Need some help with Shadow Device!!!

Hi All,

I need some help getting a shadow device to work properly. I can open a
file through my Shadow device from user mode, but if I do it from my
normal hook routine, I get a blue screen.

I am trying to open a file while I am processing an IRP_MJ_CREATE in a
filter that is monitoring LanmanRedirector.

  1. So I have created a normal device and attached it to
    LanmanRedirector. Since I only plan on hooking LanmanRedirector, I
    store the device object handle in a global var called realdevice. This
    is set to the handle I get back from IoAttachDeviceToDeviceStack.

  2. I also have created another device called MyShadowDevice. It is not
    attached to anything. Created a symbolic link for it called
    MyShadowFilter.

  3. In my dispatch routine I look at the DeviceExtension, if it is of type
    shadow it goes to MyShadowHook, if not it goes to my normal hook.

  4. From user mode I open
    \\.\Global\MyShadowFilter\computer\share\a.txt
    and this works ok, I can open and read the file.

  5. If I try to open the same file using ZwCreateFile
    \Device\MyShadowFilter\computer\share\a.txt
    in my normal hook routine, I get a blue screen.

My shadow hook Routine looks like this:

    NTSTATUS
    GXHSMShadowHookRoutine(
        PDEVICE_OBJECT HookDevice,
        IN PIRP Irp
        )
    {
        PIO_STACK_LOCATION currentIrpStack =
            IoGetCurrentIrpStackLocation(Irp);
        PIO_STACK_LOCATION nextIrpStack =
            IoGetNextIrpStackLocation(Irp);

        PFILE_OBJECT FileObject = NULL;
        PGXHSM_EXTENSION hookExt;

        FileObject = currentIrpStack->FileObject;

        hookExt = HookDevice->DeviceExtension;

        IoSkipCurrentIrpStackLocation(Irp);

        FileObject->DeviceObject = realDevice;

        IoSkipCurrentIrpStackLocation(Irp);
        return (IoCallDriver( realDevice, Irp ));
    }

Any insight would be greatly appreciated.

Thanks,
Jeremy

> 1) So I have created a normal device and attached it to
> LanmanRedirector. Since I only plan on hooking LanmanRedirector, I
> store the device object handle in a global var called realdevice.
> This is set to the handle I get back from IoAttachDeviceToDeviceStack.

I don’t know if this is true or not, but can’t there be more
devices for LanMan Redirector? E.g. mapped network volumes?

> 5) If I try to open the same file using ZwCreateFile
> \Device\MyShadowFilter\computer\share\a.txt
> in my normal hook routine, I get a blue screen.

What kind of blue screen? Did you try to step into the
ZwCreateFile call or analyze the blue screen in WinDbg?

I remember that I worked on the same method some days ago. The
ZwCreateFile didn’t work (with STATUS_ACCESS_VIOLATION), because
the KeGetPreviousMode returned UserMode and the pointers to file
name were considered as wrong.

Maybe a call of NtCreateFile will help?

L.


What bug check do you get? Is it NO_MORE_IRP_STACK_LOCATIONS? If so then maybe you need DeviceObject->StackSize for your shadow device?

I get NO_MORE_IRP_STACK_LOCATIONS if I don’t do
IoSkipCurrentIrpStackLocation. But just in case I set the stackSize
anyway. Same thing.

The weird thing is I don’t get a bug check reason. If I analyze the dump
will it show me??

Thanks

-----Original Message-----
From: Lyndon J Clarke [mailto:xxxxx@neverfailgroup.com]
Sent: Tuesday, January 27, 2004 5:10 AM
To: Windows File Systems Devs Interest List
Subject: Re:[ntfsd] Need some help with Shadow Device!!!

What bug check do you get? Is it NO_MORE_IRP_STACK_LOCATIONS? If so then
maybe you need DeviceObject->StackSize for your shadow device?

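The stack-location arithmetic behind the NO_MORE_IRP_STACK_LOCATIONS exchange above, as an added example that is not part of any post in the thread: a user-mode C model (not driver code) of how IoCallDriver and IoSkipCurrentIrpStackLocation move Irp->CurrentLocation. MODEL_IRP, the model_* functions and forward_from_shadow are hypothetical names, and the model assumes every driver in the lower stack consumes one location.

```c
/* User-mode model of IRP stack-location accounting (constructed example,
   not kernel code). MODEL_IRP and the model_* names are hypothetical. */
#include <stdio.h>

typedef struct {
    int StackCount;      /* locations allocated: StackSize of the device opened */
    int CurrentLocation; /* StackCount + 1 when the IRP is first allocated */
} MODEL_IRP;

enum { SENT_OK, NO_MORE_LOCATIONS, PAST_END_OF_IRP };

/* IoSkipCurrentIrpStackLocation: step back up one location. */
static void model_skip(MODEL_IRP *irp) { irp->CurrentLocation++; }

/* IoCallDriver: step down one location; the real routine bugchecks with
   NO_MORE_IRP_STACK_LOCATIONS at <= 0. It has no upper-bound check, so the
   model flags the case where the callee's location lies outside the IRP. */
static int model_call_driver(MODEL_IRP *irp) {
    irp->CurrentLocation--;
    if (irp->CurrentLocation <= 0) return NO_MORE_LOCATIONS;
    if (irp->CurrentLocation > irp->StackCount) return PAST_END_OF_IRP;
    return SENT_OK;
}

/* The I/O manager sends the IRP to the shadow device, whose dispatch calls
   skip `skips` times and forwards to a stack needing `lower` locations. */
static int forward_from_shadow(int shadow_stack_size, int skips, int lower) {
    MODEL_IRP irp = { shadow_stack_size, shadow_stack_size + 1 };
    int rc = model_call_driver(&irp);
    for (int i = 0; rc == SENT_OK && i < skips; i++) model_skip(&irp);
    for (int hop = 0; rc == SENT_OK && hop < lower; hop++)
        rc = model_call_driver(&irp);
    return rc;
}

int main(void) {
    printf("no skip, StackSize 1:     %d\n", forward_from_shadow(1, 0, 1));
    printf("one skip, StackSize 1:    %d\n", forward_from_shadow(1, 1, 1));
    printf("two skips, StackSize 1:   %d\n", forward_from_shadow(1, 2, 1));
    printf("no skip, StackSize low+1: %d\n", forward_from_shadow(3, 0, 2));
    return 0;
}
```

In the model, a dispatch routine that skips twice before IoCallDriver, as the posted routine does, is the third case, and a shadow device whose StackSize is the lower stack's StackSize plus one is the fourth.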