Doubts in Shadow Device implementation

Hi,

while implementing ‘shadow device’ feature in my filter driver, i am
having some doubts. While creating shadow device for each volumes , Do
i need to attach the shadow device above the hook device object which
i have created for a specific volume ? ( If yes, can you send some
comment of following steps for creating shadow device for each
volumes? )

Consider the case , we are hooking C:\ volume

1: Getting the Device object of C:\ volume

pDeviceObject = IoGetRelatedDeviceObject(pFileObject);

2: Create a hook device object to attach with C:\ volume

IoCreateDevice(pDriverObject,
sizeof(AV_DEVICE_EXTENSION),
NULL,
pDeviceObject -> DeviceType,
pDeviceObject -> Characteristics,
FALSE,
&pHookDevice);

3: Create a shadow device with name as “ShadowDevice_C”

IoCreateDevice(pDriverObject,
sizeof(AV_DEVICE_EXTENSION),
strShadowDeviceName,
pDeviceObject -> DeviceType,
pDeviceObject -> Characteristics,
FALSE,
&pShadowDevice);

4: Adjust the StackSize of the shadow device

pShadowDevice -> StackSize = pHookDevice -> StackSize + 1;

5: Attach the hook device to the C:'s device object

IoAttachDeviceToDeviceStack(pHookDevice, pDeviceObject);

6: Attach the shadow device above the hook device

IoAttachDeviceToDeviceStack(pShadowdevice,pHookDevice);

Without creating Shadow Device, Is it possible to develop a filter
driver which blocks IRP_MJ_CREATE request for specific file extension
?

Thanks & Regards
SivaRaja

Hey raja raja

Why do you want to attach shadow device to device stack; isnt it the point
that the shadow device isnt attached to the device stack? How about
IoCreateFileSpecifyDeviceObjectHint anyway? You just want to fail IRP when
its IRP_MJ_CREATE and file name - extension you say - meet some simple
criteria? So in your create dispatch construct (enough of) the filename to
decide whether you want the irp to fail; and if you want the irp to fail
just complete the irp with fail status and dont pass down? Just some
thoughts off the top of the head like :slight_smile:

Cheers
Lyndon

“raja raja” wrote in message news:xxxxx@ntfsd…
> Hi,
>
> while implementing ‘shadow device’ feature in my filter driver, i am
> having some doubts. While creating shadow device for each volumes , Do
> i need to attach the shadow device above the hook device object which
> i have created for a specific volume ? ( If yes, can you send some
> comment of following steps for creating shadow device for each
> volumes? )
>
> Consider the case , we are hooking C:\ volume
> ---------------------------------------------------------------
>
> 1: Getting the Device object of C:\ volume
>
> pDeviceObject = IoGetRelatedDeviceObject(pFileObject);
>
> 2: Create a hook device object to attach with C:\ volume
>
> IoCreateDevice(pDriverObject,
> sizeof(AV_DEVICE_EXTENSION),
> NULL,
> pDeviceObject -> DeviceType,
> pDeviceObject -> Characteristics,
> FALSE,
> &pHookDevice);
>
> 3: Create a shadow device with name as “ShadowDevice_C”
>
> IoCreateDevice(pDriverObject,
> sizeof(AV_DEVICE_EXTENSION),
> strShadowDeviceName,
> pDeviceObject -> DeviceType,
> pDeviceObject -> Characteristics,
> FALSE,
> &pShadowDevice);
>
> 4: Adjust the StackSize of the shadow device
>
> pShadowDevice -> StackSize = pHookDevice -> StackSize + 1;
>
> 5: Attach the hook device to the C:'s device object
>
> IoAttachDeviceToDeviceStack(pHookDevice, pDeviceObject);
>
> 6: Attach the shadow device above the hook device
>
> IoAttachDeviceToDeviceStack(pShadowdevice,pHookDevice);
>
> Without creating Shadow Device, Is it possible to develop a filter
> driver which blocks IRP_MJ_CREATE request for specific file extension
> ?
>
> Thanks & Regards
> SivaRaja
>

You must not attach the shadow device to ANYTHING.
The only thing you need to ensure is that the requests
targeted to your shadow device objects are properly
passed-through to the lowed device object (which is
one stack below your filter’s attached device object.

For doing this, the device object does not need to be
attached to anything, all that is necessary is to ensure that
I/O manager will target requests to it (which is ensured by
file name beginning with your shadow device object’s name).

L.