Kernel dll's, How will the IO manager react to their Creates?

Hi,

Still learning here and was hoping I could get a little insight on
kernel dll’s. Just finished reading the NT Insider article on this,
but I’m left with several questions.
http://www.osronline.com/article.cfm?id=171

First, how does the IO manager react if the kernel dll calls a function
like ZwCreateFile / ReadFile? Calling ZwCreateFile in
a FSFD will cause re-entry, but what about if the ZwCreateFile is called
from a kernel dll?

Second, am I completely wrong, or if the dll in the above example never
calls IoCreateDevice the Create generated by the
Zw… calls should never re-enter the FSFD’s stack? I’m kinda thinking
the IO Manager wouldn’t associate the created Irp
with the FS driver stack. (however, after the Zw… routines complete,
the info obtained would be sent back to the caller of the
dll function, for example a CRC)

I understand how Irp’s are passed from driver to driver down the stack,
but what happens when a dll is inserted and the dll
creates an Irp of its own; could someone explain this a little further
please (having trouble finding documentation on this).

Thanks for taking the time to read this, hopefully many of my questions
will be answered once Rajeev’s book is
republished (by the way, when will that be? Any updates Mr. Mason?)

Sorry if my question is stupid, but I’m a newbie so what do you expect :)

M.

Excuse me, I phrased that question horribly wrong… I’m going to
have to try again…

M.


Questions? First check the IFS FAQ at
https://www.osronline.com/article.cfm?id=17

You are currently subscribed to ntfsd as: xxxxx@comcast.net
To unsubscribe send a blank email to xxxxx@lists.osr.com

Let me try again: basically, can a kernel dll be used in a way that is
similar to the shadow device model to prevent
re-entry?

Basically this is what I’m getting at.

M.


Kernel DLLs don’t have anything to do with I/O manager
or FSFD stack or ZwAnything.

Imagine them as a part of your driver, just another module.
There is no other difference.

L.

Ok then, much of what I was reading made them sound like user mode
Dll’s; as a matter of fact a lot of
what I read drew straight comparisons. The articles made it sound as if
you could call a routine and it
would run in its own mem space and work independently of the driver.

So you're saying dll’s can not use Zw routines to read files? And if they
*could*, the Irp would re-enter my
driver anyways?

Ladislav Zezula wrote:

> Kernel DLLs don’t have anything to do with I/O manager
> or FSFD stack or ZwAnything.
> Imagine them as a part of your driver, just another module.
> There is no other difference.
>
> L.



> So you're saying dll’s can not use Zw routines to read files? And if they

No. I am saying that in kernel mode DLLs, you can do exactly
the same things as in drivers.

L.

> So you're saying dll’s can not use Zw routines to read files?

Of course you can.

Amitrajit

Ladislav, Developer:

> So you're saying dll’s can not use Zw routines to read files?

I misunderstood, misread, whatever you want to call it. Sheer
stupidity would also work… Sorry guys, half asleep here, been up all
night.

I was just wondering what happens to a Create request that is the
product of a dll. If I understand Ladislav, the Create Irp generated in
the dll will re-enter my driver just as if my driver called ZwCreateFile
itself. Right?

Just wanna make sure I got this straight, and sorry for not being clear
within my OP.
M.

MM wrote:

> Ladislav, Developer:
>
>> So you're saying dll’s can not use Zw routines to read files?
>
> I misunderstood, misread, whatever you want to call it. Sheer
> stupidity would also work… Sorry guys, half asleep here, been up all
> night.
>
> I was just wondering what happens to a Create request that is the
> product of a dll. If I understand Ladislav, the Create Irp generated in
> the dll will re-enter my driver just as if my driver called ZwCreateFile
> itself. Right?

Yes. The IRP_MJ_CREATE dispatch of the target device’s
driver is called, just like it is if any piece of code
calls ZwCreateFile.

(The fact that the code happened to be loaded into memory
from a ‘kernel dll’ has no relevance.)

Thanks,

Joseph
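
The routing described in the reply above, as an added user-mode C model that is not part of the original thread and is not WDK code. The `Device` struct, `model_zw_create_file`, the two caller functions and the name `\Device\ModelVolume` are all hypothetical; the model assumes a single filter attached above one file system device.

```c
/* User-mode model (constructed for illustration; not WDK code). */
#include <stddef.h>
#include <string.h>

typedef struct Device Device;
struct Device {
    Device *attached;                 /* device attached above this one, or NULL */
    Device *lower;                    /* next device down the stack, or NULL */
    int (*create)(Device *self);      /* stands in for the IRP_MJ_CREATE dispatch */
};

static int filter_creates_seen;       /* times the filter's create dispatch ran */
static int fs_creates_seen;           /* times the file system's create dispatch ran */

static int fs_create(Device *self) { (void)self; fs_creates_seen++; return 0; }

static int filter_create(Device *self) {
    filter_creates_seen++;                     /* the filter sees the create first */
    return self->lower->create(self->lower);   /* then passes it down the stack */
}

static Device fs_dev     = { NULL, NULL,    fs_create };
static Device filter_dev = { NULL, &fs_dev, filter_create };

/* Models the routing step of a create: resolve the name to a device, walk to
   the top of its stack, call that device's create dispatch. The calling
   module is not an input to any of these steps. */
static int model_zw_create_file(const char *name) {
    if (strcmp(name, "\\Device\\ModelVolume") != 0) return -1;  /* unknown name */
    Device *top = &fs_dev;
    while (top->attached) top = top->attached;
    return top->create(top);
}

/* The same call, issued by code packaged in two different modules. */
int create_from_driver_sys(void) { return model_zw_create_file("\\Device\\ModelVolume"); }
int create_from_kernel_dll(void) { return model_zw_create_file("\\Device\\ModelVolume"); }

/* Returns how many creates the filter saw after one call from each module. */
int filter_creates_after_both_calls(void) {
    filter_creates_seen = fs_creates_seen = 0;
    fs_dev.attached = &filter_dev;    /* attach the filter above the file system */
    create_from_driver_sys();
    create_from_kernel_dll();
    return filter_creates_seen;
}
```
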

> First, how does the IO manager react if the kernel dll calls a function
> like ZwCreateFile / ReadFile? Calling ZwCreateFile in
> a FSFD will cause re-entry, but what about if the ZwCreateFile is called
> from a kernel dll?

ZwCreateFile works the same be it called from the kernel DLL or from the usual
driver.

Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
xxxxx@storagecraft.com
http://www.storagecraft.com

Thank you sir,

"The IRP_MJ_CREATE dispatch of the target device’s
driver is called, "

That is exactly what I was wanting to know. I found some “bad” info
online the other night that implied otherwise…

M.

Joseph Galbraith wrote:

> MM wrote:
>
>> Ladislav, Developer:
>>
>>> So you're saying dll’s can not use Zw routines to read files?
>>
>> I misunderstood, misread, whatever you want to call it. Sheer
>> stupidity would also work… Sorry guys, half asleep here, been up
>> all night.
>>
>> I was just wondering what happens to a Create request that is the
>> product of a dll. If I understand Ladislav, the Create Irp generated
>> in the dll will re-enter my driver just as if my driver called
>> ZwCreateFile itself. Right?
>
> Yes. The IRP_MJ_CREATE dispatch of the target device’s
> driver is called, just like it is if any piece of code
> calls ZwCreateFile.
>
> (The fact that the code happened to be loaded into memory
> from a ‘kernel dll’ has no relevance.)
>
> Thanks,
>
> Joseph

