In my filter driver, the 1st time I’m notified that a file is being written
during IRP_MJ_WRITE I would like to capture the contents before the IRP is
processed. To this end, I’m trying to open that file for reading, suck up
the contents, close the file, and then allow the Write to complete.
I’ve tried 2 approaches so far, and both fail. One is with
ObOpenObjectByPointer. When I do this the open hangs in
KeWaitForSingleEvent.
Status = ObOpenObjectByPointer(irpSp->FileObject,OBJ_KERNEL_HANDLE,
(PACCESS_STATE) NULL,
FILE_READ_DATA,
*IoFileObjectType,
KernelMode,
&FileHandle);
The 2nd approach was to open the file using
IoCreateFileSpecifyDeviceObjectHint , this failed when I tried to close the
file, again hanging in KeWaitForSingleObject
InitializeObjectAttributes(&ObjAttrs,
&FullPathName,OBJ_OPENIF|OBJ_KERNEL_HANDLE,NULL,NULL);
Status = IoCreateFileSpecifyDeviceObjectHint(&FileHandle,
GENERIC_READ|FILE_READ_ATTRIBUTES|FILE_READ_DATA|READ_CONTROL,
&ObjAttrs,
&StatusBlock,
0, //allocation size
FILE_ATTRIBUTE_NORMAL,
0, //share access
FILE_OPEN_IF, // disposition
FILE_NON_DIRECTORY_FILE, // CreateOptions,
0, // EaBuffer OPTIONAL,
0 , // EaLength
CreateFileTypeNone, // CreateFileType
NULL, // extra params
IO_IGNORE_SHARE_ACCESS_CHECK, // Options
pFADevExt->AttachedToDeviceObject
);
Is there something wrong in these attempts, i.e. one of zillion different
permutations of the flags?
Or is the approach fundamentally flawed?
Thanks
Larry