Hi,
I am learning filter driver. I went through Rajeev nagars book. Now I am
using filespy filter driver sample. As first step, I am trying to fiter
log entries. I am using following function to filter in SpyCreate()
Dispatch routine.
BOOLEAN
ShouldNotLog(IN PIRP Irp)
{
PIO_STACK_LOCATION pIrpStack;
ANSI_STRING newAnsiName;
UNICODE_STRING UniName;
PDEVICE_EXTENSION deviceExtension;
ULONG lookupFlags;
PUNICODE_STRING volumeName;
pIrpStack = IoGetCurrentIrpStackLocation(Irp);
//Volume Name
deviceExtension = pIrpStack->DeviceObject->DeviceExtension;
if (deviceExtension &&
(deviceExtension->NextDriverDeviceObject->DeviceType ==
FILE_DEVICE_DISK_FILE_SYSTEM)) {
volumeName = &(deviceExtension->DeviceName);
} else {
volumeName = NULL;
}
// Lookup Flag
lookupFlags = 0;
lookupFlags |= NAMELOOKUPFL_CAN_GET_NAME_FROM_FILEOBJ;
if (pIrpStack->Parameters.Create.Options & FILE_OPEN_BY_FILE_ID) {
lookupFlags |= NAMELOOKUPFL_OPEN_BY_ID;
}
UniName.MaximumLength = (unsigned short)gMaxNamesToAllocate;
UniName.Buffer = ExAllocatePool(NonPagedPool,gMaxNamesToAllocate);
UniName.Length = E3GetFullPathName(
pIrpStack->FileObject,
(PCHAR) UniName.Buffer,
UniName.MaximumLength,
volumeName,
lookupFlags);
RtlInitAnsiString(&newAnsiName,NULL);
RtlUnicodeStringToAnsiString(&newAnsiName,&UniName,TRUE);
newAnsiName.Buffer[newAnsiName.Length] = ‘\0’;
DbgPrint(“File Name $$$:- %s”,newAnsiName.Buffer);
//DbgBreakPoint();
if (ApplyFilters(newAnsiName.Buffer)) {
RtlFreeAnsiString(&newAnsiName);
ExFreePool(UniName.Buffer);
return FALSE;
}
else {
RtlFreeAnsiString(&newAnsiName);
ExFreePool(UniName.Buffer);
return TRUE;
}
}
I modified SpyPassThrogh function with additional parameter Flag. If the
above function return TRUE, I will call SpyPassThrogh with Flag = 0
otherwise with 1. In SpyPassThrough, I am using following code.
if (SHOULD_LOG(DeviceObject)&&Flag) {
PRECORD_LIST recordList;
//
// The ControlDevice is opened, so allocate the Record
// and log the Irp information if we have the memory.
//
recordList = E3NewRecord(0);
if (recordList) {
loggingFlags |= LOG_ORIGINATING_IRP;
E3LogIrp( Irp, loggingFlags, recordList );
//
// Since we are logging this operation, we want to
// see its completion so register our completion
// routine.
//
IoSetCompletionRoutine(
Irp,
E3PassThroughCompletion,
(PVOID)recordList,
TRUE,
TRUE,
TRUE);
}
}
With above modification, I ran the filespy.exe After attached to C:, my
system is getting restarted. No blue screen comming, only correpted
display is comming before.
What is wrong with this code. Please anyone explain me.
Thanx in Advance.
Regards,
T.Umapathy