I’m trying to veto the bypassed operation. To do this, in PreCallback, when I receive IRP_MJ_FILE_SYSTEM_CONTROL and Data->Iopb->Parameters.FileSystemControl.Common.FsControlCode == FSCTL_MANAGE_BYPASS_IO, I call this function.
Then I finish PreCallback with the status FLT_PREOP_COMPLETE.
The problem is that in user space, in this case, garbage arrives in the output buffer. And I don’t understand why.
Can someone advise?
I act according to the instructions: https://learn.microsoft.com/en-us/windows-hardware/drivers/ifs/bypassio-operations
Example code:

    if (Data->Iopb->Parameters.FileSystemControl.Common.FsControlCode == FSCTL_MANAGE_BYPASS_IO) {
        UNICODE_STRING reason;
        PFS_BPIO_INPUT in;

        in = Data->Iopb->Parameters.FileSystemControl.Buffered.SystemBuffer;
        if (in) {
            if (in->Operation == FS_BPIO_OP_ENABLE || in->Operation == FS_BPIO_OP_QUERY) {
                RtlInitUnicodeString(&reason, L"does not support bypassio");
                status = FltVetoBypassIo(Data, FltObjects, STATUS_ACCESS_DENIED, &reason);
                return FLT_PREOP_COMPLETE;
            }
        }
    }
...