Hello,
I am working on a filter driver for some time. It filters various kinds
of devices including CD/DVD and memory card reader. Right now, I am
attempting to detect a situation when a media (CD/DVD, memory card…)
is removed from the device. When the media is formatted with certain
file system, such as FAT or CDFS, the corresponding volume is not
dismounted; its VDO is not removed.
I used the IrpTracker tool to do some monitoring and found that the file
system driver periodically checks whether a media is inserted in the
device. The IRP, however, is not sent to the top device in the storage
stack but is directly passed to the device on which the file system
(VDO) is mounted. The same applies for communication between the file
system driver and underlying storage stack.
Is there a way how to monitor the communication between file system
driver and the corresponding device in device stack? For example, it is
possible to force the FS driver to communicate with a different device
than on which the file system is mounted? I am looking for a kind of
documented way, no hooking is desirable if possible.
To give an example:
A media is isnerted into the CD-ROM drive. The file system is
represented by an unnamed device of the CDFS file system driver and is
mounted on the \Device\CdRom0 device. I need to monitor communication
made between the file system and the \Device\CdRom0 device.
Thanks for any help and suggestions.
Best regards
Martin Dráb
Dne 11. 7. 2014 15:00, Scott Noone napsal(a):
This is why kernel HANDLEs exist. See the OBJ_KERNEL_HANDLE flag.
-scott
OSR
@OSRDriverswrote in message news:xxxxx@ntfsd…
In defferent places we have different process contexts… and handle
opened in one process context became invalid in other, so for instance i
can’t close handle in FilterMessage callback that was opened in system
process context during driver entry routine.Is the best way to use FltQueueGenericWorkItem approach and Queue all
open-close handles operations to system process context?
That makes code less readble and more complex… but i don’t see other
choise.
NTFSD is sponsored by OSR
OSR is hiring!! Info at http://www.osr.com/careers
For our schedule of debugging and file system seminars visit:
http://www.osr.com/seminarsTo unsubscribe, visit the List Server section of OSR Online at
http://www.osronline.com/page.cfm?name=ListServer