file read - Question

Hi,

I am trying to read a file (by double-clicking a file from Windows
Explorer) and in that process, write the contents of the file into
another file (say a log file). This content may include header
information and other stuff besides the real data.

I am new to NT internals and file system filter drivers. I am learning
as I go. I read that the SystemBuffer is a temporary buffer which would
hold the contents of the file being read and would eventually be put
into the userBuffer. How do I read the contents of the UserBuffer? Is it
in Binary or ASCII format?

Thanks much,

S.Srivathsan

DISCLAIMER:
This email (including any attachments) is intended for the sole use of the intended recipient/s and may contain material that is CONFIDENTIAL AND PRIVATE COMPANY INFORMATION. Any review or reliance by others or copying or distribution or forwarding of any or all of the contents in this message is STRICTLY PROHIBITED. If you are not the intended recipient, please contact the sender by email and delete all copies; your cooperation in this regard is appreciated.

Srivathsan_Srinivasagopalan wrote:

Hi,
into the userBuffer. How do I read the contents of the UserBuffer? Is it
in Binary or ASCII format?

In drivers there’s no distinction - it could be Unicode, or Klingon or
something. It’s just bytes.

The buffers hold all sorts of things not just file data - and they’re
rarely the whole file (probably on the return path from IRP_MJ_READ with
a zero offset, if the file is small enough… can’t think of another case).

Tony
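Added example (not part of the original thread, and not FileSpy code): since the buffer is just bytes and is rarely NUL-terminated, a log routine should render a bounded hex/ASCII dump of only the bytes actually transferred rather than print the buffer as a string. This user-mode C stand-in assumes `valid_len` plays the role of the completed transfer length (Irp->IoStatus.Information on a read); `dump_bytes` and `sample` are hypothetical names, and the sample bytes are constructed.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define ROW_BYTES 16
#define ROW_CHARS 96  /* upper bound on one formatted row, including the NUL */

static const char HEX[] = "0123456789abcdef";

/* Constructed sample: 8 bytes "read", followed by stale data and no NUL. */
static const unsigned char sample[24] = {
    'M', 'Z', 0x90, 0x00, 0x03, 0x00, 'h', 'i',
    'S','T','A','L','E','-','P','O','O','L','-','B','Y','T','E','S' };

/* Render at most max_bytes of the valid_len bytes in buf as hex + ASCII rows.
 * valid_len is the completed transfer length, not the size of the buffer.
 * Returns the number of input bytes rendered; never reads past valid_len
 * and never writes past out_size. */
size_t dump_bytes(const unsigned char *buf, size_t valid_len, size_t max_bytes,
                  char *out, size_t out_size)
{
    size_t limit = valid_len < max_bytes ? valid_len : max_bytes;
    size_t done = 0, used = 0, i, n;

    if (out_size == 0) return 0;
    out[0] = '\0';
    while (done < limit && out_size - used >= ROW_CHARS) {
        n = limit - done < ROW_BYTES ? limit - done : ROW_BYTES;
        used += (size_t)snprintf(out + used, out_size - used, "%04zx  ", done);
        for (i = 0; i < ROW_BYTES; i++) {       /* hex column, padded */
            out[used++] = i < n ? HEX[buf[done + i] >> 4] : ' ';
            out[used++] = i < n ? HEX[buf[done + i] & 15] : ' ';
            out[used++] = ' ';
        }
        out[used++] = '|';
        for (i = 0; i < n; i++) {               /* ASCII column, '.' if unprintable */
            unsigned char c = buf[done + i];
            out[used++] = (c >= 0x20 && c < 0x7f) ? (char)c : '.';
        }
        out[used++] = '|';
        out[used++] = '\n';
        out[used] = '\0';
        done += n;
    }
    return done;
}

int main(void)
{
    char text[256];
    size_t shown = dump_bytes(sample, 8, 64, text, sizeof text);
    printf("%zu bytes logged\n%s", shown, text);
    return 0;
}
```

The stale bytes after offset 8 never reach the log because the dump is bounded by the transfer length, and embedded zero bytes do not cut the output short.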

Hi,
This is with reference to my previous question as to how one can read
data from the UserBuffer.

I am modifying Filespy (in IFS kit) and whenever a file is opened to
read, I want the contents of the file to be logged (written into) the
log file. I am unsure how to go about doing that.

Please let me know if the below mentioned code is in the right
direction.

    if (Irp->AssociatedIrp.SystemBuffer) {
        if (irpStack->Parameters.DeviceIoControl.OutputBufferLength) {
            RtlCopyMemory(Irp->UserBuffer,
                          Irp->AssociatedIrp.SystemBuffer,
                          irpStack->Parameters.DeviceIoControl.OutputBufferLength);
        }
        ExFreePool (Irp->AssociatedIrp.SystemBuffer);
    }

    // I must use some other debug level…
    SPY_LOG_PRINT(SPYDEBUG_DISPLAY_ATTACHMENT_NAMES,
                  ("FileSpy!SriTest: contents = %s\n", Irp->UserBuffer) );

Thanks,
Sri.

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Tony Hoyle
Sent: Monday, March 20, 2006 6:40 PM
To: Windows File Systems Devs Interest List
Subject: Re: [ntfsd] file read - Question

Srivathsan_Srinivasagopalan wrote:

Hi,
into the userBuffer. How do I read the contents of the UserBuffer? Is it
in Binary or ASCII format?

In drivers there’s no distinction - it could be Unicode, or Klingon or
something. It’s just bytes.

The buffers hold all sorts of things not just file data - and they’re
rarely the whole file (probably on the return path from IRP_MJ_READ with
a zero offset, if the file is small enough… can’t think of another case).

Tony


Questions? First check the IFS FAQ at
https://www.osronline.com/article.cfm?id=17

You are currently subscribed to ntfsd as:
xxxxx@satyam.com
To unsubscribe send a blank email to xxxxx@lists.osr.com


Tony,

Thanks.

But, I am still unable to figure out where exactly to read the
UserBuffer and copy its contents to the log file (I am using FileSpy). I
am plugging this piece of code in SpyPassThroughCompletion.

    if (Irp->AssociatedIrp.SystemBuffer) {
        if (irpStack->Parameters.DeviceIoControl.OutputBufferLength) {
            RtlCopyMemory(Irp->UserBuffer,
                          Irp->AssociatedIrp.SystemBuffer,
                          irpStack->Parameters.DeviceIoControl.OutputBufferLength);
        }
        ExFreePool (Irp->AssociatedIrp.SystemBuffer);
    }

And, I am unsure how I should be using the SPY_LOG_PRINT function to
enable it to print the contents of the Irp->UserBuffer to log file.

Also, I thought of populating the contents of a (small) file by
modifying the fspylog file. In the IrpFileDump, if I had access to Irp,
I can get the UserBuffer. But, all I have at that point is pRecordIrp
which doesn’t give me UserBuffer access.

Any suggestions to copy the contents of the file which was read to the
log file would be appreciated.

Thanks,
Sri.

You should never copy into Irp->UserBuffer in a completion routine
(which is what you’re doing in your example). That’s just not safe and
suggests you do not yet have a good conceptual understanding of context.

Is this your device control? If it is, perhaps you can tell us what
transfer method you defined. If it is not, you’ll need to figure out
which transfer method is specified. In either case, the transfer method
is going to tell you where the resulting data will be located.

What do you think the code snippet that you provided does?

Regards,

Tony

Tony Mason
Consulting Partner
OSR Open Systems Resources, Inc.
http://www.osr.com

Looking forward to seeing you at the next OSR File Systems class in
Boston, MA April 18-21, 2006 (note new date - MS scheduled plugfest the
same week again.)