Read file in Another Volume in Post Create

Hi,

My minifilter registers a post-create callback, and in it I want to check whether any process accesses my file and then read the process's file. The file and the process may be on different volumes.

For example, the file is d:\myfile.jpg and the process is c:\myproc.exe.

Because IRP_MJ_CREATE for the d:\myfile.jpg access gives me the volume instance of volume d:, how can I read a file on volume c: (or any other volume)? Using ZwCreateFile for c:\myproc.exe re-enters and loops, and the result is UNEXPECTED_KERNEL_MODE_TRAP.

How do I check if the second IRP is called for the kernel and pass it?

Hi Maysam,

Using ZwCreateFile makes the I/O Manager create a new IRP and send it to the top of the device stack, passing through your filter again. You’re probably running out of stack and then seeing the crash.
Try using FltCreateFile, which gives you the opportunity to create the IRP and send it from your instance down the stack, preventing the IRP from going to the top of the device stack.

Regards,

Fernando Roberto da Silva
DriverEntry Kernel Development
http://www.driverentry.com.br

Thanks.
FltCreateFile needs a volume instance: if this parameter is *NULL*, the
request is sent to the device object at the top of the file system driver
stack for the volume. If it is non-*NULL*, the request is sent only to
minifilter driver instances that are attached below the specified instance.

And I don’t have the second volume's instance; my IRP is for the file access, and
the process is on another volume.

Before asking, I read MSDN and 20+ posts on this site :)

Doesn’t your filter attach to the C volume?

If it does attach to the C volume, you must store the volume pointer somewhere during the OnInstanceSetup callback so that you can use it later.

If it doesn’t attach to the C volume, you would not see any recursive call when using ZwCreateFile; that’s why I suspect you are attaching to all your volumes.

Regards,

Fernando Roberto da Silva
DriverEntry Kernel Development
http://www.driverentry.com.br

Thanks.
I attach to all volumes, so I must check which volume the process file is on
and use the appropriate volume instance object with FltCreateFile.
How do I correctly detect the volume and map it to its volume instance object?

First you use FltGetVolumeFromName to get the volume pointer; then you can use FltGetVolumeInstanceFromName to get your instance on that volume.

Regards,

Fernando Roberto da Silva
DriverEntry Kernel Development
http://www.driverentry.com.br
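
The sequence discussed in this thread (volume name, then volume, then your own instance on it, then FltCreateFile through that instance), as an added example that is not code from any poster. `VolumePrefixChars` and `OpenBelowOwnInstance` are hypothetical names, the process image path is assumed to be already available in NT form (`\Device\HarddiskVolumeN\...` or `\??\C:\...`), and the filter-manager half compiles only in a driver build while the path helper is plain C.

```c
#include <stddef.h>

/* Characters before the third '\' of an absolute NT path: the volume part of
   "\Device\HarddiskVolume2\a.exe" or "\??\C:\a.exe" (constructed samples).
   Returns 0 if there is no volume part followed by a file part. */
size_t VolumePrefixChars(const wchar_t *path, size_t cch)
{
    size_t i, slashes = 0;
    if (cch == 0 || path[0] != L'\\') return 0;
    for (i = 0; i < cch; i++) {
        if (path[i] != L'\\') continue;
        if (i > 0 && path[i - 1] == L'\\') return 0;  /* empty component */
        if (++slashes == 3) return (i + 1 < cch) ? i : 0;
    }
    return 0;
}

#ifdef _KERNEL_MODE  /* set by MSVC /kernel, i.e. in a WDK driver build */
#include <fltKernel.h>
/* Hypothetical helper: open NtPath for reading through this filter's own
   instance on the volume that holds it. Call at PASSIVE_LEVEL. On success the
   caller releases *Instance (FltObjectDereference) and *Handle (FltClose). */
NTSTATUS OpenBelowOwnInstance(PFLT_FILTER Filter, PCUNICODE_STRING NtPath,
                              PFLT_INSTANCE *Instance, PHANDLE Handle)
{
    UNICODE_STRING vol = *NtPath;
    OBJECT_ATTRIBUTES oa;
    IO_STATUS_BLOCK iosb;
    PFLT_VOLUME volume;
    NTSTATUS status;
    vol.Length = (USHORT)(sizeof(WCHAR) *
        VolumePrefixChars(NtPath->Buffer, NtPath->Length / sizeof(WCHAR)));
    if (vol.Length == 0) return STATUS_OBJECT_PATH_SYNTAX_BAD;
    status = FltGetVolumeFromName(Filter, &vol, &volume);
    if (!NT_SUCCESS(status)) return status;
    status = FltGetVolumeInstanceFromName(Filter, volume, NULL, Instance);
    FltObjectDereference(volume);
    if (!NT_SUCCESS(status)) return status;  /* no instance on that volume */
    InitializeObjectAttributes(&oa, (PUNICODE_STRING)NtPath,
        OBJ_KERNEL_HANDLE | OBJ_CASE_INSENSITIVE, NULL, NULL);
    status = FltCreateFile(Filter, *Instance, Handle, FILE_GENERIC_READ, &oa,
        &iosb, NULL, FILE_ATTRIBUTE_NORMAL, FILE_SHARE_READ | FILE_SHARE_DELETE,
        FILE_OPEN, FILE_NON_DIRECTORY_FILE | FILE_SYNCHRONOUS_IO_NONALERT,
        NULL, 0, 0);
    if (!NT_SUCCESS(status)) FltObjectDereference(*Instance);
    return status;
}
#endif
```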