Hook CreateFileMapping

According to the previous posts in the list, to hook CreateFileMapping in a
filter driver we need to hook into AcquireFileForNtCreateSection. Now in
NT2k/NT4, how can we do this? My understanding is that this fastio call of
the filter driver gets bypassed by the system. In XP, I know we can call
an FsRtl routine to register the callback. One thing I can think of is going
through the driver stack to search for the FSD driver, and then replace its
AcquireFileForNtCreateSection entry. Any more help will be
appreciated.


You are currently subscribed to ntfsd as: $subst(‘Recip.EmailAddr’)
To unsubscribe send a blank email to leave-ntfsd-$subst(‘Recip.MemberIDChar’)@lists.osr.com

An alternative is to use the www.sysinternals.com method for hooking NT
system services, then hook NtCreateSection and NtMapViewOfSection to
track all (user-mode initiated) file mappings. (BTW sports fans, is
there a semi/documented way to turn a virtual address into the file
object for the file mapping it represents?)

I suppose modifying the FastIoDispatch table of the filesystem driver
object itself to cause the AcquireFileForNtCreateSection callback to
point to you would work as well. This would only allow you to filter
create section requests, not requests to actually map the data into
memory, however (although you can be assured that map view requests will
only take place after a create section request). And the return value is
VOID, so you have no ability to fail the section create, if that’s what
you intend.

  • Nicholas Ryan

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of
xxxxx@math.uic.edu
Sent: Monday, January 14, 2002 6:46 PM
To: File Systems Developers
Subject: [ntfsd] Hook CreateFileMapping

> An alternative is to use the www.sysinternals.com method for hooking NT
> system services, then hook NtCreateSection and NtMapViewOfSection to
> track all (user-mode initiated) file mappings. (BTW sports fans, is
> there a semi/documented way to turn a virtual address into the file
> object for the file mapping it represents?)

Two great tasks:

  • getting the control area pointer from the VAD.
  • then getting the file object from the control area.

> object itself to cause the AcquireFileForNtCreateSection callback to

This call is always made on the base FS device object; the filter's routine is never used.

> VOID, so you have no ability to fail the section create, if that's what

IIRC MmCreateSection sends some query information IRPs to the filesystem.
Maybe this is a direction to move?

Max


> -----Original Message-----
> From: xxxxx@lists.osr.com [mailto:bounce-ntfsd-xxxxx@lists.osr.com] On Behalf Of Maxim S. Shatskih
> Sent: Monday, January 14, 2002 5:17 PM
> To: File Systems Developers
> Subject: [ntfsd] RE: Hook CreateFileMapping

> > An alternative is to use the www.sysinternals.com method for hooking NT
> > system services, then hook NtCreateSection and NtMapViewOfSection to
> > track all (user-mode initiated) file mappings. (BTW sports fans, is
> > there a semi/documented way to turn a virtual address into the file
> > object for the file mapping it represents?)
>
> Two great tasks:
>
>   • getting the control area pointer from the VAD.
>   • then getting the file object from the control area.

Ouch… but then again my only alternative is to hook both
NtCreateSection and NtMapViewOfSection and maintain a massive private
data structure tracking all mapped views in all processes (I’m only
interested in user-mode initiated mappings).

> > object itself to cause the AcquireFileForNtCreateSection callback to
>
> This call is always made on the base FS device object; the filter's
> routine is never used.

But if you actually modify the AcquireFileForNtCreateSection member of
the fast-I/O dispatch table of the driver object of the FSD to point to
your routine, then your routine will be called, right? You just have to
be careful to chain down to the original routine.

  • Nicholas Ryan
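The FSD table patch Nicholas describes, together with Max's point that the call is dispatched on the base FSD rather than on a filter, modelled in user-mode C as an added example (not code from the thread or from any poster). The `*_STUB` types, `MmCreateSectionModel`, the `g_*` counters and `FastIoEntryTampered` are hypothetical stand-ins for the kernel structures and for a load-time integrity check; the last of these shows the defender's side, since a dispatch entry that no longer matches its load-time baseline is how such a patch is detected.

```c
/* User-mode model of the AcquireFileForNtCreateSection hooking pattern from the thread.
 * DRIVER_OBJECT, FAST_IO_DISPATCH and FILE_OBJECT are replaced by hypothetical minimal
 * *_STUB types so the control flow can be compiled and exercised outside the kernel. */
#include <string.h>

typedef struct { const char *FileName; } FILE_OBJECT_STUB;
/* The member the thread discusses returns VOID, as in the real FAST_IO_DISPATCH. */
typedef void (*PFAST_IO_ACQUIRE_FOR_SECTION)(FILE_OBJECT_STUB *FileObject);
typedef struct { PFAST_IO_ACQUIRE_FOR_SECTION AcquireFileForNtCreateSection; } FAST_IO_DISPATCH_STUB;
typedef struct { const char *Name; FAST_IO_DISPATCH_STUB *FastIoDispatch; } DRIVER_OBJECT_STUB;
int g_fsd_calls, g_hook_calls;                  /* how often each routine ran */
char g_last_file[64];                           /* file name the hook observed */
static PFAST_IO_ACQUIRE_FOR_SECTION g_original; /* saved FSD entry, used to chain down */

static void FsdAcquireFileForNtCreateSection(FILE_OBJECT_STUB *f) { (void)f; g_fsd_calls++; }
static void HookAcquireFileForNtCreateSection(FILE_OBJECT_STUB *f) {
    g_hook_calls++;
    strncpy(g_last_file, f->FileName, sizeof g_last_file - 1);
    g_original(f); /* chain down; a VOID return means the request cannot be failed here */
}
/* Patch the FSD driver object's table entry and keep the original for chaining. */
void InstallAcquireHook(DRIVER_OBJECT_STUB *fsd) {
    g_original = fsd->FastIoDispatch->AcquireFileForNtCreateSection;
    fsd->FastIoDispatch->AcquireFileForNtCreateSection = HookAcquireFileForNtCreateSection;
}
/* Model of the memory manager's call: it dispatches on the base FSD's driver object, which
 * is why a routine placed only in a filter's own FastIoDispatch table is never reached. */
void MmCreateSectionModel(DRIVER_OBJECT_STUB *base_fsd, FILE_OBJECT_STUB *f) {
    base_fsd->FastIoDispatch->AcquireFileForNtCreateSection(f);
}
/* Defender check: a live entry differing from the baseline captured at driver load is
 * exactly the kind of table patch the thread proposes. */
int FastIoEntryTampered(const DRIVER_OBJECT_STUB *drv, PFAST_IO_ACQUIRE_FOR_SECTION baseline) {
    return drv->FastIoDispatch->AcquireFileForNtCreateSection != baseline;
}

/* Constructed scenario. Returns 1 when the hook fired exactly once via the FSD table,
 * the FSD routine still ran each time, and the baseline check detected the patch. */
int RunScenario(void) {
    FAST_IO_DISPATCH_STUB fsd_table = { FsdAcquireFileForNtCreateSection };
    DRIVER_OBJECT_STUB fsd = { "fsd-stub", &fsd_table };
    FILE_OBJECT_STUB file = { "\\constructed\\mapped.bin" };
    PFAST_IO_ACQUIRE_FOR_SECTION baseline = fsd_table.AcquireFileForNtCreateSection;
    g_fsd_calls = g_hook_calls = 0;
    MmCreateSectionModel(&fsd, &file);            /* before patching: FSD only */
    if (g_hook_calls != 0 || g_fsd_calls != 1 || FastIoEntryTampered(&fsd, baseline)) return 0;
    InstallAcquireHook(&fsd);
    MmCreateSectionModel(&fsd, &file);            /* after patching: hook, then FSD */
    return g_hook_calls == 1 && g_fsd_calls == 2 && FastIoEntryTampered(&fsd, baseline);
}
```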