Filtering LanMan calls - flags and return status

Howdy,

I tried filtering LanMan calls, but I get incorrect values for it.
Here are two problems:

  • IRP_MJ_SET_INFORMATION with InfoClass FileDispositionInformation.
    I try to ask the driver for FILE_STANDARD_INFORMATION before
    the call is executed via IoCallDriver, but the Directory flag is not
    returned correctly.
  • IRP_MJ_CREATE – I cannot check the IoStatus.Information field
    to see what “really” happened, i.e. whether the file was created,
    replaced, opened or something.

If someone knows if this is a known issue, please tell me, and
also if you have found/know a workaround. Otherwise, here’s the code I
use for querying FILE_STANDARD_INFORMATION (I have no idea what could be
wrong with the IRP_MJ_CREATE filtering).

P.S. The query is done in the Dispatch routine, and the CREATE
result query in the CompletionRoutine.

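    /* Completion routine for the query IRP built in DeleteGetFullPath. */
    NTSTATUS DeleteQueryFileNameComplete(IN PDEVICE_OBJECT DeviceObject,
                                         IN PIRP Irp,
                                         IN PVOID Context)
    {
        /* Copy the final status to the caller's block and wake the waiter. */
        *Irp->UserIosb = Irp->IoStatus;
        KeSetEvent(Irp->UserEvent, 0, FALSE);
        /* The IRP came from IoAllocateIrp, so free it here and stop the
           I/O manager from processing it any further. */
        IoFreeIrp(Irp);
        return STATUS_MORE_PROCESSING_REQUIRED;
    }

    /* Sends IRP_MJ_QUERY_INFORMATION (FileStandardInformation) for fileObject
       and returns the Directory flag.
       hookExt is not declared in the posted code; hookExt->FileSystem is the
       device the request is sent to. */
    BOOLEAN DeleteGetFullPath(IN PFILE_OBJECT fileObject,
                              IN PDEVICE_OBJECT DeviceObject,
                              IN PWorkEntry Data)
    {
        PIRP irp;
        KEVENT Event;
        IO_STATUS_BLOCK IoStatusBlock;
        PIO_STACK_LOCATION nextIrpStack;
        FileDataInfo FileInfo;    /* FILE_STANDARD_INFORMATION */

        irp = IoAllocateIrp(hookExt->FileSystem->StackSize, FALSE);
        if (irp)
        {
            KeInitializeEvent(&Event, SynchronizationEvent, FALSE);
            irp->AssociatedIrp.SystemBuffer = &FileInfo;
            irp->UserEvent = &Event;
            irp->UserIosb = &IoStatusBlock;
            irp->Tail.Overlay.Thread = PsGetCurrentThread();
            irp->Tail.Overlay.OriginalFileObject = fileObject;
            irp->RequestorMode = KernelMode;
            irp->Flags = IRP_SYNCHRONOUS_API;

            /* Fill in the stack location the target driver will see. */
            nextIrpStack = IoGetNextIrpStackLocation(irp);
            nextIrpStack->MajorFunction = IRP_MJ_QUERY_INFORMATION;
            nextIrpStack->DeviceObject = DeviceObject;
            nextIrpStack->FileObject = fileObject;
            nextIrpStack->Parameters.QueryFile.Length = sizeof(FileInfo);
            nextIrpStack->Parameters.QueryFile.FileInformationClass =
                FileStandardInformation;

            IoSetCompletionRoutine(irp,
                                   DeleteQueryFileNameComplete,
                                   0,
                                   TRUE,
                                   TRUE,
                                   TRUE);

            if (NT_SUCCESS(IoCallDriver(hookExt->FileSystem, irp)))
            {
                /* Non-alertable wait with no timeout: Event and IoStatusBlock
                   are on this stack and the completion routine writes to
                   them, so the function must not return before it has run. */
                KeWaitForSingleObject(&Event, Executive, KernelMode, FALSE,
                                      NULL);
                /* FileInfo is only valid if the query itself succeeded. */
                if (NT_SUCCESS(IoStatusBlock.Status))
                    return FileInfo.Directory;
            }
        }
        return FALSE;
    }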


Regards,
Dejan M., CEO, Alfa Co.
http://www.alfaunits.co.yu and www.register.co.yu
E-mail: xxxxx@alfaunits.co.yu ICQ#: 56570367