Hello
I need your help/advice for the following case:
I need FileSpy to hook to the floppy device \Device\Floppy{N} directly after
it is newly mounted.
This works in XP because FileSpy is already attaching to \Filesystem\FastFat
(and thus receives the IRP_MJ_FILE_SYSTEM_CONTROL->IRP_MN_MOUNT_VOLUME)?
Because of the IoRegisterFsRegistrationChange() behaviour:
“In Microsoft Windows XP and later, when a file system filter driver calls
IoRegisterFsRegistrationChange, its notification routine is called
immediately for any file systems that have already called
IoRegisterFileSystem.”
To fix this (and have FileSpy automatically attach to the floppy) for Win2k and
below, can I do this?
(I add this code to the DriverEntry if the OS is XP and below)
    UNICODE_STRING nameString;
    PFILE_OBJECT   fileObject      = NULL;
    PDEVICE_OBJECT theDeviceObject = NULL;
    NTSTATUS       status;

    // Backslashes must be doubled inside a C string literal
    RtlInitUnicodeString(&nameString, L"\\Filesystem\\FastFat");
    status = IoGetDeviceObjectPointer(
                 &nameString,          // ObjectName
                 FILE_READ_ATTRIBUTES, // DesiredAccess
                 &fileObject,          // FileObject (referenced on success)
                 &theDeviceObject);    // DeviceObject
    if (NT_SUCCESS(status))
    {
        SpyFsNotification(theDeviceObject, TRUE); // (A) attach as if the FS had just registered
        ObDereferenceObject(fileObject);          // (B) release the file object reference
    }
Is that okay?
I am puzzled about the object’s reference count. The doc reads:
“It is important to note that decrementing the reference count on the file
object returned by IoGetDeviceObjectPointer causes the reference count on
the device object to be decremented as well.”
The SpyFsNotification() will call IoAttachDeviceToDeviceStack() but will
that call increment the reference of theDeviceObject?
Then (B) will decrement both fileObject and one less reference for
theDeviceObject, which leaves one reference that was added by the
IoAttachDeviceToDeviceStack() call?
Then later, the detach call, IoDetachDevice decrements the reference count
of the TargetDevice object.
The OS will later call SpyFsNotification(…, FALSE) when every FS is
getting deactivated.
Is my reasoning correct? Please advise.
–
Elias