Help :: How to Get the MappingFile SectionHandle created in UserMode ??

Hi,
I am a beginner to FSD.

I created a usermode app using CreateFileMapping().
If I call it with a non-null object name (the 6th param), then in the driver I
can get the SectionHandle by InitializeObjectAttributes() and ZwOpenSection()
with the object name, but if CreateFileMapping() is called without an object name (6th
param set to null), I wonder how I can also get the SectionHandle?
Are there any other ways to implement it?

There are several ways to accomplish this. Tell us more so we know the appropriate solution. What process context(s) are used to access the section object and view (mapping) in your driver?

-----Original Message-----
From: zyee [mailto:xxxxx@21cn.com]
Sent: Friday, April 05, 2002 1:22 AM
To: File Systems Developers
Subject: [ntfsd] Help :: How to Get the MappingFile SectionHandle
created in UserMode ??


I know that some usermode apps such as Notepad read/write files via
the file mapping technique. I guess that it may be a feasible way if I know the
BaseNamedObject of the usermode mapping file; then I can
ZwOpenSection/ZwMapViewOfSection it in the filter driver.
For example, if the usermode app uses CreateFileMapping(…,“1234567890”),
then I know that the map object name should be “\BaseNamedObjects\1234567890”,
then by ZwOpenSection/ZwMapViewOfSection, I can get the BaseAddress of the
view of the mapping file, get the content of the file, etc…
But when watching the Read/Write operations of Notepad, I cannot find
any BaseNamedObjects associated with Notepad. Maybe Notepad calls
CreateFileMapping() with a null object name (the 6th param set to null)?? How
can I read the mapping-file content in the filter??

If I understand, you’re trying to solve a non-existent problem. The stock file systems try very hard to keep the system cache coherent with any memory mappings. The cache manager’s view of the file as well as any memory mapped views of the file translate to the same physical memory pages. You don’t need to access notepad’s section object to get to the memory mapped data. You can map it yourself from your own section object or read from the cache. You will be accessing the same physical pages of memory.

-----Original Message-----
From: zyee [mailto:xxxxx@21cn.com]
Sent: Friday, April 05, 2002 9:51 AM
To: File Systems Developers
Subject: [ntfsd] Re: Help :: How to Get the MappingFile SectionHandle
created in UserMode ??


Thanks, Rob Fuller.

From your words “You can map it yourself from your own section object
…”, can I get the pointer to the SectionHandle from PFILE_OBJECT via
ObOpenObjectByPointer(), then directly call ZwMapViewOfSection() to get the
BaseAddress of the mapped file??

Why not just use ZwCreateSection?

-----Original Message-----
From: zyee [mailto:xxxxx@21cn.com]
Sent: Friday, April 05, 2002 11:02 AM
To: File Systems Developers
Subject: [ntfsd] Re: Help :: How to Get the MappingFile SectionHandle
created in UserMode ??


> some BaseNamedObjects associated with notepad, Maybe Notepad
> CreateFileMapping() with a null objectname(set the 6th params null)??

I’m sure of this.

> can i read the mappingfile-context in filter??

Why do you need this? Monitor the IRPs, the section object name is irrelevant.

Max

I know that a usermode app always uses
LPVOID lpvFile = MapViewOfFile(hFileMap,FILE_MAP_READ,…) to get the content
of the mapping file. Can I get the same lpvFile entry in my filter driver when
the hooked file is opened (such as by Notepad)?? Are there any other ways
to do it??

> i know that at usermode app, always use
> LPVOID lpvFile =MapViewOfFile(hFileMap,FILE_MAP_READ,…) to get content
> of mapping-file, can i get the same lpvFile entry in my filter driver when
> the hooked file was opened (such as by Notepad)?? is there any other ways
> to do it??

Why do you need this? Looks like your problem can be solved by other means, like monitoring IRPs.

Max

Thanks, Max.
Excuse my lack of experience with filters. From your words “monitoring
IRPs”, does it mean that I get the content from Irp->UserBuffer or MdlAddress?
I had done it. For normal API calls, such as ReadFile()/WriteFile(), it
works fine, but for mapping-file calls, it raises a VA error (0xc0000005).
Another way I think could solve the problem is to hook the service
ZwMapViewOfSection(), but it does not look like the better way.

Looking for your advice again.

For paging IO IRPs, you have the physical pages in the MDL.
Call MmGetSystemAddressForMdlSafe and you will have the pointer.

Max

----- Original Message -----
From: “zyee”
To: “File Systems Developers”
Sent: Monday, April 08, 2002 6:01 AM
Subject: [ntfsd] Re: Help :: How to Get the MappingFile SectionHandle created in UserMode ??


I did as you advised in my I/O completion routine:

    if( Irp->MdlAddress ){
        outbuffer = MmGetSystemAddressForMdlSafe(
            Irp->MdlAddress, NormalPagePriority );
        DbgPrint("Got a Mdl , the Flag :: %x\n",
            Irp->MdlAddress->MdlFlags);
    }

    ProbeForRead(outbuffer, Irp->IoStatus.Information, sizeof(ULONG));

With my filter running and successfully hooking Drive A:,
I open a txt file with Notepad, try to read the outbuffer, and then get a VA
error (0xc0000005). The MdlFlags is 0x43, and the Irp->IoStatus.Information
is the correct length of the txt file.

Where on earth is the problem?!
Help me

Your problem is that the outbuffer points to kernel mode space,
but ProbeForRead probes if the address is in user mode space.
Thus it correctly generates exception STATUS_ACCESS_VIOLATION.

So, don’t probe kernel mode addresses!

Paul

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com]On Behalf Of zyee
Sent: Tuesday, April 09, 2002 5:10 AM
To: File Systems Developers
Subject: [ntfsd] Re: Help :: How to Get the MappingFile SectionHandle
created in UserMode ??

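
The point of the last reply, modelled in plain user-mode C as an added example (not code from the thread, and not WDK code): a user-buffer probe accepts only ranges below the user/kernel boundary, so an address obtained by mapping an MDL into system space always fails it. The constants, `model_irp`, `model_probe_for_read` and `model_pick_buffer` are constructed for illustration and assume a 32-bit x86 address layout.

```c
#include <stdint.h>

/* Constructed model constants: 32-bit x86, user space ends below 0x7FFF0000. */
#define USER_PROBE_LIMIT    0x7FFF0000u
#define ST_SUCCESS          0x00000000u
#define ST_MISALIGNED       0x80000002u /* STATUS_DATATYPE_MISALIGNMENT */
#define ST_ACCESS_VIOLATION 0xC0000005u /* the error seen in the thread */
#define ST_NO_RESOURCES     0xC000009Au /* STATUS_INSUFFICIENT_RESOURCES */

/* Hypothetical stand-in for the IRP fields used in the thread. */
typedef struct {
    int      has_mdl;        /* Irp->MdlAddress != NULL */
    uint32_t mdl_system_va;  /* result of mapping the MDL, 0 if it failed */
    uint32_t user_buffer;    /* Irp->UserBuffer */
    uint32_t information;    /* Irp->IoStatus.Information */
} model_irp;

/* Models the range and alignment test a user-buffer probe performs. */
uint32_t model_probe_for_read(uint32_t addr, uint32_t len, uint32_t align)
{
    uint32_t end = addr + len;
    if (len == 0) return ST_SUCCESS;
    if (addr & (align - 1)) return ST_MISALIGNED;
    if (end < addr || end > USER_PROBE_LIMIT) return ST_ACCESS_VIOLATION;
    return ST_SUCCESS;
}

/* Picks the readable address: MDL mapping unprobed, user buffer probed. */
uint32_t model_pick_buffer(const model_irp *irp, uint32_t *va)
{
    uint32_t st;
    *va = 0;
    if (irp->has_mdl) {
        if (irp->mdl_system_va == 0) return ST_NO_RESOURCES;
        *va = irp->mdl_system_va;   /* system-space address, never probed */
        return ST_SUCCESS;
    }
    if (irp->user_buffer == 0) return ST_ACCESS_VIOLATION;
    st = model_probe_for_read(irp->user_buffer, irp->information, 1);
    if (st == ST_SUCCESS) *va = irp->user_buffer;
    return st;
}
```

The model also covers two cases the posted routine does not: an IRP with no MDL, and an MDL whose system mapping fails and returns a null pointer.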