I am writing a minifilter that looks for a certain file and when this file comes along, I want to return my own information in the reads. In order to get the information in the reads I need to return a buffer from a call to FltSendMessage where the data is retrieved.
Since the buffer could be rather large I need to get this data up from user mode using some form of memory mapping that I can pass up from my service (or pass a pointer down to the service). My question is basically, what would be the best mechanism to accomplish this? The files will be pretty rare that match my criteria for replacing the read buffer, for everything else it will just pass through. Thank you very much for any help in advance!
First why do you consider the buffer to be rather large? Most applications
do not read huge blocks of data at once, but typically something less than
64KB which is not large. So are these files being read by an application
that does large direct reads, so you are sure that you need a huge buffer?
Memory mapping is a great way to create a security hole, and also has
wonderful challenges to handle things like the faillure of the user space
service. If as I suspect you are dealing with less than 64KB at a pop, you
are doing a ton of work for no performance improvement.
–
Don Burn (MVP, Windows DDK)
Windows 2k/XP/2k3 Filesystem and Driver Consulting
Website: http://www.windrvr.com
Blog: http://msmvps.com/blogs/WinDrvr
Remove StopSpam to reply
wrote in message news:xxxxx@ntfsd…
>I am writing a minifilter that looks for a certain file and when this file
>comes along, I want to return my own information in the reads. In order to
>get the information in the reads I need to return a buffer from a call to
>FltSendMessage where the data is retrieved.
>
> Since the buffer could be rather large I need to get this data up from
> user mode using some form of memory mapping that I can pass up from my
> service (or pass a pointer down to the service). My question is basically,
> what would be the best mechanism to accomplish this? The files will be
> pretty rare that match my criteria for replacing the read buffer, for
> everything else it will just pass through. Thank you very much for any
> help in advance!
>
You’re right, I am only reading at most 32KB so if there is not a major performance hit, I will just return it back in a structure from FilterReplyMessage. Thank you Don!
I did some performance measures with inverted call (KM to UM) through pending read request (w/o fast IOs involved). When we need to send request to UM we complete read pending request and wait for response which is simple write. We had concern about KM to US switch overhead, but it turned out that it is more efficient to use smaller buffer and have several trips, than have bigger buffer which would do “pipelining” of several requests into one trip. Ideal buffer size was between 4 and 32kB. The device was DO_DIRECT_IO, so bigger buffer had big overhead probably in allocation/locking of MDL.
In future we plan to do tests also for buffered device. We need either BUFFERED or DIRECT I/O so we can cross process boundaries in KM. You know, communication IRP is filled and completed in different process than it came.
-bg