Doubts in Shadow Device implementation

Hi,

While implementing the ‘shadow device’ feature in my filter driver, I am
having some doubts. While creating a shadow device for each volume, do
I need to attach the shadow device above the hook device object which
I have created for a specific volume? (If yes, can you send some
comments on the following steps for creating a shadow device for each
volume?)

Consider the case where we are hooking the C:\ volume

1: Getting the Device object of C:\ volume

pDeviceObject = IoGetRelatedDeviceObject(pFileObject);

2: Create a hook device object to attach with C:\ volume

IoCreateDevice(pDriverObject,
               sizeof(AV_DEVICE_EXTENSION),
               NULL,
               pDeviceObject->DeviceType,
               pDeviceObject->Characteristics,
               FALSE,
               &pHookDevice);

3: Create a shadow device with name as “ShadowDevice_C”

IoCreateDevice(pDriverObject,
               sizeof(AV_DEVICE_EXTENSION),
               strShadowDeviceName,
               pDeviceObject->DeviceType,
               pDeviceObject->Characteristics,
               FALSE,
               &pShadowDevice);

4: Adjust the StackSize of the shadow device

pShadowDevice -> StackSize = pHookDevice -> StackSize + 1;

5: Attach the hook device to the C:'s device object

IoAttachDeviceToDeviceStack(pHookDevice, pDeviceObject);

6: Attach the shadow device above the hook device

IoAttachDeviceToDeviceStack(pShadowDevice, pHookDevice);

Without creating a shadow device, is it possible to develop a filter
driver which blocks IRP_MJ_CREATE requests for a specific file extension?

Thanks & Regards
SivaRaja

CROSS POST ALERT


First of all, you should have posted this in NTFSD.

— raja raja wrote:
> While implementing the ‘shadow device’ feature in my filter driver, I am
> having some doubts. While creating a shadow device for each volume, do
> I need to attach the shadow device above the hook device object which
> I have created for a specific volume? (If yes, can you send some
> comments on the following steps for creating a shadow device for each
> volume?)

The shadow device does not attach itself to any device
(by using IoAttachDeviceToDeviceStack). The shadow
device simply takes the requests it receives and
forwards them to a specific device in the device
stack. This device could be the one your normal FS
filter attached to. Shadow devices are mainly used to
avoid re-entrancy.

Try re-reading the IFS FAQ and OSR Online articles on
shadow devices. Also take a look over the NTFSD
archives and you’ll find all the information you need
to understand how shadow devices are created and used.

> Without creating a shadow device, is it possible to develop a filter
> driver which blocks IRP_MJ_CREATE requests for a specific file extension?

Yes, it is possible without creating a shadow device.

Best regards,
Razvan

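An added example, not part of the thread and not code from any poster: the extension decision that a create-blocking filter needs, written as portable C so it can be tested outside the kernel. `COUNTED_NAME` is an assumed stand-in for `UNICODE_STRING`, and `name_has_blocked_ext` is a hypothetical helper name.

```c
#include <stddef.h>
#include <stdint.h>

/* Stand-in for the kernel's UNICODE_STRING (assumption for this example):
   Length is in bytes and Buffer is NOT guaranteed to be NUL-terminated. */
typedef struct {
    uint16_t        Length;   /* bytes, not characters */
    const uint16_t *Buffer;   /* UTF-16 code units */
} COUNTED_NAME;

/* ASCII-only lower-casing; enough for extensions such as "exe". */
static uint16_t lower16(uint16_t c)
{
    return (c >= 'A' && c <= 'Z') ? (uint16_t)(c + ('a' - 'A')) : c;
}

/* Hypothetical helper: returns 1 if the final path component of `name`
   has extension `ext` (given without the dot), else 0. */
int name_has_blocked_ext(const COUNTED_NAME *name, const char *ext)
{
    size_t n, start = 0, end, dot, i, k;

    if (!name || !name->Buffer || !ext || !*ext)
        return 0;
    n = name->Length / sizeof(uint16_t);

    /* 1. Isolate the final component so "\dir.exe\readme" does not match. */
    for (i = 0; i < n; i++)
        if (name->Buffer[i] == '\\')
            start = i + 1;

    /* 2. Cut at the first ':' so a stream suffix ("a.exe:s", "a.exe::$DATA")
          does not hide the extension from the check. */
    for (end = start; end < n && name->Buffer[end] != ':'; end++)
        ;

    /* 3. Locate the last '.' inside [start, end). */
    for (dot = end; dot > start && name->Buffer[dot - 1] != '.'; dot--)
        ;
    if (dot == start)
        return 0;                       /* no extension at all */

    /* 4. Case-insensitive compare of name[dot..end) against ext. */
    for (i = dot, k = 0; i < end && ext[k]; i++, k++)
        if (lower16(name->Buffer[i]) != lower16((unsigned char)ext[k]))
            return 0;
    return i == end && ext[k] == '\0';
}
```

In a driver the same logic would run in the IRP_MJ_CREATE dispatch routine against the file object's `FileName`, with the request completed with a failure status on a match. Names that are relative to another file object, and opens that carry no name at all, need separate handling that this example does not cover.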