FileSpy, Win2k, IoRegisterFsRegistrationChange() and reference logic

Hello

I need your help/advice for the following case:

I need FileSpy to hook to the floppy device \Device\Floppy{N} directly after
it is newly mounted.

This works in XP because FileSpy is already attached to \Filesystem\FastFat
(and thus receives IRP_MJ_FILE_SYSTEM_CONTROL->IRP_MN_MOUNT_VOLUME)?
This is because of the IoRegisterFsRegistration() behaviour:

“In Microsoft Windows XP and later, when a file system filter driver calls
IoRegisterFsRegistrationChange, its notification routine is called
immediately for any file systems that have already called
IoRegisterFileSystem.”

To fix this (and have FileSpy automatically attach to floppy) for Win2k and
below, can I do the following?

(I add this code to DriverEntry if the OS is XP and below.)

UNICODE_STRING nameString;
PFILE_OBJECT fileObject;
PDEVICE_OBJECT theDeviceObject;
NTSTATUS status;

// Backslashes must be escaped in the C wide-string literal.
RtlInitUnicodeString(&nameString, L"\\Filesystem\\FastFat");
status = IoGetDeviceObjectPointer(
    &nameString,          // ObjectName
    FILE_READ_ATTRIBUTES, // DesiredAccess
    &fileObject,          // FileObject
    &theDeviceObject);    // DeviceObject

if (NT_SUCCESS(status))
{
    SpyFsNotification(theDeviceObject, TRUE); // (A)
    ObDereferenceObject(fileObject);          // (B)
}

Is that okay?

I am puzzled about the object’s reference count. The doc reads:
“It is important to note that decrementing the reference count on the file
object returned by IoGetDeviceObjectPointer causes the reference count on
the device object to be decremented as well.”

SpyFsNotification() will call IoAttachDeviceToDeviceStack(), but will
that call increment the reference count of theDeviceObject?
Then (B) will decrement fileObject and also drop one reference on
theDeviceObject, which leaves the one reference that was added by the
IoAttachDeviceToDeviceStack() call?

Later, the detach call, IoDetachDevice, decrements the reference count
of the TargetDevice object.

The OS will later call SpyFsNotification(…, FALSE) when every FS is
being deactivated.

Is my reasoning correct? Please advise.


Elias

Hi,

First of all: I would be careful about making assumptions about the names of
devices that will register with IoRegisterFS. The names may vary from NT to
XP, *or* there may be recognizers that do not appear in \Filesystem.

Regarding your question about attaching, I would implement it like this:

UNICODE_STRING nameString;
PFILE_OBJECT fileObject;
PDEVICE_OBJECT theDeviceObject;
NTSTATUS status;

// Backslashes must be escaped in the C wide-string literal.
RtlInitUnicodeString(&nameString, L"\\Filesystem\\FastFat");
status = IoGetDeviceObjectPointer(
    &nameString,          // ObjectName
    FILE_READ_ATTRIBUTES, // DesiredAccess
    &fileObject,          // FileObject
    &theDeviceObject);    // DeviceObject

if (NT_SUCCESS(status))
{
    // Walk from the file object to the base file system device object.
    PDEVICE_OBJECT pdo = IoGetBaseFileSystemDeviceObject(fileObject);
    CreateYourOwnPrefixesNotification(pdo, TRUE); // (A)
    ObDereferenceObject(fileObject);              // (B)
}

And I wouldn’t do this in DriverEntry, but in a worker thread or initiated
by the user-mode part of your driver.

“lallous” wrote in message news:xxxxx@ntfsd…

Hello

You write: "The SpyFsNotification() will call IoAttachDeviceToDeviceStack()",
but \Filesystem\FastFat is of driver object type (DRIVER_OBJECT) and does not
support the semantics of a device object (DEVICE_OBJECT); therefore trying to
attach to a DRIVER_OBJECT using IoAttachDeviceToDeviceStack() will result in
unpredictable behavior of the system.
Did you check this code before sending it?
You must use the \Device\FastFat device object if it exists.
IoAttachDeviceToDeviceStack() does not reference, and IoDetachDevice() does
not dereference, the device object to which your device object is attached,
and neither references your device object.
You must dereference the file object (not the device object) obtained from
IoGetDeviceObjectPointer. If you need the device object, reference it before
dereferencing the file object.

“lallous” wrote in message news:xxxxx@ntfsd…

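The reference-count rules in the reply above, worked through as an added example (constructed here, not code from the thread or from the Windows kernel): a small model in which a file object holds one reference on its device object, dereferencing the file object drops that device reference, and attach/detach take none. The names mirror the kernel routines only to make the two call sequences readable; the counts and the `held` out-parameter are the model's own.

```c
#include <assert.h>
#include <stddef.h>
/* Constructed model of the rules stated in this thread, not the kernel API:
 * the file object from IoGetDeviceObjectPointer holds one reference on its
 * device object, dereferencing that file object drops the device reference
 * too, and IoAttachDeviceToDeviceStack/IoDetachDevice take no references. */
typedef struct Obj {
    long refs;
    struct Obj *dev;         /* file object: the device it was opened on */
    struct Obj *attached_to; /* filter device: the target it sits above */
} Obj;
static void ObReferenceObject(Obj *o) { o->refs++; }
static void ObDereferenceObject(Obj *o) {
    assert(o->refs > 0);
    if (--o->refs == 0 && o->dev) { /* last ref on a file object releases its device */
        ObDereferenceObject(o->dev); o->dev = NULL;
    }
}
/* Returns the device pointer; only the new file object carries a reference. */
static Obj *IoGetDeviceObjectPointer(Obj *device, Obj *fileObject) {
    fileObject->refs = 1;
    fileObject->dev = device;
    ObReferenceObject(device);
    return device;
}
static void IoAttachDeviceToDeviceStack(Obj *f, Obj *t) { f->attached_to = t; }
static void IoDetachDevice(Obj *f) { f->attached_to = NULL; }
/* The original post's order, (A) attach then (B) dereference the file object;
 * returns the device refcount afterwards: the filter holds nothing on it. */
long refs_without_own_reference(void) {
    Obj fs = {1, NULL, NULL}, fo = {0, NULL, NULL}, flt = {1, NULL, NULL};
    Obj *dev = IoGetDeviceObjectPointer(&fs, &fo);
    IoAttachDeviceToDeviceStack(&flt, dev); /* (A): refcount unchanged */
    ObDereferenceObject(&fo);               /* (B): also drops the device ref */
    return fs.refs;
}

/* The fix from the reply above: take your own reference before (B), release
 * it after detaching. *held is the count while in use; returns the final count. */
long refs_with_own_reference(long *held) {
    Obj fs = {1, NULL, NULL}, fo = {0, NULL, NULL}, flt = {1, NULL, NULL};
    Obj *dev = IoGetDeviceObjectPointer(&fs, &fo);
    ObReferenceObject(dev);                 /* our own reference on the device */
    IoAttachDeviceToDeviceStack(&flt, dev);
    ObDereferenceObject(&fo);               /* (B): device still held by us */
    *held = fs.refs;
    IoDetachDevice(&flt);                   /* no refcount change */
    ObDereferenceObject(dev);               /* release what we took */
    return fs.refs;
}
```

Without the extra ObReferenceObject, the device count is back to its starting value while the filter still holds the pointer; with it, the count stays raised until the filter detaches and releases it.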
> This works in XP because FileSpy is already attached to \Filesystem\FastFat
> (and thus receives IRP_MJ_FILE_SYSTEM_CONTROL->IRP_MN_MOUNT_VOLUME)?
> Because of IoRegisterFsRegistration() behaviour:

Basically, IoRegisterFsRegistration may also be used on Win2000.

The only difference between XP+ and 2000- is that on the older Windows
this routine does not affect already registered file systems.
If you load the FileSpy driver at boot time, before the file systems are
loaded, you will get the same behavior as on XP.

L.