); // Free
> addr2 = 0;
> ObDereferenceObject(topOfStack); // Free
> topOfStack = 0;
>
> break;
>
> default:
> *nextIrpStack = *currentIrpStack;
> sts = IoCallDriver( hookExt->FileSystem, Irp );
> break;
> }
> }
>
> return( sts );
> }
>
>
>

OSR_Community_User · June 15, 2005, 2:30am

Write the proper FS filter instead.

Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
xxxxx@storagecraft.com
http://www.storagecraft.com

----- Original Message -----
From: “yamamoto yosuke”
To: “Windows File Systems Devs Interest List”
Sent: Tuesday, June 14, 2005 11:08 PM
Subject: [ntfsd] Creating a filter driver

> We are trying to make a WDM filter driver for Win XP that will intercept
> read and write data from and into a disk drive.
>
> What we did first was to try to make a Hock routine for IRP_MJ_READ creating
> a new Irp as suggested somewhere in this list. The following example code
> shows a sample function we are working on: A hock routine that
> sweeps a new IRP(ipr2) in front of the original Irp passed by as
> an argument.
>
> we could not find an example code that gives us enough information
> for implementing what we want to implement.
>
> Our questions are:
>
> 1) Is there a good sample code available out there?
>
> 2) Our code shuts down the OS and makes it show a blue screen
> with error messages:
>
> Technical information
> ***stop: 0xC0000005, 0xF655ACE3, 0XF3D6AB0C, 0x00000000
> Fastfat.sys Address F655ACE3 base at F655A000, Date stamp 3b7de38a
>
> We cannot figure out how to set nextIrpStack. Could someone give us an
> advice? also we are wondering if we need to handle the exit status
> for the Irp passed by for such as pending, cancel, or normal status.
> We very appreciate if someone could point problems out for us.
>
> We are using DO_DIRECT_IO mode for the sample code.
>
> Thanks in advance.
>
> Yosuke
>
>
>
> //----------------------------------------------------------------------
> // DriverObject->MajorFunction[IRP_MJ_READ] = Hock2x2;
> // Hock2x2
> //
> // This routine is the main hook routine for IRP_MJ_READ !
> //
> //----------------------------------------------------------------------
> NTSTATUS
> Hock2x2(
> PDEVICE_OBJECT HookDevice,
> IN PIRP Irp
> )
> {
> PIO_STACK_LOCATION currentIrpStack;
> PIO_STACK_LOCATION nextIrpStack;
> PHOOK_EXTENSION hookExt;
> NTSTATUS sts;
> KEVENT event;
> IO_STATUS_BLOCK iosb;
> PDEVICE_OBJECT topOfStack;
> PIRP irp2;
> PUCHAR addr;
> PUCHAR addr2;
>
> currentIrpStack = IoGetCurrentIrpStackLocation(Irp);
> nextIrpStack = IoGetNextIrpStackLocation(Irp);
> hookExt = HookDevice->DeviceExtension;
> sts = STATUS_SEVERITY_ERROR;
>
> if( hookExt->Hooked ) {
> switch( currentIrpStack->MajorFunction ) {
> case IRP_MJ_READ:
>
> KeInitializeEvent(&event,
> SynchronizationEvent/NotificationEvent??/, FALSE);
> topOfStack = IoGetAttachedDeviceReference(HookDevice);
>
> addr2 = ExAllocatePoolWithTag( NonPagedPool ,
>
> currentIrpStack->Parameters.Read.Length,
> ‘tLcK’ );
> if( addr2==NULL ) {
> break;
> }
>
> irp2 = IoBuildSynchronousFsdRequest( IRP_MJ_READ,
> topOfStack,
> addr2,
>
> currentIrpStack->Parameters.Read.Length,
>
> &currentIrpStack->Parameters.Read.ByteOffset,
> &event,
> &iosb);
>
> if( irp2==NULL ) {
> break;
> }
>
> //currentIrpStack = IoGetCurrentIrpStackLocation(irp2);
> *nextIrpStack = *currentIrpStack;
>
> sts = IoCallDriver( hookExt->FileSystem, irp2 );
> if( sts==STATUS_SUCCESS ) {
> // DO_DIRECT_IO mode only !!!
> addr = MmGetSystemAddressForMdlSafe(Irp->MdlAddress,
> NormalPagePriority);
> RtlCopyMemory( addr, addr2,
> currentIrpStack->Parameters.Read.Length );
> }
>
> ExFreePool(addr2); // Free
> addr2 = 0;
> ObDereferenceObject(topOfStack); // Free
> topOfStack = 0;
>
> break;
>
> default:
> *nextIrpStack = *currentIrpStack;
> sts = IoCallDriver( hookExt->FileSystem, Irp );
> break;
> }
> }
>
> return( sts );
> }
>
>
>
> —
> Questions? First check the IFS FAQ at
https://www.osronline.com/article.cfm?id=17
>
> You are currently subscribed to ntfsd as: xxxxx@storagecraft.com
> To unsubscribe send a blank email to xxxxx@lists.osr.com