file-system filter-driver basics

Hello,

First of all: I’m absolutely new to driver programming and right now I’m
still trying to figure out how things work (which I must say seems to be
all but impossible … :wink:)

I based my filter on the toaster example and installed it as an
upper filter. The first thing I wanted to try is to “block” every
MJ_READ/MJ_WRITE to the disk and satisfy the request myself.
This even seemed to work, but then I compared the data which came from
sending down the request to the next lower driver with the data from my
request, and on some occasions it didn’t match! Probably I’m doing
something wrong or don’t handle some special cases, but I can’t figure
out which ones. Here’s my code to request data from disk:

    NTSTATUS ReadWriteCompletion(IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp, IN PVOID Context) {
        Irp->UserIosb->Status = Irp->IoStatus.Status;
        KeSetEvent((PKEVENT)Context, IO_NO_INCREMENT, false);
        IoFreeIrp(Irp);
        return STATUS_MORE_PROCESSING_REQUIRED;
    }

    NTSTATUS ReadWrite(PVOID buffer, LARGE_INTEGER* pos, ULONG size,
                       PDEVICE_EXTENSION deviceExtension, bool write) {
        _KEVENT event;
        PIRP irp;
        _IO_STATUS_BLOCK iosb;
        NTSTATUS status;
        KeInitializeEvent(&event, NotificationEvent, false);
        irp = IoBuildAsynchronousFsdRequest(write ? IRP_MJ_WRITE : IRP_MJ_READ,
                  deviceExtension->NextLowerDriver, buffer, size, pos, &iosb);
        if (irp == NULL)
            return STATUS_INSUFFICIENT_RESOURCES;
        IoSetCompletionRoutine(irp, ReadWriteCompletion, &event, true, true, true);
        status = IoCallDriver(deviceExtension->NextLowerDriver, irp);
        // should I always wait on the event or only with status == STATUS_PENDING ?
        KeWaitForSingleObject(&event, Executive, KernelMode, false, NULL);
        return iosb.Status;
    }

In the filter routine, I simply write the data coming from my read request
to a memory buffer and set up a completion routine, in which I get the
(correct) data with MmGetSystemAddressForMdlSafe and compare it to mine
with RtlCompareMemory. The only thing I could observe was that the
mismatches I can see in DbgView (only 4, though on boot-up there are about
300) always have the same "ByteOffset"s.

Thanks in advance for every answer :slight_smile:

Jan Hammerschmidt
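
A user-mode C model of the comparison step described in the post, added here and not part of the original message: it reports which sectors differ and where inside each one, so the recurring ByteOffsets can be checked for whole-sector versus partial differences. `compare_memory` is a portable stand-in with the same return convention as RtlCompareMemory; the 512-byte sector size, the names `diff_sectors` and `sector_diff`, and the sample buffers are assumptions constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SECTOR_SIZE 512u /* assumption: 512-byte sectors */

typedef struct {
    uint64_t sector_offset; /* absolute disk byte offset of the sector */
    size_t   first_diff;    /* index of first differing byte in the sector */
    size_t   diff_bytes;    /* number of differing bytes in the sector */
} sector_diff;

/* Stand-in for RtlCompareMemory: count of leading bytes that match. */
size_t compare_memory(const uint8_t *a, const uint8_t *b, size_t len) {
    size_t i = 0;
    while (i < len && a[i] == b[i]) i++;
    return i;
}

/* Compare the filter's own read ("mine") with the lower driver's data
 * ("lower") sector by sector. Returns the number of differing sectors
 * and stores the first max_out of them in out. */
size_t diff_sectors(uint64_t byte_offset, const uint8_t *mine,
                    const uint8_t *lower, size_t len,
                    sector_diff *out, size_t max_out) {
    size_t found = 0;
    for (size_t pos = 0; pos < len; pos += SECTOR_SIZE) {
        size_t chunk = len - pos < SECTOR_SIZE ? len - pos : SECTOR_SIZE;
        size_t first = compare_memory(mine + pos, lower + pos, chunk);
        if (first == chunk) continue; /* sector identical */
        size_t diffs = 0;
        for (size_t i = first; i < chunk; i++)
            diffs += mine[pos + i] != lower[pos + i];
        if (found < max_out)
            out[found] = (sector_diff){ byte_offset + pos, first, diffs };
        found++;
    }
    return found;
}

int main(void) {
    uint8_t mine[1536], lower[1536]; /* constructed sample data */
    sector_diff d[4];
    memset(mine, 0xAA, sizeof mine);
    memcpy(lower, mine, sizeof lower);
    memset(lower + 512, 0x55, 512); /* whole sector differs */
    lower[1024 + 10] ^= 0xFF;       /* single byte differs */
    size_t n = diff_sectors(0x7E00, mine, lower, sizeof mine, d, 4);
    for (size_t i = 0; i < n && i < 4; i++)
        printf("sector @0x%llx: first diff +%zu, %zu bytes differ\n",
               (unsigned long long)d[i].sector_offset, d[i].first_diff, d[i].diff_bytes);
    return 0;
}
```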