Hi,
I am writing a file system filter driver (and am very new to it) which has
similar functionality to a virus scanner i.e. when a file is opened, read
contents of file, check for existence of something, if it exists deny the
open otherwise allow the open. I have run into a problem reading the
actual contents of the file. After researching and reading many previous
posts, the way I am doing this is :
- During dispatch routing for IRP_MJ_CREATE, allow create to be passed
down to lower drivers - Once the IRP returns from its completion routine, if success, get basic
information from file (by creating IRP_MJ_QUERY_INFORMATION) - If file has changed since the last time I saw it then get standard
information (file size) for the file. - Split the file size into manageable chunks and read these from disk
using the following :
KeInitializeEvent(&Event, SynchronizationEvent, FALSE);
irp = IoBuildSynchronousRsdRequest(IRP_MJ_READ, Device, buffer, length,
offest, &Event, &iosb);
if (!irp) {
return STATUS_INSUFFICIENT_RESOURCES;
}
nextirpsp = IoGetNextIrpStackLocation(irp);
nextirpsp->FileObject = FileObject;
status = IoCallDriver(Device, irp);
if (status == STATUS_PENDING)
KeWaitForSingleObject(&Event, Executive, KernelMode, FALSE, NULL);
return iosb.Status;
The first three steps are fine. The problem is in the code used for
reading the file. It seems to read some files and then I receive a bug
check 0x24 or 0xA.
Am I doing something fundamentally wrong? If so, does anyone have any
pointers/comments?
Thanks in advance.
Colin