Question: Q34 Opening files during IRP_MJ_CREATE processing

JA_rgen_Falk · October 3, 2006, 11:43am

Hi,

I have to open a file during IRP_MJ_CREATE and I am following the instructions of Q34 describing the technique with a “shadow” device object. There is mentioned that for the file name “being opened, you construct that by using both the name you gave MyFilterShadowDeviceObject and the name that is in the FileObject of the I/O stack Location (IoGetCurrentIrpStackLocation(Irp)->FileObject)”. How must the file name look like in concrete? Do anybody have a code example to this topic?

Thanks in advance. Jürgen.

OSR_Community_User · October 3, 2006, 12:09pm

If the name of your shadow device is “\Device\MyShadowDevice” and the
name of the file being opened is “\Foo\Bar\Fred” then the name that you
actually open is “\Device\MyShadowDevice\Foo\Bar\Fred”.

Keep in mind that isn’t the ONLY possible name, but it is certainly the
most straight-forward implementation model. Of course, none of this is
necessary if you are using a mini-filter.

Tony Mason
Consulting Partner
OSR Open Systems Resources, Inc.
http://www.osr.com

JA_rgen_Falk · October 3, 2006, 12:43pm

Thanks for your quick reply.
And if the file to be opened is a full path like “c:\temp\test.txt” or “n:\temp\test.txt” where n is any logical drive, the name I actually open is then “\Device\MyShadowDevice\c:\temp\test.txt” resp. “\Device\MyShadowDevice\n:\temp\test.txt”? (similar to \DosDevices\c:\temp\test.txt"?) Will a following call to ZwCreateFile with this name, containing my shadow device, succeed?

OSR_Community_User · October 3, 2006, 1:16pm

For local drives, names do not normally include a drive letter (network
drives sometimes do, however.) For example, a drive letter such as “c:”
will be a symbolic link (\Device\HarddiskVolume24 for example) and it is
THIS that you are replacing with the name of your shadow device.

Thus, the original name (after the symlinks are all resolved) is
\Device\HarddiskVolume3\temp\test.txt and the name that is in the File
object is \temp\test.txt. Thus, the name you use for the shadow is
\Device\Shadow\temp\test.txt.

If your device is \Device\Shadow, the file object you receive will have
\temp\test.txt as its name. If you decide to change it so you have
\Device\Shadow\c:\temp\test.txt then the name that shows up in your
driver (in the file object) will be \c:\temp\test.txt.

I suggested the simplest possible algorithm here but you can transform
the name however you want - you just have to know how to process it when
it arrives at your shadow device.

Tony

Tony Mason
Consulting Partner
OSR Open Systems Resources, Inc.
http://www.osr.com