Minifilter not intercepting IRP_MJ_WRITE, when a file is copied

Very interesting discussion, lots of questions about details and no
answers for them.

Slava,

I must admit you were right. I didn’t understand you right away because of
my English. I can read manuals well, can read conversations not well, and
can write badly.

As for my DMK, it’s protected against the deadlock only because before
writing to the underlying FSD I copy the original buffer to a temporary one and
complete the original paging write. But I use non-cached I/O anyway to avoid
double file caching. As for converting non-cached to cached, now I
completely agree with you that this is OK and this couldn’t lead to
something bad. I just reversed NTFS and saw that if I have a compressed file, NTFS
will convert non-cached to cached. This would be write-through caching, but
NTFS will set this flag for the FILE_OBJECT after it calls CcCanIWrite. So there
is a place for deadlock with bad DMK design.

Hi Anatoly/Slavaim,

Thanks for the help.
Now I can intercept the write IRP using the way you mentioned.

On Mon, Nov 21, 2016 at 1:24 AM, Anatoly Mikhailov
wrote:

> Slava,
>
> I must admit you were right. I didn’t understand you right away because of
> my English. I can read manuals well, can read conversations not well, and
> can write badly.
>
> As for my DMK, it’s protected against the deadlock only because before
> writing to the underlying FSD I copy the original buffer to a temporary one and
> complete the original paging write. But I use non-cached I/O anyway to avoid
> double file caching. As for converting non-cached to cached, now I
> completely agree with you that this is OK and this couldn’t lead to
> something bad. I just reversed NTFS and saw that if I have a compressed file, NTFS
> will convert non-cached to cached. This would be write-through caching, but
> NTFS will set this flag for the FILE_OBJECT after it calls CcCanIWrite. So there
> is a place for deadlock with bad DMK design.

Hi all,

Now I need help with one more thing.
I want to map a network share to X: and only encrypt/decrypt the reads and writes to X:
I am trying to get the NT device name of X: using the function ZwQuerySymbolicLinkObject.
Using Object Viewer, I found the symbolic link \Sessions\0\DosDevices\00000000-0000xxxx\X:
The 16-digit value (00000000-0000xxxx) varies from system to system.
Please help me find a clean way of doing this.