Passing IRP to lower level driver ??

Dear All,

I am developing an application taking filespy (sample code provided in IFS)
as my base.

I am encountering a very irritating problem in my driver code in the
IRP_MJ_WRITE routine. I am capturing IRPs and logging every action
taking place on files/folders in a “logfile”.

For some files I am not doing logging, like the logfile itself and PAGEFILE.sys
etc., since they are always in use. So whenever any request comes on these
files I send the request to the next driver using SpyPassThrough, without
logging. SpyPassThrough is a dispatch routine for this driver.
It simply passes requests on to the next driver in the stack.

//////////////////
NTSTATUS SpyWrite ( IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp ) {

    DbgPrint("Inside SpyWrite");…

    .
    if ((wcsstr(tempA.Buffer, L"\\logfile") != NULL)
        || (wcsstr(tempA.Buffer, L"\\Pagefile.sys") != NULL))
    {
        /* Excluded file: pass the IRP down without logging */
        DbgPrint("DO not Log: %wZ", &tempA);

        ExFreePoolWithTag(tempA.Buffer, 'pmoC');
        return SpyPassThrough( DeviceObject, Irp );
    }

    DbgPrint("BEfore end of SpyWrite");…
}
///////////////

The code works fine. But when this driver is run on a system having an
existing file system filter driver already installed in it (NAV
especially), then whenever a request comes on these files (logfile,
pagefile.sys), the above code is executed and then control again
passes on to the IRP_MJ_WRITE routine. And this causes an infinite loop.

When I try to restart the system, the system just goes into the above piece of
code and then iterates back to the top of the IRP_MJ_WRITE routine,

and the following prints are shown in DbgView:

Inside SpyWrite
DO not Log: c:\logfile
Inside SpyWrite
DO not Log: c:\logfile
Inside SpyWrite
DO not Log: c:\logfile

and the system does not restart; one has to manually restart the system.
This problem does not occur when I run this on a fresh system having no
other file system filter driver attached.

Please suggest how to solve this problem
Regards,
Rohit

How do you get the “tempA”, which you use for
comparison ?

Remember that the filename is valid inside IRP_MJ_CREATE
only !!!

L.

I am getting the filename using::::
/////////////////////////////////////////////////////
UNICODE_STRING tempA;
irpStack = IoGetCurrentIrpStackLocation( Irp );
fileObject = irpStack->FileObject;
fileName = &fileObject->FileName;
devExt = DeviceObject->DeviceExtension;

tempA.MaximumLength = fileName->MaximumLength +
                      devExt->DeviceName.MaximumLength + 2;
tempA.Buffer = ExAllocatePoolWithTag(NonPagedPool,
                                     tempA.MaximumLength, '2leD');
RtlCopyUnicodeString(&tempA, &devExt->DeviceName);
RtlAppendUnicodeStringToString(&tempA, fileName);
/////////////////////////////////////////////////////

But I don’t think it may be the cause of problem. Is it so ??? If yes,
please please help…

“Ladislav Zezula” wrote in message news:xxxxx@ntfsd…
> How do you get the “tempA”, which you use for
> comparison ?
>
> Remember that the filename is valid inside IRP_MJ_CREATE
> only !!!
>
> L.
>

I have written this part of code in IRP_MJ_WRITE only.
Can IoCallDriver be a reason behind this problem???


FileObject->FileName can only be considered valid in IRP_MJ_CREATE.
You’re using it in IRP_MJ_WRITE, which may or may not be your problem.
:)

Adam Landefeld

“This posting is provided “AS IS” with no warranties, and confers no
rights.”

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Rohit Dhamija
Sent: Friday, April 30, 2004 6:22 AM
To: Windows File Systems Devs Interest List
Subject: Re:[ntfsd] Passing IRP to lower level driver ??

I have written this part of code in IRP_MJ_WRITE only. Can IoCallDriver
be a reason behind this problem???



Questions? First check the IFS FAQ at
https://www.osronline.com/article.cfm?id=17

You are currently subscribed to ntfsd as: xxxxx@windows.microsoft.com
To unsubscribe send a blank email to xxxxx@lists.osr.com

Oh, you also should be checking for failure of ExAllocatePoolWithTag.

What is the state of tempA in this code (ie, Length, MaximumLength)?
Would your code break if the file name was too long and RtlCopy or
RtlAppend truncated the name?

Adam Landefeld

“This posting is provided “AS IS” with no warranties, and confers no
rights.”


Does the loop break if we try to allocate memory without checking its
failure, and the failure does occur at any point ??

Also, please what should we ideally do if ExAllocatePoolWithTag fails to
allocate memory ???


I think that is not the problem; we can use FileObject->FileName in
IRP_MJ_WRITE also…
Can you suggest any other reason behind this? The problem is coming while
another filter driver is present in memory; otherwise the problem is not
coming.

Dear Mr Landefeld,

While I was going through the debug prints in DbgView I saw the following line
indicating some error:

cmpFileWrite: error exiting -1073741528

I have not put any debug print of the above kind in my program. What
does the above error imply ???
And what does cmpFileWrite mean ??
Can this be the reason behind the problem ???
Regards,
Rohit


Also, I got this error in SpyPassThrough routine:::
////////////
NTSTATUS status;

ASSERT(IS_FILESPY_DEVICE_OBJECT( DeviceObject ));
DbgPrint("\nInside SpyPassThrough");

IoCopyCurrentIrpStackLocationToNext( Irp );

IoSetCompletionRoutine( Irp,
                        MyCompletion,
                        NULL,
                        TRUE,
                        TRUE,
                        TRUE);

/* Hand the IRP to the device this filter is attached to */
status = IoCallDriver(
    ((PFILESPY_DEVICE_EXTENSION)DeviceObject->DeviceExtension)->AttachedToDeviceObject,
    Irp );
DbgPrint("\nBefore going out of SpyPassThrough");
return status;
///////////

The exact situation :

  1. Firstly the executing point was in SpyWrite
  2. Then I called the dispatch routine to pass on the IRP to the lower level
  3. And in spydispatch
    The sequence of dbg points are
  4. Debug pts of SpyWrite
  5. DbgPrint("\nInside SpyPassThrough");
  6. DbgPrint("\nBefore going out of SpyPassThrough"); and then
    cmpFileWrite: error exiting -1073741528
    and again the control goes to SpyWrite…

Any suggestions are welcome. Please comment!!!


If ExAllocatePoolWithTag fails and you don’t handle it, then your driver
will probably bug check when you try to use tempA.Buffer. What you do
when ExAllocatePoolWithTag fails depends on the situation. If you’re just
using the name for logging, perhaps you could simply substitute a static
string like “[Insufficient Resources]”; or you could just fail.

Adam Landefeld

“This posting is provided “AS IS” with no warranties, and confers no
rights.”

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Rohit Dhamija
Sent: Friday, April 30, 2004 9:34 PM
To: Windows File Systems Devs Interest List
Subject: Re:[ntfsd] Passing IRP to lower level driver ??

Does the loop break if we try to allocate memory without checking its
failure, and the failure does occur at any point ??

Also, please what should we ideally do if ExAllocatePoolWithTag fails to
allocate memory ???


I’m not sure who is printing that message in the debugger. You could
try breaking into the debugger at the right time and looking at the
stack to find out. As for your overall problem, I’m not sure. I did
notice some other things in your code however. It’s always good to
clear such things up so they don’t cause you to miss the real problem.

if((wcsstr(tempA.Buffer, L"\\logfile")!=NULL) ||
   (wcsstr(tempA.Buffer, L"\\Pagefile.sys")!=NULL)) {

    DbgPrint("DO not Log: %wZ", &tempA);

    ExFreePoolWithTag(tempA.Buffer, 'pmoC');
    return SpyPassThrough( DeviceObject, Irp );
} …
DbgPrint("BEfore end of SpyWrite");…
}

What do you return if the file is not logfile or Pagefile.sys? What if
the file names on the system were LOGFILE and PAGEFILE.SYS? I recommend
upper-casing both strings you compare.

Maybe to remove SpyPassThrough from the equation you could just inline
the code…

IoSkipCurrentIrpStackLocation( Irp );
return IoCallDriver( … );

Adam Landefeld

“This posting is provided “AS IS” with no warranties, and confers no
rights.”

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Rohit Dhamija
Sent: Friday, April 30, 2004 10:49 PM
To: Windows File Systems Devs Interest List
Subject: Re:[ntfsd] Passing IRP to lower level driver ??

Also, I got this error in SpyPassThrough routine:::
////////////
NTSTATUS status;

ASSERT(IS_FILESPY_DEVICE_OBJECT( DeviceObject ));
DbgPrint("\nInside SpyPassThrough");

IoCopyCurrentIrpStackLocationToNext( Irp );

IoSetCompletionRoutine( Irp,
                        MyCompletion,
                        NULL,
                        TRUE,
                        TRUE,
                        TRUE);

/* Hand the IRP to the device this filter is attached to */
status = IoCallDriver(
    ((PFILESPY_DEVICE_EXTENSION)DeviceObject->DeviceExtension)->AttachedToDeviceObject,
    Irp );
DbgPrint("\nBefore going out of SpyPassThrough");
return status;
///////////

The exact situation :

  1. Firstly the executing point was in SpyWrite
  2. Then I called the dispatch routine to pass on the IRP to the lower level
  3. And in spydispatch
    The sequence of dbg points are
  4. Debug pts of SpyWrite
  5. DbgPrint("\nInside SpyPassThrough");
  6. DbgPrint("\nBefore going out of SpyPassThrough"); and then
    cmpFileWrite: error exiting -1073741528
    and again the control goes to SpyWrite…

Any suggestions are welcome. Please comment!!!


> .

if((wcsstr(tempA.Buffer, L"\\logfile")!=NULL)
|| (wcsstr(tempA.Buffer, L"\\Pagefile.sys")!=NULL))
{

UNICODE_STRING.Buffer does not point to a zero-terminated string. Instead,
string length is stored in UNICODE_STRING.Length. You cannot compare
UNICODE_STRINGs with the wcsstr routine, until you are *absolutely* sure,
that you allocated extra space for zero-char (i.e.
UNICODE_STRING.MaximumLength is at least sizeof(WCHAR) bigger than
UNICODE_STRING.Length) and actually initialized it. Otherwise, you may have
problems.

–htfv

Dear ALL,

Thanks for your reply. I have not done anything for assigning the length of temp.
Is this the problem ??
What is the main use of assigning the length to tempA? I have just assigned
maximum length and the Buffer to temp as follows:::
////////////////
irpStack = IoGetCurrentIrpStackLocation( Irp );
fileObject = irpStack->FileObject;
fileName = &fileObject->FileName;
devExt = DeviceObject->DeviceExtension;

tempA.MaximumLength = fileName->MaximumLength +
                      devExt->DeviceName.MaximumLength + 2;
tempA.Buffer = ExAllocatePoolWithTag(NonPagedPool,
                                     tempA.MaximumLength, '2leD');
RtlCopyUnicodeString(&tempA, &devExt->DeviceName);
RtlAppendUnicodeStringToString(&tempA, fileName);

/* The wcs* routines below scan tempA.Buffer up to a zero character */
_wcsupr(tempA.Buffer);
if(wcsstr(tempA.Buffer, L"\\WINNT\\"))
{
    DbgPrint("\n#Test");

    ExFreePoolWithTag(fullFileNameWrt.Buffer, 'pmoC');
    ExFreePoolWithTag(tempA.Buffer, 'pmoC');
    return SpyPassThrough( DeviceObject, Irp );
}
////////////////////

Please comment. (I think there lies the problem in assigning the length to
temp. )
Rohit

The problem is that wcs family of string functions (wcsupr, wcsstr, etc.)
detect the end of string by a zero-character. But native strings
(UNICODE_STRINGs) are not zero-terminated (their lengths are defined by the
Length field). RtlCopyUnicodeString and RtlAppendUnicodeString DO NOT append
terminating zero-char. Consider the following example:

wchar_t *
_wcsupr(
    wchar_t *wsrc
    )
{
    wchar_t *p;

    /* The loop ends only when a zero character is found */
    for (p = wsrc; *p; p++)
    {
        if ((*p >= L'a') && (*p <= L'z'))
        {
            *p = *p - (L'a' - L'A');
        }
    }

    return wsrc;
}

Notice now, that for-cycle exits when *p == 0. In your case, this may not
happen in the right place because your string is NOT zero-terminated. This
may cause access violations and (what’s worse) stack damages, that cause all
kinds of weird behaviours.

Man, you should really spend some time studying all kinds of string
functions. Of course, I (or someone else on the list) can write this piece
of code for you. But we cannot write every piece of your code.

–htfv


FWIW, I use this little macro to ensure a null-terminated UNICODE_STRING:

#define TERMINATE_UNICODE_STRING(s) \
( ASSERT( (s)->MaximumLength > (s)->Length ), \
(s)->Buffer[(s)->Length / sizeof(WCHAR)] = 0 )

Then you can safely use wcs functions on tempA.Buffer after:

TERMINATE_UNICODE_STRING( &tempA );

This is all pretty basic stuff – more reading is probably in order.

Ken
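
The points raised in this thread (check the allocation, keep Length correct, never scan past Length, compare without regard to case) are shown together below as an added example; it is not code from any poster or from FileSpy. It is user-mode C so it can be run anywhere: `USTR` and every function name are hypothetical stand-ins for UNICODE_STRING handling, the device and file names are constructed, and upcasing is ASCII-only.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* User-mode stand-in for UNICODE_STRING (hypothetical type): Length and
   MaximumLength are byte counts and Buffer is not zero-terminated. */
typedef struct {
    uint16_t  Length;
    uint16_t  MaximumLength;
    uint16_t *Buffer;
} USTR;

/* Allocate, check for failure, start empty. The buffer is filled with
   non-zero bytes so a missing terminator cannot be hidden by luck. */
int ustr_alloc(USTR *s, uint16_t max_bytes)
{
    s->Length = s->MaximumLength = 0;
    s->Buffer = malloc(max_bytes);
    if (s->Buffer == NULL) return -1;
    memset(s->Buffer, 'x', max_bytes);
    s->MaximumLength = max_bytes;
    return 0;
}

/* Append an ASCII literal as UTF-16; fail instead of truncating. */
int ustr_append_ascii(USTR *dst, const char *src)
{
    size_t chars = strlen(src);
    size_t used = dst->Length / sizeof(uint16_t);
    if ((used + chars) * sizeof(uint16_t) > dst->MaximumLength)
        return -1;
    for (size_t i = 0; i < chars; i++)
        dst->Buffer[used + i] = (unsigned char)src[i];
    dst->Length = (uint16_t)((used + chars) * sizeof(uint16_t));
    return 0;
}

/* ASCII-only upcasing (assumption made for this example). */
static uint16_t upcase(uint16_t c)
{
    return (c >= 'a' && c <= 'z') ? (uint16_t)(c - ('a' - 'A')) : c;
}

/* Case-insensitive substring search that never reads past hay->Length. */
int ustr_contains_nocase(const USTR *hay, const char *needle)
{
    size_t n = strlen(needle);
    size_t h = hay->Length / sizeof(uint16_t);
    if (hay->Buffer == NULL || n == 0 || n > h)
        return 0;
    for (size_t i = 0; i + n <= h; i++) {
        size_t j = 0;
        while (j < n && upcase(hay->Buffer[i + j]) == upcase((unsigned char)needle[j]))
            j++;
        if (j == n)
            return 1;
    }
    return 0;
}

/* The exclusion test from the thread: log file and page file are skipped. */
int should_skip_logging(const USTR *path)
{
    return ustr_contains_nocase(path, "\\logfile") ||
           ustr_contains_nocase(path, "\\pagefile.sys");
}

/* Build "<device><file>" and classify it.
   Returns 1 = pass through unlogged, 0 = log, -1 = allocation or size failure. */
int classify(const char *device, const char *file, uint16_t max_bytes)
{
    USTR full;
    int rc = -1;
    if (ustr_alloc(&full, max_bytes) != 0) return -1;
    if (ustr_append_ascii(&full, device) == 0 &&
        ustr_append_ascii(&full, file) == 0)
        rc = should_skip_logging(&full);
    free(full.Buffer);
    return rc;
}

/* Characters left in the buffer beyond Length are not part of the name. */
int stale_tail_is_ignored(void)
{
    USTR s;
    if (ustr_alloc(&s, 64) != 0) return -1;
    ustr_append_ascii(&s, "\\data.txt\\logfile");
    s.Length = 9 * sizeof(uint16_t);      /* only "\data.txt" is valid */
    int rc = should_skip_logging(&s);
    free(s.Buffer);
    return rc == 0;
}

int main(void)
{
    return (classify("\\Device\\HarddiskVolume1", "\\LOGFILE", 128) == 1 &&
            stale_tail_is_ignored() == 1) ? 0 : 1;
}
```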

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Alexey Logachyov
Sent: Monday, May 03, 2004 1:43 PM
To: Windows File Systems Devs Interest List
Subject: Re:[ntfsd] Passing IRP to lower level driver ??

The problem is that wcs family of string functions (wcsupr, wcsstr, etc.)
detect the end of string by a zero-character. But native strings
(UNICODE_STRINGs) are not zero-terminated (their lengths are defined by the
Length field). RtlCopyUnicodeString and RtlAppendUnicodeString DO NOT append
terminating zero-char. Consider the following example:

wchar_t *
_wcsupr(
    wchar_t *wsrc
    )
{
    wchar_t *p;

    /* The loop ends only when a zero character is found */
    for (p = wsrc; *p; p++)
    {
        if ((*p >= L'a') && (*p <= L'z'))
        {
            *p = *p - (L'a' - L'A');
        }
    }

    return wsrc;
}

Notice now, that for-cycle exits when *p == 0. In your case, this may not
happen in the right place because your string is NOT zero-terminated. This
may cause access violations and (what’s worse) stack damages, that cause all
kinds of weird behaviours.

Man, you should really spend some time studying all kinds of string
functions. Of course, I (or someone else on the list) can write this piece
of code for you. But we cannot write every piece of your code.

–htfv

“Rohit Dhamija” wrote in message
news:xxxxx@ntfsd…
> Dear ALL,
>
> Thanks for your reply. I have not done any for assigning the length of
> temp.
> Is this the problem ??
> What is the main use of assigning the length to tempA. I have just
> assigned
> maximum length and the Buffer to temp as follows:::
> ////////////////
> irpStack = IoGetCurrentIrpStackLocation( Irp );
> fileObject = irpStack->FileObject;
> fileName = &fileObject->FileName;
> devExt = DeviceObject->DeviceExtension;
>
> tempA.MaximumLength = fileName->MaximumLength +
> devExt->DeviceName.MaximumLength + 2;
> tempA.Buffer = ExAllocatePoolWithTag(NonPagedPool,
> tempA.MaximumLength,'2leD');
> RtlCopyUnicodeString(&tempA,&devExt->DeviceName);
> RtlAppendUnicodeStringToString(&tempA, fileName);
>
> _wcsupr(tempA.Buffer);
> if(wcsstr(tempA.Buffer, L"\WINNT\)
> {
> DbgPrint("\n#Test");
>
> ExFreePoolWithTag(fullFileNameWrt.Buffer,'pmoC');
> ExFreePoolWithTag(tempA.Buffer,'pmoC');
> return SpyPassThrough( DeviceObject, Irp );
> }
> ////////////////////
>
> Please comment. (I think there lies the problem in assigning the length to
> temp. )
> Rohit
> “Alexey Logachyov” wrote in message news:xxxxx@ntfsd…
>> > .
>> > if((wcsstr(tempA.Buffer, L"\logfile")!=NULL)
>> > || (wcsstr(tempA.Buffer, L"\Pagefile.sys")!=NULL))
>> > {
>> >
>>
>> UNICODE_STRING.Buffer does not point to a zero-terminated string.
>> Instead,
>> string length is stored in UNICODE_STRING.Length. You cannot compare
>> UNICODE_STRINGs with the wcsstr routine, until you are absolutely sure,
>> that you allocated extra space for zero-char (i.e.
>> UNICODE_STRING.MaximumLength is at least sizeof(WCHAR) bigger than
>> UNICODE_STRING.Length) and actually initialized it. Otherwise, you may
>> have
>> problems.
>>
>> --htfv
>>
>>
>>
>>
>
>
>


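The length-bounded alternative to wcsstr discussed in the messages above, as an added example that is not code from any poster or from filespy: it compares only the characters covered by Length, and terminates the string only when a spare character really exists. CountedString is a user-mode stand-in for UNICODE_STRING, and the function names and the sample buffer are assumptions constructed for this illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* User-mode stand-in for the kernel's UNICODE_STRING; lengths are in bytes. */
typedef struct {
    uint16_t  Length;         /* bytes in use */
    uint16_t  MaximumLength;  /* bytes allocated at Buffer */
    uint16_t *Buffer;         /* UTF-16 units, NOT guaranteed zero-terminated */
} CountedString;

static uint16_t up(uint16_t c) { return (c >= 'a' && c <= 'z') ? (uint16_t)(c - 32) : c; }

/* ASCII case-insensitive substring search bounded by Length.
   Returns the match offset in characters, or -1; never reads past Length. */
int counted_find(const CountedString *hay, const CountedString *needle) {
    size_t h = hay->Length / sizeof(uint16_t);
    size_t n = needle->Length / sizeof(uint16_t);
    if (n == 0 || n > h) return -1;
    for (size_t i = 0; i + n <= h; i++) {
        size_t j = 0;
        while (j < n && up(hay->Buffer[i + j]) == up(needle->Buffer[j])) j++;
        if (j == n) return (int)i;
    }
    return -1;
}

/* Terminate only when a whole spare character exists; 1 = done, 0 = no room. */
int counted_terminate(CountedString *s) {
    if ((size_t)s->MaximumLength < (size_t)s->Length + sizeof(uint16_t)) return 0;
    s->Buffer[s->Length / sizeof(uint16_t)] = 0;
    return 1;
}

/* Constructed sample: "c:\logfile" in use, then stale units that spell \WINNT. */
static uint16_t sample_buf[] = { 'c',':','\\','l','o','g','f','i','l','e',
                                 '\\','W','I','N','N','T' };
static uint16_t pat_log[]   = { '\\','L','O','G','F','I','L','E' };
static uint16_t pat_winnt[] = { '\\','W','I','N','N','T' };
static CountedString name      = { 20, 20, sample_buf };  /* 10 chars, no spare room */
static CountedString log_pat   = { 16, 16, pat_log };
static CountedString winnt_pat = { 12, 12, pat_winnt };

int main(void) {
    printf("logfile at %d, WINNT at %d, terminate ok: %d\n",
           counted_find(&name, &log_pat), counted_find(&name, &winnt_pat),
           counted_terminate(&name));
    return 0;
}
```

A terminator-based scan over the same buffer would run past Length into the stale characters and report a \WINNT match that the file name does not contain.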

Thanks for the reply and suggestion. I would definitely go through the
string functions as told by you.
Regards,
Rohit


Dear Mr Cross,
Thanks for the help, but there seems to be some small error, during
compiling.
Rohit


> Thanks for the help, but there seems to be some small error, during
> compiling .

Don’t take it personally, but if you want to write
a filter driver, you should be able to solve all compile-time
errors. You will encounter many more problems, which will not
be indicated by the compiler, and may take several days to find
them.

Maybe Ken’s code (and everyone else’s code) contains
syntax mistakes. You have to take it as a hint how to solve
the problem, not to be copy-and-pasted into your driver’s
source code.

L.

Actually I am a newbie in this field and I need to understand a lot on my
side…
“Ladislav Zezula” wrote in message news:xxxxx@ntfsd…
> > Thanks for the help, but there seems to be some small error, during
> > compiling .
>
> Don’t take it personally, but if you want to write
> a filter driver, you should be able to solve all compile-time
> errors. You will encounter many more problems, which will not
> be indicated by the compiler, and may take several days to find
> them.
>
> Maybe Ken’s code (and everyone else’s code) contains
> syntax mistakes. You have to take it as a hint how to solve
> the problem, not to be copy-and-pasted into your driver’s
> source code.
>
> L.
>
>