How can I fix this problem?

First, thank you all for your attention; please help me.
I developed a filter driver based on sfilter. The main purpose of the driver is to deny access to certain special files, so I changed SfCreate.
In my SfCreate, I just return an error status before the IRP completes if I find that the file should not be accessed by the process.

//
// Body of the sfilter-based SfCreate dispatch routine as posted (the
// signature and opening brace are not part of the listing). It fails opens
// of the control device object, optionally looks up the file name, and then
// either passes the create down untouched or waits for the lower drivers to
// finish it, logs the result and completes the IRP itself.
//
// status   - receives the results of the name-lookup and IoCallDriver calls
// fileName - name control filled in by NLGetFullPathName; stays NULL when
//            the lookup branch is skipped or the allocation fails
//
NTSTATUS status;
PNAME_CONTROL fileName = NULL;
PSFILTER_DEVICE_EXTENSION devExt = (PSFILTER_DEVICE_EXTENSION)(DeviceObject->DeviceExtension);
PIO_STACK_LOCATION irpSp = IoGetCurrentIrpStackLocation( Irp );
BOOLEAN cacheName;
PAGED_CODE();
//
// If this is for our control device object, don't allow it to be opened.
//
if (IS_MY_CONTROL_DEVICE_OBJECT(DeviceObject)) {
//
// Sfilter doesn't allow for any communication through its control
// device object, therefore it fails all requests to open a handle
// to its control device object.
//
// See the FileSpy sample for an example of how to allow creates to
// the filter's control device object and manage communication via
// that handle.
//
// The status stored in the IRP and the status returned are the same
// value, and the IRP is not touched after IoCompleteRequest.
//
Irp->IoStatus.Status = STATUS_INVALID_DEVICE_REQUEST;
Irp->IoStatus.Information = 0;
IoCompleteRequest( Irp, IO_NO_INCREMENT );
return STATUS_INVALID_DEVICE_REQUEST;
}
ASSERT(IS_MY_DEVICE_OBJECT( DeviceObject ));

//
// If debugging is enabled, do the processing required to see the packet
// upon its completion. Otherwise, let the request go with no further
// processing.
//
// NOTE(review): this pass-through runs whenever none of the three SfDebug
// flags is set, so an access check placed further down in this routine is
// never reached in that configuration. A deny policy should not depend on
// debug flags.
//
if (!FlagOn( SfDebug, SFDEBUG_DO_CREATE_COMPLETION |
SFDEBUG_GET_CREATE_NAMES|
SFDEBUG_DISPLAY_CREATE_NAMES )) {
//
// We don't want to get filenames, display filenames, or
// call our completion routine. Don't put us on the stack
// and call the next driver.
//
IoSkipCurrentIrpStackLocation( Irp );
return IoCallDriver( ((PSFILTER_DEVICE_EXTENSION) DeviceObject->DeviceExtension)->NLExtHeader.AttachedToDeviceObject,
Irp );
}
//
// The name lookup below is also conditional: it runs only when one of the
// two name-related debug flags is set and SFDEVFL_DISABLE_VOLUME is clear.
// When it is skipped, fileName is still NULL afterwards.
//
if (FlagOn( SfDebug, SFDEBUG_GET_CREATE_NAMES |
SFDEBUG_DISPLAY_CREATE_NAMES ) &&
!FlagOn(devExt->Flags,SFDEVFL_DISABLE_VOLUME)) {
//
// Debugging specifies that we need to get the filename
//
NAME_LOOKUP_FLAGS LookupFlags = 0x00000000;
//
// If DosName has been set, indicate via flags that we
// want to use it when getting the full file name.
//
if (devExt->NLExtHeader.DosName.Length != 0) {
SetFlag( LookupFlags, NLFL_USE_DOS_DEVICE_NAME );
}
//
// Indicate we are in pre-create
//
SetFlag( LookupFlags, NLFL_IN_CREATE );
if (FlagOn( irpSp->Parameters.Create.Options, FILE_OPEN_BY_FILE_ID )) {
//
// The file is being opened by ID, not file name.
//
SetFlag( LookupFlags, NLFL_OPEN_BY_ID );
}
if (FlagOn( irpSp->Flags, SL_OPEN_TARGET_DIRECTORY )) {
//
// The file's parent directory should be opened
//
SetFlag( LookupFlags, NLFL_OPEN_TARGET_DIR );
}

//
// Retrieve the file name. Note that in SFilter we don't do any name
// caching.
//
status = NLAllocateNameControl( &fileName, &gSfNameBufferLookasideList );
if (NT_SUCCESS( status )) {
//
// We are okay not checking the return value here because
// the GetFullPathName function will set the Unicode String
// length to 0. So either way, in an error it will print an empty string
//
// NOTE(review): that reasoning covers printing only. If the name is
// used for an access decision, the lookup status should be checked
// and a failed or empty lookup handled explicitly (allow or deny is
// a policy choice - TODO decide). fileName is NULL if the allocation
// above failed.
//
status = NLGetFullPathName( irpSp->FileObject,
fileName,
&devExt->NLExtHeader,
LookupFlags,
&gSfNameBufferLookasideList,
&cacheName );
}
}
/******************************************************************************/
/****************************************************************************
Poster's note: at this point I check fileName, and if it is the file that
I want to protect, I complete the IRP and return an error:

Irp->IoStatus.Status = INVALID_REQUREST
(as written by the poster; presumably an NTSTATUS failure code is meant)

NOTE(review): the actual check and completion code is not shown. Points to
confirm in it:
 - fileName is non-NULL before fileName->Name is read (it is NULL when the
   lookup branch above was skipped or the allocation failed);
 - the name control is released with NLFreeNameControl before returning,
   as both branches below do, otherwise every denied open leaks one;
 - the routine returns the same status it stored in Irp->IoStatus.Status
   and does not touch the IRP after IoCompleteRequest;
 - when NLFL_OPEN_TARGET_DIR was set above (SL_OPEN_TARGET_DIRECTORY
   creates), the name obtained may not be the final target file name -
   TODO confirm what the name lookup returns in that case before matching.
A check that lives only in the create path does not see the rename request
itself, which arrives as a separate set-information request.
****************************************************************************/
if (FlagOn( SfDebug, SFDEBUG_DISPLAY_CREATE_NAMES |
SFDEBUG_DO_CREATE_COMPLETION ) &&
!FlagOn(devExt->Flags,SFDEVFL_DISABLE_VOLUME)) {
//
// Debugging flags indicate we must do completion.
// Note that to display file names we must do completion
// because we don't know IoStatus.Status and IoStatus.Information
// until post-create.
//
KEVENT waitEvent;
//
// Initialize an event to wait for the completion routine to occur
//
KeInitializeEvent( &waitEvent, NotificationEvent, FALSE );
//
// Copy the stack and set our Completion routine
//
// waitEvent lives on this routine's stack and is handed to
// SfCreateCompletion as its context, so this routine must not return
// before the completion routine has run. SfCreateCompletion is not shown;
// presumably it signals the event and stops completion processing, since
// this routine calls IoCompleteRequest itself further down - confirm.
//
IoCopyCurrentIrpStackLocationToNext( Irp );
IoSetCompletionRoutine(
Irp,
SfCreateCompletion,
&waitEvent,
TRUE,
TRUE,
TRUE );
//
// Call the next driver in the stack.
//
status = IoCallDriver( devExt->NLExtHeader.AttachedToDeviceObject, Irp );
//
// Wait for the completion routine to be called
//
if (STATUS_PENDING == status) {
NTSTATUS localStatus = KeWaitForSingleObject( &waitEvent,
Executive,
KernelMode,
FALSE,
NULL );
ASSERT(STATUS_SUCCESS == localStatus);
}
//
// Verify the IoCompleteRequest was called
//
ASSERT(KeReadStateEvent(&waitEvent) ||
!NT_SUCCESS(Irp->IoStatus.Status));
//
// If debugging indicates we should display file names, do it.
//
// NOTE(review): fileName is dereferenced in both log calls without a
// NULL check. SF_LOG_PRINT presumably evaluates its arguments only when
// SFDEBUG_DISPLAY_CREATE_NAMES is set - verify against the macro.
//
if (irpSp->Parameters.Create.Options & FILE_OPEN_BY_FILE_ID) {
SF_LOG_PRINT( SFDEBUG_DISPLAY_CREATE_NAMES,
(“SFilter!SfCreate: OPENED fo=%p %08x:%08x %wZ (FID)\n”,
irpSp->FileObject,
Irp->IoStatus.Status,
Irp->IoStatus.Information,
&fileName->Name) );
} else {
SF_LOG_PRINT( SFDEBUG_DISPLAY_CREATE_NAMES,
(“SFilter!SfCreate: OPENED fo=%p st=%08x:%08x %wZ\n”,
irpSp->FileObject,
Irp->IoStatus.Status,
Irp->IoStatus.Information,
&fileName->Name) );
}
//
// Release the name control structure if we have one
//
if (fileName != NULL) {
NLFreeNameControl( fileName, &gSfNameBufferLookasideList );
}
//
// Save the status and continue processing the IRP
//
// The status is copied out first because the IRP must not be read
// after IoCompleteRequest.
//
status = Irp->IoStatus.Status;
IoCompleteRequest( Irp, IO_NO_INCREMENT );
return status;
} else {
//
// Free the name control if we have one
//
if (fileName != NULL) {
NLFreeNameControl( fileName, &gSfNameBufferLookasideList );
}
//
// Debugging flags indicate we did not want to display the file name
// or call completion routine.
// (ie SFDEBUG_GET_CREATE_NAMES && !SFDEBUG_DO_CREATE_COMPLETION)
//
IoSkipCurrentIrpStackLocation( Irp );
return IoCallDriver( ((PSFILTER_DEVICE_EXTENSION) DeviceObject->DeviceExtension)->NLExtHeader.AttachedToDeviceObject,
Irp );
}
}

My driver worked well on a newly installed Windows XP SP3 system, but after I installed Norton Antivirus Enterprise Edition V10.0.2, I get a BSOD with error code c0000005.

I debugged it in WinDbg and checked the dump file; it told me that the BSOD occurred in SfFastIoRead:

//
// Fragment of SfFastIoRead as posted: forward the fast I/O read to the
// FastIoRead entry of the driver this filter is attached to, when that
// driver provides one. The lines that open the enclosing block are not part
// of the listing.
//
nextDeviceObject = ((PSFILTER_DEVICE_EXTENSION) DeviceObject->DeviceExtension)- >NLExtHeader.AttachedToDeviceObject;
ASSERT(nextDeviceObject);
fastIoDispatch = nextDeviceObject->DriverObject->FastIoDispatch;
// Only call through the table when the lower driver supplies this handler.
if (VALID_FAST_IO_DISPATCH_HANDLER( fastIoDispatch, FastIoRead )) {
return (fastIoDispatch->FastIoRead)(
FileObject,
FileOffset,
Length,
Wait,
LockKey,
Buffer,
IoStatus,
nextDeviceObject );
/********************************************************************************
Poster's note: WinDbg reported that the error occurred at the call above.

NOTE(review): c0000005 is an access violation. The listing alone does not
show whether the fault comes from one of the values passed here or from
inside the lower driver; the faulting address and the FileObject recorded
in the dump are needed to tell - TODO confirm.
*******************************************************************************/
}
}
return FALSE;

Would you please tell me what I should do to fix this problem? Thanks!!!

I trigger the BSOD by changing a file's name to the special file name that I want to protect. For example, I rename “a.txt” to “protect.txt”, and then I get a BSOD.

How do you complete the request?

You should have something there that looks like this:

// Deny pattern for a dispatch routine: store the failure status in the IRP,
// report zero bytes of information, complete the IRP, and return the same
// status. Anything the routine allocated earlier (for example a name
// buffer) has to be released before this point, and pIrp must not be
// touched after IoCompleteRequest.
pIrp->IoStatus.Status = STATUS_ACCESS_DENIED;

pIrp->IoStatus.Information = 0L;

IoCompleteRequest( pIrp, IO_NO_INCREMENT );

return STATUS_ACCESS_DENIED;

I do it like this, but it does not work well with Norton v10.