diskperf.sys IRP_MJ_FLUSH_BUFFER question !

NTFSD
1

In diskperf.sys , I find IRP_MJ_FLUSH_BUFFER hava fileobject info

so , I want to get this file’s cluster info by fileobject in diskperf.sys

my code:

NTSTATUS func_Status = STATUS_SUCCESS ;

PIRP pirp_MyIRP = NULL ;
PDEVICE_OBJECT pdevobj_DeviceObject = NULL ;
KEVENT kevent_Event ;
IO_STATUS_BLOCK struct_ioStatus ;
PSTRUCT_FILE_BCB pstruct_FileBcb = NULL ;

STARTING_VCN_INPUT_BUFFER struct_StartVCN ;
PRETRIEVAL_POINTERS_BUFFER pstruct_RetrieVAL = NULL ;

ULONG ulong_IRPBufferSize = 0 ;

KeInitializeEvent(&kevent_Event,
NotificationEvent,
FALSE) ;

pstruct_FileBcb = (PSTRUCT_FILE_BCB)pfileobj_param_File->SectionObjectPointer->SharedCacheMap ;

ulong_IRPBufferSize = (ULONG)(sizeof(RETRIEVAL_POINTERS_BUFFER)+(pstruct_FileBcb->FileSize.QuadPart/g_ulong_BytePerCluster)*sizeof(pstruct_RetrieVAL->Extents)) ;

pdevobj_DeviceObject = pfileobj_param_File->DeviceObject ;

pstruct_RetrieVAL = (PRETRIEVAL_POINTERS_BUFFER)ExAllocatePoolWithTag(NonPagedPool,
ulong_IRPBufferSize,
DISKPERF_POOLTAG) ;
RtlZeroMemory(pstruct_RetrieVAL, ulong_IRPBufferSize) ;

#define FSCTL_GET_RETRIEVAL_POINTERS CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 28, METHOD_NEITHER, FILE_ANY_ACCESS)

pirp_MyIRP = IoBuildDeviceIoControlRequest(FSCTL_GET_RETRIEVAL_POINTERS,
pdevobj_DeviceObject,
&struct_StartVCN,
sizeof(struct_StartVCN),
pstruct_RetrieVAL,
ulong_IRPBufferSize,
FALSE,
&kevent_Event,
&struct_ioStatus) ;

but is always faild . file’s start cluster is 0 ,

2

> In diskperf.sys , I find IRP_MJ_FLUSH_BUFFER hava fileobject info

so , I want to get this file’s cluster info by fileobject in diskperf.sys

You are doing weird things!

pstruct_FileBcb =
(PSTRUCT_FILE_BCB)pfileobj_param_File->SectionObjectPointer->SharedCacheMap
;

I suspect that you found FileObject initialized by a FSD for a removable
drive’s volume or a regular data stream FileObject which has not been set to
NULL by FSD when it reused Irp to initiate the disk flushing as a response
to some operation, e.g. see FatHijackIrpAndFlushDevice.

If the found file object had been initialized either by Raw FSD or by PDO’s
driver ( look at file object’s or device’s VPB! ) you would have received a
BSOD.

You cast SharedCacheMap to PSTRUCT_FILE_BCB( where did you get it?), it is
absolutely wrong!
Why do you try to use ReactOS structures and algorithms for Windows kernel?!
SharedCacheMap is an internal structure.

pirp_MyIRP = IoBuildDeviceIoControlRequest(FSCTL_GET_RETRIEVAL_POINTERS,
pdevobj_DeviceObject,
&struct_StartVCN,
sizeof(struct_StartVCN),
pstruct_RetrieVAL,
ulong_IRPBufferSize,
FALSE,
&kevent_Event,
&struct_ioStatus) ;

Even if you somehow managed to find a file object opened by a FSD mounted to
a volume you sent the request not to the FSD but to the volume.


Slava Imameyev, xxxxx@hotmail.com

<pliceman_110> wrote in message news:xxxxx@ntfsd…
> In diskperf.sys , I find IRP_MJ_FLUSH_BUFFER hava fileobject info
>
> so , I want to get this file’s cluster info by fileobject in diskperf.sys
>
> my code:
>
> NTSTATUS func_Status = STATUS_SUCCESS ;
>
> PIRP pirp_MyIRP = NULL ;
> PDEVICE_OBJECT pdevobj_DeviceObject = NULL ;
> KEVENT kevent_Event ;
> IO_STATUS_BLOCK struct_ioStatus ;
> PSTRUCT_FILE_BCB pstruct_FileBcb = NULL ;
>
> STARTING_VCN_INPUT_BUFFER struct_StartVCN ;
> PRETRIEVAL_POINTERS_BUFFER pstruct_RetrieVAL = NULL ;
>
> ULONG ulong_IRPBufferSize = 0 ;
>
> KeInitializeEvent(&kevent_Event,
> NotificationEvent,
> FALSE) ;
>
> pstruct_FileBcb =
> (PSTRUCT_FILE_BCB)pfileobj_param_File->SectionObjectPointer->SharedCacheMap
> ;
>
> ulong_IRPBufferSize =
> (ULONG)(sizeof(RETRIEVAL_POINTERS_BUFFER)+(pstruct_FileBcb->FileSize.QuadPart/g_ulong_BytePerCluster)*sizeof(pstruct_RetrieVAL->Extents))
> ;
>
> pdevobj_DeviceObject = pfileobj_param_File->DeviceObject ;
>
> pstruct_RetrieVAL =
> (PRETRIEVAL_POINTERS_BUFFER)ExAllocatePoolWithTag(NonPagedPool,
> ulong_IRPBufferSize,
> DISKPERF_POOLTAG) ;
> RtlZeroMemory(pstruct_RetrieVAL, ulong_IRPBufferSize) ;
>
> #define FSCTL_GET_RETRIEVAL_POINTERS CTL_CODE(FILE_DEVICE_FILE_SYSTEM,
> 28, METHOD_NEITHER, FILE_ANY_ACCESS)
>
> pirp_MyIRP = IoBuildDeviceIoControlRequest(FSCTL_GET_RETRIEVAL_POINTERS,
> pdevobj_DeviceObject,
> &struct_StartVCN,
> sizeof(struct_StartVCN),
> pstruct_RetrieVAL,
> ulong_IRPBufferSize,
> FALSE,
> &kevent_Event,
> &struct_ioStatus) ;
>
>
> but is always faild . file’s start cluster is 0 ,
>
>
></pliceman_110>