I’m trying to hide a magic string in the beginning of files in a special folder.
I modify all read/write off by adding the special string’s length to it.
I intercept IRP_MJ_SET_INFORMATION/IRP_MJ_QUERY_INFORMATION the following way:
in IRP_MJ_SET_INFORMATION:
I prevent any setting of the current byte offset to an offset smaller than my string’s length.
I also set the end of file offset’s minimum to be the string’s length and increase the allocation size (when needed) to the special string’s length.
in IRP_MJ_QUERY_INFORMATION:
I always report the file’s eof position, allocation size and current byte offset to be smaller by the special string’s length.
Read and Write work fine but I never get the “correct” (that is, the modified) file size in user space.
Have you also munged the data in the IRP_MJ_NETWORK_QUERY_OPEN path?
–Andrew
On 10/30/08 5:33 AM, in article xxxxx@ntfsd, “xxxxx@hotmail.com”
wrote:
> Hello.
>
> I’m trying to hide a magic string in the beginning of files in a special
> folder.
> I modify all read/write off by adding the special string’s length to it.
>
> I intercept IRP_MJ_SET_INFORMATION/IRP_MJ_QUERY_INFORMATION the following way:
>
> in IRP_MJ_SET_INFORMATION:
> I prevent any setting of the current byte offset to an offset smaller than my
> string’s length.
> I also set the end of file offset’s minimum to be the string’s length and
> increase the allocation size (when needed) to the special string’s length.
> in IRP_MJ_QUERY_INFORMATION:
> I always report the file’s eof position, allocation size and current byte
> offset to be smaller by the special string’s length.
>
> Read and Write work fine but I never get the “correct” (that is, the modified)
> file size in user space.
>
> Any ideas why?
>
> Ariel
My first impression is that you may be having trouble with keeping
consistency with memory mapped files. Cache Manager and NTFS have
un-filterable handshakes which help to keep VDL and EOF in sync.
In order to overcome this limitation you would have to use shadow file
objects so that you would own all the communication between CC and the
files.
On 10/31/08 10:54 AM, in article xxxxx@ntfsd, “xxxxx@hotmail.com”
wrote:
> Hey.
>
> Not yet - I’ll give it a go.
>
> I’m having trouble to execute files I added the header too - I think it has
> something to do with the EOF information, but nothing conclusive yet.
>
> Ariel
I did monitor the IRP_MJ_NETWORK_QUERY_OPEN path, but it isn’t called for any “interesting file”
As for caching - I disable all caching in the system, and right now I just want it to execute…
I think I mess up the replies somehow, but can’t seem to find out how.
When I try to execute a program, say the windows calculator (calc.exe), I get a prompt saying the program is too big to fit in memory.
Web Results 1 - 10 of about 2,240 for program too big oldnewthing. (0.21 seconds)
Search Results
The Old New Thing : Why does a corrupted binary sometimes result … re: Why does a corrupted binary sometimes result in “Program too big to fit in memory”? Monday, January 30, 2006 2:48 PM by oldnewthing …
blogs.msdn.com/oldnewthing/archive/2006/01/30/519388.aspx - 64k - Cached - Similar pages
please pardon me if it appears like a bad joke
regards
raj_r
On 11/2/08, xxxxx@hotmail.com wrote:
> Hello Andrew.
>
> I did monitor the IRP_MJ_NETWORK_QUERY_OPEN path, but it isn’t called for any “interesting file”
> As for caching - I disable all caching in the system, and right now I just want it to execute…
> I think I mess up the replies somehow, but can’t seem to find out how.
>
> When I try to execute a program, say the windows calculator (calc.exe), I get a prompt saying the program is too big to fit in memory.
>
> Ariel.
>
> —
> NTFSD is sponsored by OSR
>
> For our schedule debugging and file system seminars
> (including our new fs mini-filter seminar) visit:
> http://www.osr.com/seminars
>
> You are currently subscribed to ntfsd as: xxxxx@gmail.com
> To unsubscribe send a blank email to xxxxx@lists.osr.com
Hehe, that’s a problem.
Nothing comes to mind for that error. Could you send the exact error code
which is being propagated?
How did you disable all caching in the system? I can see you turning off the
pagefile, and thus turning off the paging IO. However, I don’t think you
will be able to turn off Cache Manager for memory mapped files (which is the
case which will not work).
–Andrew Thomson
–Microsoft
On 11/2/08 12:35 AM, in article xxxxx@ntfsd, “xxxxx@hotmail.com”
wrote:
> Hello Andrew.
>
> I did monitor the IRP_MJ_NETWORK_QUERY_OPEN path, but it isn’t called for any
> “interesting file”
> As for caching - I disable all caching in the system, and right now I just
> want it to execute…
> I think I mess up the replies somehow, but can’t seem to find out how.
>
> When I try to execute a program, say the windows calculator (calc.exe), I get
> a prompt saying the program is too big to fit in memory.
>
> Ariel.
Does the “special string” need to be at the beginning of the file, could
you write it to an ADS instead?
-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of xxxxx@hotmail.com
Sent: 30 October 2008 12:33
To: Windows File Systems Devs Interest List
Subject: [ntfsd] Manipulating
IRP_MJ_SET_INFORMATION/IRP_MJ_QUERY_INFORMATION
Hello.
I’m trying to hide a magic string in the beginning of files in a special
folder.
I modify all read/write off by adding the special string’s length to it.
I intercept IRP_MJ_SET_INFORMATION/IRP_MJ_QUERY_INFORMATION the
following way:
in IRP_MJ_SET_INFORMATION:
I prevent any setting of the current byte offset to an offset smaller
than my string’s length.
I also set the end of file offset’s minimum to be the string’s length
and increase the allocation size (when needed) to the special string’s
length.
in IRP_MJ_QUERY_INFORMATION:
I always report the file’s eof position, allocation size and current
byte offset to be smaller by the special string’s length.
Read and Write work fine but I never get the “correct” (that is, the
modified) file size in user space.
Any ideas why?
Ariel
-----Original Message-----
From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com] On Behalf Of xxxxx@hotmail.com
Sent: Monday, November 03, 2008 3:53 AM
To: Windows File Systems Devs Interest List
Subject: RE:[ntfsd] Manipulating IRP_MJ_SET_INFORMATION/IRP_MJ_QUERY_INFORMATION
Andrew - I wasn’t exact about caching, in the pre create method for all “interesting” files I do the following:
Oh, I can’t use streams since I need to support FAT and CIFS as well…
What if somebody opens your file with FILE_FLAG_NO_BUFFERING?
In this mode i/o must be aligned on sector (or cluster?) size.
So you can’t just shift the offset by arbitrary number < sector size.
Pavel - Anticipating the problem, I use the file’s volume object to find out a sector size (in my case, it’s 0x200) just like in swapBuffers, to always shift read/write/set/query (annotate as ‘all operations’ starting now) by a full sector.
The problem persists.
I found out that the only IRP_MJ_SET_INFORMATION I receive is of type FileEndOfFileInformation.
Another thing I found was that when I viewed the file as binary my header was added correctly to the beginning of it, but the file was 1 sector size too long e.g:
calc.exe was originally 0x1c000 long and after my header (of length 0x200) was added it was 0x1c600.
I don’t understand this behavior.
Well, it’s not working - is the logic of ALWAYS reporting the allocation size/EOF to be less by one sector’s length and setting the allocation size/EOF to be longer by one sector’s length right?
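The shift arithmetic debated in this thread, as an added user-mode model (not code from any poster and not driver code): it rounds the header up to whole sectors so non-buffered I/O stays aligned, applies the shift once on the set path and once on the query path, and refuses to subtract from a file too short to hold the header. All type and function names are hypothetical, the 5-byte magic length is constructed, and the sector size 0x200 and file size 0x1c000 are the values quoted above.

```c
#include <stdbool.h>
#include <stdint.h>

/* Model of the three values the thread shifts; names are hypothetical. */
typedef struct {
    uint64_t end_of_file;     /* logical size in bytes */
    uint64_t allocation_size; /* space reserved on disk */
    uint64_t byte_offset;     /* current file position */
} file_view;

/* Round the magic length up to whole sectors: non-buffered I/O needs
   sector-multiple offsets, so the shift itself must be a sector multiple. */
uint64_t header_span(uint64_t magic_len, uint64_t sector) {
    return (magic_len + sector - 1) / sector * sector;
}

/* Set path: values the application asks for -> values sent down. */
file_view to_disk(file_view app, uint64_t span) {
    file_view d = { app.end_of_file + span, app.allocation_size + span,
                    app.byte_offset + span };
    return d;
}

/* Query path: on-disk values -> values reported up. Fails instead of
   underflowing when the file cannot contain the header at all. */
bool to_app(file_view disk, uint64_t span, file_view *app) {
    if (disk.end_of_file < span || disk.allocation_size < span)
        return false;
    app->end_of_file = disk.end_of_file - span;
    app->allocation_size = disk.allocation_size - span;
    app->byte_offset = disk.byte_offset < span ? 0 : disk.byte_offset - span;
    return true;
}

/* Invariant: a query after a set must return exactly what was set. */
bool round_trip_ok(uint64_t eof, uint64_t alloc, uint64_t pos, uint64_t span) {
    file_view app = { eof, alloc, pos }, back;
    return to_app(to_disk(app, span), span, &back) && back.end_of_file == eof &&
           back.allocation_size == alloc && back.byte_offset == pos;
}

/* Bytes on disk beyond header + application data; nonzero means the
   on-disk size does not correspond to a single shift of `span`. */
uint64_t surplus_on_disk(uint64_t app_eof, uint64_t disk_eof, uint64_t span) {
    uint64_t expected = app_eof + span;
    return disk_eof > expected ? disk_eof - expected : 0;
}

int main(void) {
    uint64_t span = header_span(5, 0x200); /* constructed 5-byte magic */
    return round_trip_ok(0x1c000, 0x1c000, 0, span) ? 0 : 1;
}
```

Comparing `surplus_on_disk` against the size seen in a hex viewer separates a bookkeeping error in the set path from a reporting error in the query path.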