IRP_MJ_CLOSE

Hello all!
I’m very glad to hear from you all again. As always, I have some questions
about IRP_MJ_CLOSE for a memory-mapped file. Our driver
intercepts any file changes in the assigned folders. The test application
memory-maps its own file and writes to it in portions.
The section handle is kept by the application until the process ends.
The user file handle was closed before MapViewOfFile was invoked.
While tracking the file operations I found an interesting
thing: at some point, in the SectionObjectPointers->DataSectionObject
structure, the FileObject1 placed in it was changed to another
FileObject2 with the same context and SectionObjectPointers (as in
FileObject1). IRP_MJ_CREATE for FileObject2 does not come to me.
Yes, I know that it may be a StreamFileObject, but the FO_STREAM_FILE bit
(0x100) is not set in the FileObject2->Flags field.
Question: where does FileObject2 come from, and which part of the NT kernel
(LazyWriter, DirtyPagesWriter, or some other unmentioned OS part) will
work with it?
Grateful in advance to all the smart guys,
OlegN



> FileObject1). IRP_MJ_CREATE for FileObject2 does not come to me.
> Yes, I know that it may be a StreamFileObject, but the FO_STREAM_FILE bit
> (0x100) is not set in the FileObject2->Flags field.
> Question: where does FileObject2 come from, and which part of the NT kernel
> (LazyWriter, DirtyPagesWriter, or some other unmentioned OS part) will
> work with it?

Some NTFS internals I think.

Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
xxxxx@storagecraft.com
http://www.storagecraft.com