Recursive IRP_MJ_CREATE following an IRP_MJ_CREATE with FILE_EXECUTE in FSD?!

A recursive IRP_MJ_CREATE following an IRP_MJ_CREATE with FILE_EXECUTE in an
FSD (e.g., fastfat)?!
I have observed a very, very strange behavior on my system (Win2K
Professional SP2, FASTFAT):
a recursive IRP_MJ_CREATE followed an IRP_MJ_CREATE with FILE_EXECUTE!
This is a very strange thing. In the past, I never observed it on the same
system.
Maybe I have installed some software on my system that causes this strange
thing?
But
I observed it in my filter. And I checked the device stack (with the tool Device
Tree by OSR):
the device attached to the FASTFAT VDO is my filter's VDO.
That is to say, the recursive IRP_MJ_CREATE comes from FASTFAT!
Why? It's crazy!
And I have checked the code of the sample fastfat; it has no such behavior.

I uninstalled my filter and just observed it with Filemon. The same behavior:
34 2:11:21 Explorer.EXE:652 IRP_MJ_CREATE D:\chess-move.exe SUCCESS Options: Open Access: Execute
35 2:11:21 Explorer.EXE:652 IRP_MJ_CREATE D:\CHESS-MOVE.EXE SUCCESS Options: Open Access: All
36 2:11:21 Explorer.EXE:652 FASTIO_QUERY_STANDARD_INFO D:\CHESS-MOVE.EXE SUCCESS Length: 61440
37 2:11:21 Explorer.EXE:652 IRP_MJ_CLEANUP D:\CHESS-MOVE.EXE SUCCESS
38 2:11:21 Explorer.EXE:652 IRP_MJ_CLOSE D:\CHESS-MOVE.EXE SUCCESS
39 2:11:21 Explorer.EXE:652 IRP_MJ_CLEANUP D:\chess-move.exe SUCCESS
40 2:11:21 Explorer.EXE:652 IRP_MJ_CLOSE D:\chess-move.exe SUCCESS

And you can see an interesting thing:
the file name of the recursive IRP in Filemon is in uppercase.
My file name is lowercase: chess-move.exe (a funny game^_^), so the
original IRP has the file name D:\chess-move.exe.
But the recursive IRP has the file name D:\CHESS-MOVE.EXE

Can anybody clarify it? Thanks~~~
Maybe it is a virus? But then how to explain this:
the device attached to the FASTFAT VDO is my filter's VDO,
and I can observe it in my filter's VDO.


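The nested-open pattern in the Filemon trace above can be picked out mechanically. The following Python is an added example, not part of the original post: it reports every successful create issued while the same process still holds the same file open under a name that matches case-insensitively. It pairs creates with closes by the logged name string (an assumption, since Filemon output carries no file object address) and assumes paths without spaces.

```python
import re

# Trace copied from the post above, with the wrapped lines joined.
TRACE = r"""
34 2:11:21 Explorer.EXE:652 IRP_MJ_CREATE D:\chess-move.exe SUCCESS Options: Open Access: Execute
35 2:11:21 Explorer.EXE:652 IRP_MJ_CREATE D:\CHESS-MOVE.EXE SUCCESS Options: Open Access: All
36 2:11:21 Explorer.EXE:652 FASTIO_QUERY_STANDARD_INFO D:\CHESS-MOVE.EXE SUCCESS Length: 61440
37 2:11:21 Explorer.EXE:652 IRP_MJ_CLEANUP D:\CHESS-MOVE.EXE SUCCESS
38 2:11:21 Explorer.EXE:652 IRP_MJ_CLOSE D:\CHESS-MOVE.EXE SUCCESS
39 2:11:21 Explorer.EXE:652 IRP_MJ_CLEANUP D:\chess-move.exe SUCCESS
40 2:11:21 Explorer.EXE:652 IRP_MJ_CLOSE D:\chess-move.exe SUCCESS
"""

LINE = re.compile(
    r"^(?P<seq>\d+)\s+(?P<time>[\d:]+)\s+(?P<proc>\S+):(?P<pid>\d+)\s+"
    r"(?P<op>(?:IRP_MJ|FASTIO)_\w+)\s+(?P<path>\S+)\s+"
    r"(?P<status>[A-Z_]+)(?:\s+(?P<other>.*))?$")

def parse(trace):
    """Turn Filemon text lines into dicts; unparseable lines are skipped."""
    events = []
    for raw in trace.splitlines():
        m = LINE.match(raw.strip())
        if m:
            ev = m.groupdict()
            acc = re.search(r"Access:\s*(\S.*)$", ev["other"] or "")
            ev["access"] = acc.group(1) if acc else None
            events.append(ev)
    return events

def nested_creates(events):
    """Return (outer_seq, inner_seq, outer_access, inner_access, case_differs)."""
    open_files = {}                      # pid -> creates not yet closed
    findings = []
    for ev in events:
        held = open_files.setdefault(ev["pid"], [])
        if ev["op"] == "IRP_MJ_CREATE" and ev["status"] == "SUCCESS":
            for outer in held:
                if outer["path"].lower() == ev["path"].lower():
                    findings.append((int(outer["seq"]), int(ev["seq"]),
                                     outer["access"], ev["access"],
                                     outer["path"] != ev["path"]))
            held.append(ev)
        elif ev["op"] == "IRP_MJ_CLOSE":
            for i in range(len(held) - 1, -1, -1):   # close the newest exact match
                if held[i]["path"] == ev["path"]:
                    del held[i]
                    break
    return findings

if __name__ == "__main__":
    print(nested_creates(parse(TRACE)))
```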

First of all, my system should be Win2K SP4.

And in this strange environment I have observed other things:
the FileName for the redirector.
In the past, I thought the file name for the redirector had this format:
I. If I have mapped a network drive, then
;DriverLetter:SessionID\Computer\ShareName.…
for example, ;H:0\MyComputer\MyShare.…
II. If I haven't mapped a network drive, then
\Computer\ShareName.…
for example, \MyComputer\MyShare

But in this strange environment, I find the file name has the following format
whether or not I
have mapped a network drive:
0:\MyComputer\MyShar…

Why? Can anybody clarify it? Thank you very much. It's too strange for me!
Ah, regarding my previous post: the recursive IRP_CREATE occurs in the local FSD, and
occurs
in the redirector too.

-----------original message --------------------------------------------
Subject: recursive IRP_MJ_CREATE followed a IRP_MJ_CREATE with FILE_EXECUTE
in FSD?!
From: “Xiong ZiJan”
Date: Tue, 18 Oct 2005 18:21:49 +0000
X-Message-Number: 20

----------------------------------------------------------------------------
