ques

I am a novice in drivers. I need some advice.

If I take FileSpy as a sample and try to build something like FileMon... I
need to implement filters.

So the user-mode app will send me a list of processes (say) and I will
either log their IRPs or I won't.

What I am apprehensive about is the fact that such filtering code will execute
every time I get an IRP! So it will slow down the system. Are there some
rules for implementing such filters so that they have minimum performance
impact?

“What I am apprehensive about is the fact that such filtering code will execute every time I get an IRP! So it will slow down the system.”

It’s not like it’s going to bog down the system. Think of an antivirus filter vs. a logging filter in FileMon or FileSpy. Filters in AV products do 10 times the work that a simple passthru filter like FileSpy does (not that it’s really simple or is only a passthru, pardon me). You should keep in mind that modern processors perform millions of operations per second. Simply passing something through a filter isn’t that heavy of a process; I’ve never investigated the number of instructions it takes, but I would make a wild guess of 100 or less (probably a total of 50 or less). Comparing that to the number of instructions that can be executed per second, the overhead shouldn’t be noticed at all in a well-written filter.
m

Matt,

I have a few things to say/suggest/ask here.

“Filters in AV products do 10 times the work that a simple passthru filter
like filespy does”

Yes, that is correct; however, I don’t think AV products do it for every IRP.
Though I have never seen any antivirus code myself, and am currently trying
to make an amateur scanner myself to increase my knowledge. Also I am sure
they maintain states of files which help them to reduce redundant scanning.

“the overhead shouldn’t be noticed at all in a well-written filter.”

Yes, this is my question, and probably also that of the original
poster... what is a well-written filter? Let’s take the example of FileMon
filters that show logs of certain processes only. It is most certainly based
on string comparison approaches (guessing). But string comparison can be
done so many ways that the performance and number of instructions needed
might vary. So MY question is, are there any intelligent ways of doing these
things (hope the original poster agrees with me)?

“however, I don’t think AV products do it for every IRP.”

Perhaps I wasn’t clear. I wasn’t speaking to the point that AVs ‘check out’ every IRP; I was simply making the point that once the filter attaches to the stack, all IRPs pass through it, and a lot are blocked until the file in question is deemed safe. Contrast this to a logging utility; most AVs are not too terribly slow, and they’re doing a lot more crap... These logging tools don’t block like AVs do...

“Also I am sure they maintain states of files which help them to reduce redundant scanning.”

Very true, some use a hash list or whatever. In this thing I’m working on I use stream and stream handle contexts: the file is initially checked and ignored until it is changed or completely closed and re-opened.

“what is a well-written filter”

Uhhh, a filter that was well written... :slight_smile:

“filters that show logs of certain processes only. It is most certainly based on string comparison approaches (guessing). But string comparison can be done so many ways that the performance and number of instructions needed might vary. So MY question is, are there any intelligent ways of doing these things (hope the original poster agrees with me)?”

Well, yeah, I assume the user-mode portion where you added the filters would then send the PID to the driver and a compare would take place based on the result of IoGetRequestorProcessID. Comparing two values isn’t going to kill performance; here we go back to well written: choosing the fastest compare technique to achieve the task at hand.

m.
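An added example of the per-IRP PID compare described in the last reply; this is not code from the thread, from FileSpy or from FileMon. It assumes the user-mode app hands the driver a plain list of PIDs to log, and it models only the part of a pre-operation callback that makes the log/skip decision: the IRP is a constructed struct whose `requestor_pid` field stands in for what `IoGetRequestorProcessId(Irp)` would return in a real driver, and the policy that an empty list means "log everything" is an assumption. The slow work (sorting and deduplicating the list) happens once when the app changes it; the per-IRP path is a handful of integer compares and never touches the file name unless the IRP is going to be logged. It is user-mode C so it builds and runs anywhere.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Assumed interface: user-mode app sends at most this many PIDs to log. */
#define MAX_FILTER_PIDS 256

typedef struct {
    uint32_t pids[MAX_FILTER_PIDS]; /* kept sorted and deduplicated */
    size_t   count;
} pid_filter_t;

static int cmp_u32(const void *a, const void *b) {
    uint32_t x = *(const uint32_t *)a, y = *(const uint32_t *)b;
    return (x > y) - (x < y);
}

/* Slow path: called only when the app replaces the list. Sorts and dedupes
 * so the per-IRP lookup can be a binary search. Returns 0 if the list is
 * too long. (A real driver would swap the new table in under a lock.) */
int pid_filter_set(pid_filter_t *f, const uint32_t *list, size_t n) {
    if (n > MAX_FILTER_PIDS) return 0;
    memcpy(f->pids, list, n * sizeof(uint32_t));
    qsort(f->pids, n, sizeof(uint32_t), cmp_u32);
    size_t w = 0;
    for (size_t i = 0; i < n; i++)
        if (w == 0 || f->pids[w - 1] != f->pids[i]) f->pids[w++] = f->pids[i];
    f->count = w;
    return 1;
}

/* Fast path: runs on every IRP. O(log n) integer compares, no strings. */
int pid_filter_contains(const pid_filter_t *f, uint32_t pid) {
    size_t lo = 0, hi = f->count;
    while (lo < hi) {
        size_t mid = lo + (hi - lo) / 2;
        if (f->pids[mid] == pid) return 1;
        if (f->pids[mid] < pid) lo = mid + 1; else hi = mid;
    }
    return 0;
}

/* Stand-in for the IRP fields a pre-operation callback would look at.
 * requestor_pid models the result of IoGetRequestorProcessId(Irp). */
typedef struct {
    uint32_t    requestor_pid;
    uint8_t     major_function; /* IRP_MJ_* code, unused by the decision */
    const char *path;           /* only consulted once we decide to log */
} sim_irp_t;

/* The decision itself: cheapest test first. Empty list => log all (assumed). */
int should_log(const pid_filter_t *f, const sim_irp_t *irp) {
    if (f->count == 0) return 1;
    return pid_filter_contains(f, irp->requestor_pid);
}

/* Constructed scenario: app asks for PIDs 4096, 1234, 300 (1234 twice),
 * then five IRPs arrive. Returns how many would be logged. */
size_t demo_logged_count(void) {
    static const uint32_t wanted[] = { 4096, 1234, 300, 1234 };
    pid_filter_t f;
    memset(&f, 0, sizeof f);
    pid_filter_set(&f, wanted, 4);

    static const sim_irp_t irps[] = {
        { 1234, 3, "\\Device\\HarddiskVolume1\\a.txt" }, /* logged */
        {  777, 3, "\\Device\\HarddiskVolume1\\b.txt" }, /* skipped */
        {  300, 4, "\\Device\\HarddiskVolume1\\c.txt" }, /* logged */
        { 4096, 0, "\\Device\\HarddiskVolume1\\d.txt" }, /* logged */
        { 4097, 0, "\\Device\\HarddiskVolume1\\e.txt" }, /* skipped */
    };
    size_t logged = 0;
    for (size_t i = 0; i < sizeof irps / sizeof irps[0]; i++) {
        int log = should_log(&f, &irps[i]);
        if (log) printf("pid %u %s\n", irps[i].requestor_pid, irps[i].path);
        logged += log ? 1 : 0;
    }
    return logged;
}

/* Same list as above; returns the deduplicated table size. */
size_t demo_table_size(void) {
    static const uint32_t wanted[] = { 4096, 1234, 300, 1234 };
    pid_filter_t f;
    memset(&f, 0, sizeof f);
    return pid_filter_set(&f, wanted, 4) ? f.count : 0;
}

int main(void) {
    printf("logged %zu of 5 IRPs\n", demo_logged_count());
    return 0;
}
```

The point of the split is that the expensive work (sorting, and in a real driver any name resolution or string matching) is moved off the per-IRP path; what remains on every IRP is the binary search over a small integer table, which is the "choose the fastest compare technique" the reply is getting at. If the app filters by image name rather than PID, resolve names to PIDs in user mode (or once per process creation) and keep the kernel side comparing integers.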