hi!
i tried that but its still not working. i’m attaching code of dispatch
routine for IRP_MJ_CREATE. kindly look at it to see where i’m wrong.
in this routine i’m checking whether the delete flag is set for the file
and if it is set displaying the name of file in debugger.
thanks for ur help.
regards
Balvinder
DBGSTATIC
NTSTATUS
UniCreate(
IN PDEVICE_OBJECT DeviceObject,
IN PIRP Irp
)
{
PIO_STACK_LOCATION irpSp;
KIRQL oldIrql;
PDEVICE_EXTENSION deviceExtension;
PDEVICE_OBJECT deviceObject;
NTSTATUS status;
PIO_SECURITY_CONTEXT pSecurityContext;
ACCESS_MASK DesiredAccess;
UNICODE_STRING UnicodeFileName;
ANSI_STRING AnsiFileName;
PVOID buffer;
POBJECT_NAME_INFORMATION objectNameInfo;
WCHAR driveName[256];
ULONG returnLength;
UNICODE_STRING volumeName;
PVOID volBuffer;
UNICODE_STRING volume1Name;
PVOID vol1Buffer;
UNICODE_STRING volume2Name;
PVOID vol2Buffer;
ULONG lookupFlags;
PFILE_OBJECT pFileObject;
PUNICODE_STRING pFileName;
PAGED_CODE();
if (DeviceObject == gControlDeviceObject) {
//
// A CREATE request is being made on our gControlDeviceObject
//
ExAcquireSpinLock( &gControlDeviceStateLock, &oldIrql );
if (gControlDeviceState != CLOSED) {
status = STATUS_DEVICE_ALREADY_ATTACHED;
} else {
gControlDeviceState = OPENED;
}
ExReleaseSpinLock( &gControlDeviceStateLock, oldIrql );
//
// Since this is our gControlDeviceObject, we complete the
// irp here.
//
Irp->IoStatus.Status = status;
IoCompleteRequest( Irp, IO_NO_INCREMENT );
return status;
}
//
// Get a pointer to the current stack location in the IRP. This is
where
// the function codes and parameters are stored.
//
irpSp = IoGetCurrentIrpStackLocation( Irp );
pFileObject = irpSp->FileObject;
pFileName = &pFileObject->FileName;
if(pFileName->Length == 0)
{
Irp->IoStatus.Status = STATUS_SUCCESS;
Irp->IoStatus.Information = FILE_OPENED;
//
IoCompleteRequest(Irp,IO_NO_INCREMENT);
//
return STATUS_SUCCESS;
}
pSecurityContext = irpSp->Parameters.Create.SecurityContext;
DesiredAccess = pSecurityContext->DesiredAccess;
vol1Buffer = ExAllocatePool(NonPagedPool,512);
volume1Name.Length = 0;
volume1Name.MaximumLength = 512;
volume1Name.Buffer = vol1Buffer;
RtlAppendUnicodeToString(&volume1Name, L"\Device\HarddiskVolume1");
vol2Buffer = ExAllocatePool(NonPagedPool,512);
volume2Name.Length = 0;
volume2Name.MaximumLength = 512;
volume2Name.Buffer = vol2Buffer;
RtlAppendUnicodeToString(&volume2Name, L"\Device\HarddiskVolume2");
deviceObject = irpSp->FileObject->DeviceObject;
objectNameInfo = (POBJECT_NAME_INFORMATION)driveName;
status = ObQueryNameString(deviceObject,
objectNameInfo,
sizeof(driveName),
&returnLength);
volBuffer = ExAllocatePool(NonPagedPool,512);
volumeName.Length = 0;
volumeName.MaximumLength = 512;
volumeName.Buffer = volBuffer;
if(RtlCompareUnicodeString(&objectNameInfo->Name,&volume1Name,FALSE))
RtlAppendUnicodeToString(&volumeName, L"D:“);
if(RtlCompareUnicodeString(&objectNameInfo->Name,&volume2Name,FALSE))
RtlAppendUnicodeToString(&volumeName, L"C:”);
ExFreePool(vol1Buffer);
ExFreePool(vol2Buffer);
buffer = ExAllocatePool(NonPagedPool,gMaxNamesToAllocate);
RtlInitUnicodeString(&UnicodeFileName,NULL);
UnicodeFileName.Buffer = buffer;
UnicodeFileName.MaximumLength = (unsigned short)gMaxNamesToAllocate;
UnicodeFileName.Length = 0;
RtlAppendUnicodeToString(&UnicodeFileName, volumeName.Buffer);
RtlAppendUnicodeToString(&UnicodeFileName,
irpSp->FileObject->FileName.Buffer);
ExFreePool(volBuffer);
RtlUnicodeStringToAnsiString(&AnsiFileName,&UnicodeFileName,TRUE);
AnsiFileName.Buffer[AnsiFileName.Length] = ‘\0’;
ExFreePool(buffer);
if(DesiredAccess & DELETE)
{
if(ApplyFilters(AnsiFileName.Buffer))
{
DbgPrint(“\n--------------------------------”);
DbgPrint(“\nInside ApplyFilters of sfcreate”);
DbgPrint(“\n AnsiFileName = %s”,AnsiFileName.Buffer);
DbgPrint(“\nthis file is protected”);
DbgPrint(“\n--------------------------------”);
RtlFreeAnsiString(&AnsiFileName);
return UniPassThrough( DeviceObject, Irp );
}
else
{
DbgPrint(“\nif ApplyFilters false”);
RtlFreeAnsiString(&AnsiFileName);
return UniPassThrough( DeviceObject, Irp );
}
}
else
{
//
// Get a pointer to this driver’s device extension for the specified
// device.
//
deviceExtension = DeviceObject->DeviceExtension;
//
// If debugging is enabled, do the processing required to see the
packet
// upon its completion. Otherwise, let the request go w/no further
// processing.
//
if (SfDebug) {
PIO_STACK_LOCATION nextIrpSp;
//
// Simply copy this driver stack location contents to the next
driver’s
// stack.
//
nextIrpSp = IoGetNextIrpStackLocation( Irp );
RtlMoveMemory( nextIrpSp, irpSp, sizeof( IO_STACK_LOCATION ) );
IoSetCompletionRoutine(
Irp,
UniCreateCompletion,
NULL,
TRUE,
FALSE,
FALSE
);
}
else {
Irp->CurrentLocation++;
Irp->Tail.Overlay.CurrentStackLocation++;
}
//
// Now call the appropriate file system driver with the request.
//
return IoCallDriver( deviceExtension->FileSystemDeviceObject, Irp );
}
}