Differentiate between file and dir!

Hi,
I wrote a file system filter driver for NTFS and hooked the read and
write operations (IRP_MJ_READ & IRP_MJ_WRITE). During these operations, I
want to know whether the request is for a file or a dir. I queried the lower
file system to find out the attribute by sending an IRP. It works fine
initially; however, the system hangs after a while. I couldn’t get the reply
from the lower file system about the IRP query. I used similar code from
filemon, which queries the filename from the lower file system.

  1. Can I block in read and write operations to query the lower file system
    for the attribute?
    What is the possible reason that caused the system to hang?

  2. Is there a simple way to get the file attribute in the read and write
    operations without querying the lower file system?

I tried another approach in IRP_MJ_CREATE. After IRP_MJ_CREATE successfully
completed in the dispatch routine, I sent the query IRP to get the file
attribute of the File Object. Then I stored the File Object and attribute in
memory, so that I can look up its attribute based on the File Object in
the read and write operations. However, I noticed that some File Objects do
not appear in the IRP_MJ_CREATE call, especially the creation of temporary
files and some dir opens. So I am not able to do the lookup successfully.

  1. I thought the File Object is created only in the IRP_MJ_CREATE routine,
    so all other IRPs (including IRP_MJ_READ and IRP_MJ_WRITE) use these File
    Objects created in the create call. Am I right?

Thank you for any information!

Regards,
Sin Lam
xxxxx@krdl.org.sg


You are currently subscribed to ntfsd as: $subst(‘Recip.EmailAddr’)
To unsubscribe send a blank email to leave-ntfsd-$subst(‘Recip.MemberIDChar’)@lists.osr.com

Hi,

Sounds like a common problem:

  1. Can I block in read and write operations to query the lower file system
    for the attribute? What is the possible reason that caused the system to hang?

If the IRP_PAGING_IO or IRP_SYNCHRONOUS_PAGING_IO flags are set in the Irp.
You can query if these aren’t set. The hang is certain with these, though
not in every case.

  2. Is there a simple way to get the file attribute in the read and write
    operations without querying the lower file system?

Not that I know of - except saving the flag in Create.

  1. I thought the File Object is created only in the IRP_MJ_CREATE routine,
    so all other IRPs (including IRP_MJ_READ and IRP_MJ_WRITE) use these File
    Objects created in the create call. Am I right?

I don’t know where exactly, but you will see many calls for a file object
even without the IRP_MJ_CREATE.
What you can do for your problem, is hash the IsDirectory flag, and have the
filter query ONLY for files that are not in the hash table. Of course, if the
file is not in the hash table, and the Irp->Flags has (IRP_PAGING_IO |
IRP_SYNCHRONOUS_PAGING_IO) set, don’t call the FS, otherwise you will also get a
hang.


Kind regards, Dejan M. CEO Alfa Co. www.alfasp.com
E-mail: xxxxx@alfasp.com
ICQ#: 56570367
Professional file&system related components and libraries for Win32 developers.
Alfa File Monitor - #1 file monitoring system for Win32 developers.
Alfa File Protector - #1 file protection and hiding system for Win32 developers.
Alfa Units - #1 file and system handling units for Delphi.
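
The cache-then-query rule from the reply above, as an added user-mode C model that is not part of either message and is not driver code. The two flag values are the ones defined in wdm.h; `fake_fo`, `classify`, `forget` and the table layout are hypothetical, and dropping the entry on close is an assumption added here so that a reused file object address cannot return a stale answer.

```c
/* User-mode model only. Flag values are from wdm.h; every other name is hypothetical. */
#include <stddef.h>
#include <stdint.h>
#define IRP_PAGING_IO             0x00000002
#define IRP_SYNCHRONOUS_PAGING_IO 0x00000040
#define SLOTS 64                                   /* power of two, demo-sized */

typedef enum { KIND_UNKNOWN, KIND_FILE, KIND_DIR } kind_t;
typedef struct { int is_dir; } fake_fo;            /* stand-in for FILE_OBJECT */
typedef struct { const fake_fo *fo; kind_t kind; } slot_t;
static slot_t table[SLOTS];
static int queries_sent;                           /* simulated queries to the lower FS */

/* Linear probing: returns the slot holding fo, or the first empty slot. */
static slot_t *find(const fake_fo *fo) {
    size_t i = ((uintptr_t)fo >> 2) & (SLOTS - 1);
    for (size_t n = 0; n < SLOTS; n++, i = (i + 1) & (SLOTS - 1))
        if (table[i].fo == fo || table[i].fo == NULL) return &table[i];
    return NULL;                                   /* table full: result is not cached */
}

/* Stand-in for the synchronous attribute query sent down the stack. */
static kind_t query_lower_fs(const fake_fo *fo) {
    queries_sent++;
    return fo->is_dir ? KIND_DIR : KIND_FILE;
}

/* Read/write path: answer from the cache; query only when it cannot hang. */
static kind_t classify(const fake_fo *fo, uint32_t irp_flags) {
    slot_t *s = find(fo);
    if (s && s->fo == fo && s->kind != KIND_UNKNOWN) return s->kind;
    if (irp_flags & (IRP_PAGING_IO | IRP_SYNCHRONOUS_PAGING_IO))
        return KIND_UNKNOWN;                       /* paging I/O: do not call the FS */
    kind_t k = query_lower_fs(fo);
    if (s) { s->fo = fo; s->kind = k; }
    return k;
}

/* Close path (assumption): mark the entry unknown so a reused address is re-queried. */
static void forget(const fake_fo *fo) {
    slot_t *s = find(fo);
    if (s && s->fo == fo) s->kind = KIND_UNKNOWN;
}

int main(void) {
    fake_fo file = {0};
    kind_t miss = classify(&file, 0), hit = classify(&file, IRP_PAGING_IO);
    forget(&file);
    return (miss == KIND_FILE && hit == KIND_FILE) ? 0 : 1;
}
```

A paging request for an uncached object returns `KIND_UNKNOWN`, so the caller needs a defined behaviour for that case, such as passing the request through unmodified.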

