hi, all
i was the first time to write an IFS driver and also the first time to
write a DDK kernel-mode driver.
i have a lot of question did not find answer at osronline(maybe it is toooo
simple), Is there anyone could help me?
i should do a drive to watch any application do sth. with any
file(txt,doc,xls…etc.). and there is encrypte opertation to the file
for example: File a.txt only could be read. File b.doc could not be opened.
So, i want to determine the file at IRP_MJ_CREATE, and save the fileobject
in hashtable(just like filemon). And then at the IRP_MJ_READ, i prepare the
irpSp->FileObject with the element of hashtable, if the irpSp->FileObject
has alread in hashtable and it is use Irp->userbuffer to save the read
result, then i change the first 4 byte data with a special string (just test
can i change the data, use “AAAA” or anything else).Or at IRP_MJ_WRITE, just
like IRP_MJ_READ, i change the data in Irp->userbuffer, and send to the next
driver.At last at IRP_MJ_CLOSE, i delete the fileobject which is in the
hashtable.
For test, i use notepad to open a txt file at first.(i know MS office is
more complex)
i have met A LOT OF problem.
- During the double click a txt file to open it. i found a lot of access by
explore and notepad. There are open the real file of this txt, and open the
link of this txt and open a file which name is like
D:\testfolder\test.txt:|&data&“#$!”#$!$(is this a stream type?). Some time
only read 24 byte from the file(i think it is read some information by
explore) and some time will read the whole file. Shall i watch all kind of
these file access?
2.Even if i change the data of Irp->userbuffer during the IRP_MJ_READ,
finally when the txt file is opened, it displaed original data. Did i miss
sth.??(when in IRP_MJ_WRITE it is ok, i successfully to change the data to
be wriet)
3.i also want to disable the file copy from explore sometimes. Could i do
this in the IFS driver? In the driver , i only get 2 file opened IRP, and
read, write IRP. But i don’t know current is copying.
4.i have the encryptiong DLL from other company. If i want to use DLL to do
the operationg, shall i use IOCTRL to transfer the data from kernel mode to
an usermode application to encrypt it?
i think maybe there are some reason of FastIo or Buffered IO. i only find
some document of it at MS and OSRONLINE. Is there some sample of it?
i hope you can understand my means. If there is any question, please let me
know.
THANK you so much!
–
yours Sean