Thanks Ryan and Petr,
I didn’t check the access and sharing flags during the InternalReadFile. And my
filter has to hook the redirector because the network activities shall be
inspected.
For the login problem, if skipping files under the system32 directory, the
logon is ok. I don’t know the reason, but it seems to work. But I don’t know how
to get the system directory in kernel mode at this time; can it be got from the
registry or by some API?
Regards,
Xinwei
“Nick Ryan” wrote:xxxxx@ntfsd…
>
> Can you post your InternalReadFile function?
>
> You’re not messing with the desired access or sharing flags on the
> create are you?
>
> SXW wrote:
>
> > Thanks to Nick and Alexei, your answers are greatly helpful to me.
> >
> > But for the logon problem, I’d logged all creations into a file and there’s
> > no STATUS_REPARSE returned and the IoCancelFileOpen is never called.
> >
> > The scenario is:
> >
> > if( create file successfully)
> > IoQueryFileInformation and InternalReadFile are always successful
> >
> > but there are STATUS_SHARING_VIOLATION or STATUS_NO_SUCH_LOGON_SESSION
> > logged for some creations and the logon always fails.
> >
> > Are there other reasons that could cause this problem?
> >
> > Best regards,
> >
> > Xinwei
> >
> > “Nick Ryan” wrote to message:xxxxx@ntfsd…
> >
> >>Three things that jump out at me:
> >>
> > >>#1. Biggest issue - you shouldn’t be using IoCancelFileOpen. It’s
> > >>generally agreed that this API is dangerous to use and should be
> > >>deprecated by Microsoft. You should open the file using a temporary file
> > >>object (difficult but gives you more control) or with ZwCreateFile
> > >>(easier).
> > >>
> > >>#2. You do realize that the lower driver can return STATUS_REPARSE? The
> > >>NT_SUCCESS macro returns TRUE for this status code, but the file is not
> > >>actually opened, so filter drivers should treat this as an error
> > >>condition. Explicitly test for STATUS_REPARSE.
> > >>
> > >>#3. You are completing the IRP if you decide to cancel the open, aren’t
> > >>you?
> >
> >>SXW wrote:
> >>
> >>
> > >>>Thank you so much, Ryan.
> > >>>
> > >>>The InternalReadFile routine is copied from my code.
> > >>>
> > >>>My filter is loaded at system startup, and will hook all file creations
> > >>>for all volumes.
> > >>>
> > >>>And in the IRP_MJ_CREATE handler, my code does the following: after
> > >>>IRP_CREATE is returned from the lower driver, just check the
> > >>>filestandardinformation and read the file content. If the read operation
> > >>>is skipped, I can log on to the system; otherwise the system will report
> > >>>an error.
> > >>>
> > >>>Code in the handler of IRP_MJ_CREATE:
> >>>
> > >>>SaveFileObject = IrpStack->FileObject;
> > >>>
> > >>>// send IRP_MJ_CREATE to lower driver and get the result
> > >>>status = IssueCreateIrp(DeviceObject, Irp);
> > >>>
> > >>>if( NT_SUCCESS(status) ){
> > >>>    //check the file’s content , and fill myfcb
> > >>>    status = CheckFilePostCreate(DeviceObject, SaveFileObject, &MyFcb);
> > >>>
> > >>>    if( !NT_SUCCESS(status)){
> > >>>        IoCancelFileOpen(DeviceObject, SaveFileObject );
> > >>>        RC = Irp->IoStatus.Status = STATUS_ACCESS_DENIED;
> > >>>        Irp->IoStatus.Information = 0;
> > >>>    }
> > >>>}
> > >>>return status;
> > >>>
> > >>>NTSTATUS
> > >>>CheckFilePostCreate(
> > >>>    PDEVICE_OBJECT DeviceObject,
> > >>>    PFILE_OBJECT FileObject,
> > >>>    PMYFCB pMyFcb)
> > >>>{
> > >>>    // get file info
> > >>>    status = IoQueryFileInformation(FileObject,
> > >>>                                    FileStandardInformation,
> > >>>                                    sizeof( fileinfo ),
> > >>>                                    &fileinfo,
> > >>>                                    &ReturnedLength);
> > >>>
> > >>>    if( !NT_SUCCESS(status))
> > >>>        return status;
> > >>>
> > >>>    // copy some filestandardinfo into myFCB here
> > >>>    …
> > >>>    //Check: is file a directory?
> > >>>    …
> > >>>
> > >>>    // try to read my filehead , only for files
> > >>>    if( fileinfo.EndOfFile.QuadPart > SIZE_FILE_HEAD){
> > >>>        readoffset.QuadPart = 0;
> > >>>
> > >>>        status = InternalReadFile( DeviceObject,
> > >>>                                   FileObject,
> > >>>                                   &FileHead,
> > >>>                                   SIZE_FILE_HEAD,
> > >>>                                   &readoffset);
> > >>>
> > >>>        if(NT_SUCCESS( status ) ){
> > >>>            //copy data from FileHead into myFCB
> > >>>            …
> > >>>        }
> > >>>    }
> > >>>
> > >>>    return status;
> > >>>}
> >>>
> >>>
> >>>“Nick Ryan” wrote :xxxxx@ntfsd…
> >>>
> >>>
> >>>>No, a read won’t increase the reference on a file object. There’s
> >>>>nothing wrong with what you are trying to do that I can see. Can you
> >>>>post your code?
> >>>>
> >>>>SXW wrote:
> >>>>
> >>>>
> >>>>
> > >>>>>More info about this error:
> > >>>>>
> > >>>>>Some creations will return STATUS_SHARING_VIOLATION, and there are also
> > >>>>>some creations that failed with STATUS_NO_SUCH_LOGON_SESSION error.
> > >>>>>
> > >>>>>Does the internal read operation hold a reference to the file object?
> > >>>>>
> > >>>>>Thanks in advance.
> >>>>>
> >>>>>
> >>>>>
> >>>>>
> > >>>>>>Hi,
> > >>>>>>
> > >>>>>>My filter will read file content during the MJ_CREATE, only when this
> > >>>>>>creation returns successfully from the lower driver. After the
> > >>>>>>IoCallDriver returned, sending a new IRP built with
> > >>>>>>IoBuildSynchronousFsdRequest will cause the winlogon to report that the
> > >>>>>>domain (actually the local machine) can’t be accessed. If the internal
> > >>>>>>routine InternalReadFile is simply skipped, everything is ok.
> > >>>>>>
> > >>>>>>What’s wrong with the winlogon? At this time, my filter hooks all files’
> > >>>>>>creations.
> > >>>>>>
> > >>>>>>Appreciate any advice,
> > >>>>>>
> > >>>>>>Xinwei
> >>>>>>
> >>>>>>
> >>>>>>
> > >>>>>>NTSTATUS
> > >>>>>>InternalReadFile(
> > >>>>>>    IN PDEVICE_OBJECT DeviceObject,
> > >>>>>>    IN PFILE_OBJECT FileObject,
> > >>>>>>    OUT PVOID Buffer,
> > >>>>>>    IN ULONG Length,
> > >>>>>>    IN PLARGE_INTEGER StartingOffset
> > >>>>>>    )
> > >>>>>>{
> > >>>>>>    PIRP irpRead;
> > >>>>>>    KEVENT syncevent;
> > >>>>>>    NTSTATUS status;
> > >>>>>>    IO_STATUS_BLOCK iostatus;
> > >>>>>>    PIO_STACK_LOCATION pIrpStackNext ;
> > >>>>>>    PDEVICE_OBJECT pLowerDriver;
> > >>>>>>
> > >>>>>>    pLowerDriver =
> > >>>>>>        ((PDeviceExtension)(DeviceObject->DeviceExtension))->TargetDeviceObject;
> > >>>>>>
> > >>>>>>    RtlZeroMemory( &iostatus, sizeof( iostatus ) );
> > >>>>>>
> > >>>>>>    KeInitializeEvent( &syncevent, SynchronizationEvent, FALSE );
> > >>>>>>
> > >>>>>>    irpRead = IoBuildSynchronousFsdRequest(
> > >>>>>>                  IRP_MJ_READ,
> > >>>>>>                  pLowerDriver,
> > >>>>>>                  Buffer ,
> > >>>>>>                  Length ,
> > >>>>>>                  StartingOffset ,
> > >>>>>>                  &syncevent,
> > >>>>>>                  &iostatus);
> > >>>>>>
> > >>>>>>    if( irpRead ){
> > >>>>>>
> > >>>>>>        pIrpStackNext = IoGetNextIrpStackLocation( irpRead );
> > >>>>>>
> > >>>>>>        pIrpStackNext->FileObject = FileObject;
> > >>>>>>
> > >>>>>>        status = IoCallDriver( pLowerDriver, irpRead );
> > >>>>>>
> > >>>>>>        if( STATUS_PENDING == status ){
> > >>>>>>            KeWaitForSingleObject(&syncevent,Executive,KernelMode,FALSE,NULL);
> > >>>>>>            status = iostatus.Status;
> > >>>>>>        }
> > >>>>>>    }else{
> > >>>>>>        status = STATUS_INSUFFICIENT_RESOURCES;
> > >>>>>>    }
> > >>>>>>
> > >>>>>>    return status ;
> > >>>>>>}
> >>>>>>
> >>>>>>
> >>>>>>
> >>>>>>
> >>>>>
> >>>>>
> >>>>>
> >>>>>
> >>>>>—
> >>>>>You are currently subscribed to ntfsd as: xxxxx@nryan.com
> >>>>>To unsubscribe send a blank email to xxxxx@lists.osr.com
> >>>>>
> >>>>
> >>>>–
> >>>>- Nick Ryan (MVP for DDK)
> >>>>
> >>>>
> >>>>
> >>>>
> >>>
> >>>
> >>>
> >>>
> >>>
> >>>
> >>>
> >>>
> >>>—
> >>>You are currently subscribed to ntfsd as: xxxxx@nryan.com
> >>>To unsubscribe send a blank email to xxxxx@lists.osr.com
> >>>
> >>
> >>–
> >>- Nick Ryan (MVP for DDK)
> >>
> >>
> >>
> >>
> >
> >
> >
> >
> > —
> > You are currently subscribed to ntfsd as: xxxxx@nryan.com
> > To unsubscribe send a blank email to xxxxx@lists.osr.com
> >
>
> –
> - Nick Ryan (MVP for DDK)
>
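
Nick Ryan's point #2 in the quoted thread, as an added example that is not part of the original posts: a user-mode C model of a filter's post-create decision, where STATUS_REPARSE is treated as "nothing was opened" even though NT_SUCCESS accepts it. The status values are redeclared from ntstatus.h; `post_create`, `io_status`, `create_action` and the `inspect_*` callbacks are hypothetical names.

```c
#include <stdint.h>
#include <stdio.h>

/* Values from ntstatus.h, redeclared so this model builds without the WDK. */
typedef int32_t NTSTATUS;
#define NT_SUCCESS(s)            (((NTSTATUS)(s)) >= 0)
#define STATUS_SUCCESS           ((NTSTATUS)0x00000000)
#define STATUS_REPARSE           ((NTSTATUS)0x00000104)
#define STATUS_ACCESS_DENIED     ((NTSTATUS)0xC0000022)
#define STATUS_SHARING_VIOLATION ((NTSTATUS)0xC0000043)

/* Hypothetical stand-ins: io_status models Irp->IoStatus. */
typedef struct { NTSTATUS status; uintptr_t information; } io_status;
typedef enum { PASS_THROUGH, INSPECTED_OK, DENIED } create_action;
typedef NTSTATUS (*inspect_fn)(void);   /* models CheckFilePostCreate */

static int inspect_calls;               /* how often the file was read */
NTSTATUS inspect_ok(void)   { inspect_calls++; return STATUS_SUCCESS; }
NTSTATUS inspect_fail(void) { inspect_calls++; return STATUS_ACCESS_DENIED; }

/* ios holds what the lower driver returned for IRP_MJ_CREATE. */
create_action post_create(io_status *ios, inspect_fn inspect)
{
    /* A failed create or a reparse leaves no open file: do not read from
       the file object, and hand the lower driver's status back unchanged. */
    if (!NT_SUCCESS(ios->status) || ios->status == STATUS_REPARSE)
        return PASS_THROUGH;

    if (NT_SUCCESS(inspect()))
        return INSPECTED_OK;

    /* Veto: the status stored in the IRP is also the one the dispatch
       routine must return after undoing the open and completing the IRP. */
    ios->status = STATUS_ACCESS_DENIED;
    ios->information = 0;
    return DENIED;
}

int main(void)
{
    io_status reparse = { STATUS_REPARSE, 1 };   /* constructed sample */
    create_action a = post_create(&reparse, inspect_fail);
    printf("NT_SUCCESS(STATUS_REPARSE)=%d action=%d reads=%d\n",
           NT_SUCCESS(STATUS_REPARSE), (int)a, inspect_calls);
    return 0;
}
```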