Hi folks,
I’ve written a filter driver that sits above the NTFS file system to
encrypt data. On receiving a create/open request for an encrypted file, my
driver processes the IRP and handles all further operations for the file.
The filtered file system never receives requests for these files. This
works fine for normal file access.
However, when opening the file for memory mapped access, I get an access
violation in NTFS (details below). This occurs during the processing of
CreateFileMapping. What is worrying is that my driver never receives an IRP
or FastIO call to process this function, the processing goes straight to
NTFS, which knows nothing about my FILE_OBJECT. The exception is caused
when NTFS tries to read its FsContext structure, which is smaller than in
my driver, hitting unallocated memory.
Has anyone seen anything like this before? Do you know how I can stop NTFS
from receiving this processing request?
Many thanks,
Andy
The windbg stack dump is as follows:
Windows 2000 Professional Checked
813d95e8 00000000 f70fccbc Ntfs!NtfsDeleteFile+0x429
813d95e8 00000000 80063418 ntoskrnl!VdmSkipNpxInstruction+0x68
f70fcd10 000f0005 00000000 ntoskrnl!IoWMISystemControl+0x425
0012f804 000f0005 00000000 ntoskrnl!CmGetSystemControlValues+0x94
badb0d00 0012f7b0 12345678 ntoskrnl!MmFlushVirtualMemory+0x94
00000054 00000000 00000002 NTDLL!RtlpStatusTable+0x3e3
fe0000c6 563074ff dd2f0868 Win32 Test Harness+0x2016
00000000 00000000 00000000 0xf70c758b
Windows 2000 Professional Free
814fd488 08000000 f74b1cc8 Ntfs!NtfsAcquireForCreateSection+0x11
814fd488 00000000 00000000 ntoskrnl!FsRtlAcquireFileExclusive+0x32
f74b1d1c 000f0005 00000000 ntoskrnl!MmCreateSection+0x238
0012f810 000f0005 00000000 ntoskrnl!NtCreateSection+0x129
0012f810 000f0005 00000000 ntoskrnl!KiSystemService+0xc4
00000058 00000000 00000002 ntdll!ZwCreateSection+0xb
00000058 00000000 00000002 0x402016
fe0000c6 42850fff 8b0002ae 0x402016
00000000 00000000 00000000 0xf70c758b
You are currently subscribed to ntfsd as: $subst(‘Recip.EmailAddr’)
To unsubscribe send a blank email to leave-ntfsd-$subst(‘Recip.MemberIDChar’)@lists.osr.com