Leaving the code aside… It’s very strange that you are getting a callback
for IRP_MJ_WRITE (0x04).
I would recommend that you make sure that you have the END marker in the
callbacks array. And then do a clean build once again.
Regards,
Ayush Gupta
AI Consulting
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Manav Deshmukh
Sent: Saturday, April 03, 2010 2:25 AM
To: Windows File Systems Devs Interest List
Subject: Re: [ntfsd] Minispy filter on XP
FLT_PREOP_CALLBACK_STATUS
SpyPreOperationCallback (
__inout PFLT_CALLBACK_DATA Data,
__in PCFLT_RELATED_OBJECTS FltObjects,
__deref_out_opt PVOID *CompletionContext
)
{
FLT_PREOP_CALLBACK_STATUS returnStatus = FLT_PREOP_SUCCESS_NO_CALLBACK;
PRECORD_LIST recordList;
PFLT_FILE_NAME_INFORMATION nameInfo = NULL;
UNICODE_STRING defaultName;
PUNICODE_STRING nameToUse;
NTSTATUS status;
#if MINISPY_NOT_W2K
WCHAR name[MAX_NAME_SPACE/sizeof(WCHAR)];
#endif
recordList = SpyNewRecord();
if (recordList) {
if (FltObjects->FileObject != NULL) {
status = FltGetFileNameInformation( Data,
FLT_FILE_NAME_NORMALIZED |
MiniSpyData.NameQueryMethod,
&nameInfo );
} else {
status = STATUS_UNSUCCESSFUL;
}
if (NT_SUCCESS( status )) {
nameToUse = &nameInfo->Name;
if (FlagOn( MiniSpyData.DebugFlags, SPY_DEBUG_PARSE_NAMES )) {
status = FltParseFileNameInformation( nameInfo );
ASSERT(NT_SUCCESS(status));
}
} else {
#if MINISPY_NOT_W2K
NTSTATUS lstatus;
PFLT_FILE_NAME_INFORMATION lnameInfo;
//
// If we couldn’t get the “normalized” name try and get the
// “opened” name
//
if (FltObjects->FileObject != NULL) {
//
// Get the opened name
//
lstatus = FltGetFileNameInformation( Data,
FLT_FILE_NAME_OPENED |
FLT_FILE_NAME_QUERY_ALWAYS_ALLOW_CACHE_LOOKUP,
&lnameInfo );
if (NT_SUCCESS(lstatus)) {
#pragma prefast(suppress:__WARNING_BANNED_API_USAGE, “reviewed and safe
usage”)
(VOID)_snwprintf( name,
sizeof(name)/sizeof(WCHAR),
L"<%08x> %wZ",
status,
&lnameInfo->Name );
FltReleaseFileNameInformation( lnameInfo );
} else {
//
// If that failed report both NORMALIZED status and
// OPENED status
//
#pragma prefast(suppress:__WARNING_BANNED_API_USAGE, “reviewed and safe
usage”)
(VOID)_snwprintf( name,
sizeof(name)/sizeof(WCHAR),
L"OpenedStatus=%08x>",
status,
lstatus );
}
} else {
#pragma prefast(suppress:__WARNING_BANNED_API_USAGE, “reviewed and safe
usage”)
(VOID)snwprintf( name,
sizeof(name)/sizeof(WCHAR),
L"" );
}
RtlInitUnicodeString( &defaultName, name );
nameToUse = &defaultName;
#else
//
// We were unable to get the String safe routine to work on W2K
// Do it the old safe way
//
RtlInitUnicodeString( &defaultName, L"" );
nameToUse = &defaultName;
#endif //MINISPY_NOT_W2K
}
SpySetRecordName( &(recordList->LogRecord), nameToUse );
if (NULL != nameInfo) {
FltReleaseFileNameInformation( nameInfo );
}
SpyLogPreOperationData( Data, FltObjects, recordList );
if (Data->Iopb->MajorFunction == IRP_MJ_SHUTDOWN) {
SpyPostOperationCallback( Data,
FltObjects,
recordList,
0 );
returnStatus = FLT_PREOP_SUCCESS_NO_CALLBACK;
} else {
*CompletionContext = recordList;
returnStatus = FLT_PREOP_SUCCESS_WITH_CALLBACK;
}
}
return returnStatus;
}
FLT_POSTOP_CALLBACK_STATUS
SpyPostOperationCallback (
inout PFLT_CALLBACK_DATA Data,
in PCFLT_RELATED_OBJECTS FltObjects,
in PVOID CompletionContext,
in FLT_POST_OPERATION_FLAGS Flags
)
{
PRECORD_LIST recordList;
PRECORD_LIST reparseRecordList = NULL;
PLOG_RECORD reparseLogRecord;
PFLT_TAG_DATA_BUFFER tagData;
ULONG copyLength;
UNREFERENCED_PARAMETER( FltObjects );
recordList = (PRECORD_LIST)CompletionContext;
if (FlagOn(Flags,FLTFL_POST_OPERATION_DRAINING)) {
SpyFreeRecord( recordList );
return FLT_POSTOP_FINISHED_PROCESSING;
}
SpyLogPostOperationData( Data, recordList );
if (tagData = Data->TagData) {
reparseRecordList = SpyNewRecord();
if (reparseRecordList) {
//
// only copy the DATA portion of the information
//
RtlCopyMemory( &reparseRecordList->LogRecord.Data,
&recordList->LogRecord.Data,
sizeof(RECORD_DATA) );
reparseLogRecord = &reparseRecordList->LogRecord;
copyLength = FLT_TAG_DATA_BUFFER_HEADER_SIZE +
tagData->TagDataLength;
if(copyLength > MAX_NAME_SPACE) {
copyLength = MAX_NAME_SPACE;
}
//
// Copy reparse data
//
RtlCopyMemory(
&reparseRecordList->LogRecord.Name[0],
tagData,
copyLength
);
reparseLogRecord->RecordType |= RECORD_TYPE_FILETAG;
reparseLogRecord->Length += (ULONG) ROUND_TO_SIZE( copyLength,
sizeof( PVOID ) );
}
}
SpyLog( recordList );
if (reparseRecordList) {
SpyLog( reparseRecordList );
}
if ((FltObjects->Transaction != NULL) &&
(Data->Iopb->MajorFunction == IRP_MJ_CREATE) &&
(Data->IoStatus.Status == STATUS_SUCCESS)) {
SpyEnlistInTransaction( FltObjects );
}
return FLT_POSTOP_FINISHED_PROCESSING;
}
On Fri, Apr 2, 2010 at 1:20 PM, Ayush Gupta wrote:
Post your pre callback and post callback functions.
Regards,
Ayush Gupta
AI Consulting
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Manav Deshmukh
Sent: Saturday, April 03, 2010 1:35 AM
To: Windows File Systems Devs Interest List
Subject: Re: [ntfsd] Minispy filter on XP
Here is my callback registration function.
CONST FLT_OPERATION_REGISTRATION Callbacks[] = {
{ IRP_MJ_CREATE,
0,
SpyPreOperationCallback,
SpyPostOperationCallback },
{ IRP_MJ_SHUTDOWN,
0,
SpyPreOperationCallback,
NULL },
{ IRP_MJ_OPERATION_END }
};
On Fri, Apr 2, 2010 at 12:57 PM, Lijun Wang wrote:
Check your FLT_OPERATION_REGISTRATION definition. Did you put an end marker
to the end of the structure? Otherwise, filter manager may use some
uninitialized data and treat them as your callback address.
Lijun
From: Manav Deshmukh
To: Windows File Systems Devs Interest List
Sent: Fri, April 2, 2010 2:59:06 PM
Subject: [ntfsd] Minispy filter on XP
Hi
I have compiled minispy filter driver from WinDDK\6001.18001 on windows XP
(32-bit). I just have following two callbacks registered.
{ IRP_MJ_CREATE,
0,
SpyPreOperationCallback,
SpyPostOperationCallback },
{ IRP_MJ_SHUTDOWN,
0,
SpyPreOperationCallback,
NULL },
This filter is attached to E drive. (USB drive)
I am trying to copy a file from C drive to say E drive. On windows XP SP2,
this driver works fine, I get 9 precallbacks and corresponding 9
postcallbacks. On Windows XP SP3, I am getting additional postcallbacks.
Data->Flags = 0x80001
Data->iopb->IrpFlags = 0x43
Data->Iopb->MajorFunction =0x04
Not sure why I am getting this callback? Am I missing something? This
driver crashes as allocations are done in preallback function and
CompletionContext is not checked for NULL value before accessing the
recordList.
Regards -Manav
— NTFSD is sponsored by OSR For our schedule of debugging and file system
seminars (including our new fs mini-filter seminar) visit:
http://www.osr.com/seminars To unsubscribe, visit the List Server section of
OSR Online at http://www.osronline.com/page.cfm?name=ListServer
—
NTFSD is sponsored by OSR
For our schedule of debugging and file system seminars
(including our new fs mini-filter seminar) visit:
http://www.osr.com/seminars
To unsubscribe, visit the List Server section of OSR Online at
http://www.osronline.com/page.cfm?name=ListServer
— NTFSD is sponsored by OSR For our schedule of debugging and file system
seminars (including our new fs mini-filter seminar) visit:
http://www.osr.com/seminars To unsubscribe, visit the List Server section of
OSR Online at http://www.osronline.com/page.cfm?name=ListServer
—
NTFSD is sponsored by OSR
For our schedule of debugging and file system seminars
(including our new fs mini-filter seminar) visit:
http://www.osr.com/seminars
To unsubscribe, visit the List Server section of OSR Online at
http://www.osronline.com/page.cfm?name=ListServer
— NTFSD is sponsored by OSR For our schedule of debugging and file system
seminars (including our new fs mini-filter seminar) visit:
http://www.osr.com/seminars To unsubscribe, visit the List Server section of
OSR Online at http://www.osronline.com/page.cfm?name=ListServer