Send IRP_MJ_CREATE to fsd

hey , im trying to avoid using NtCreateFile and roll my own IRP .

NTSTATUS NtfsWriteCompletion(PDEVICE_OBJECT DeviceObject, PIRP Irp, PVOID Context) 
{

if(Irp->PendingReturned)
	KeSetEvent((PKEVENT)Context, IO_NO_INCREMENT,FALSE);

PFILE_OBJECT FileObj = Irp->Tail.Overlay.OriginalFileObject;
if(FileObject)
	ObDereferenceObject(FileObject);

IoFreeIrp(Irp);

return STATUS_MORE_PROCESSING_REQUIRED; 
}


bool NtfsWrite()
{
...

UNICODE_STRING DeviceName = RTL_CONSTANT_STRING(L"\\Device\\HarddiskVolume1");

status = IoGetDeviceObjectPointer(&DeviceName, FILE_WRITE_DATA | FILE_SHARE_WRITE, &FileObject, &DeviceObject);

...
// error handling 
...

Irp = IoAllocateIrp(DeviceObject->StackSize, FALSE);

...
// error handling 
...

PIO_STACK_LOCATION IoStack = IoGetNextIrpStackLocation(Irp);
IoStack->MajorFunction = IRP_MJ_CREATE; 
IoStack->FileObject = FileObject;

IoStack->Parameters.Create.Optionns  = FILE_WRITE_DATA;
IoStack->Parameters.Create.FileAttributes  = FILE_ATTRIBUTE_NORMAL;
IoStack->Parameters.Create.ShareAccess  = 0;
IoStack->Parameters.Create.EaLength = 0;

RtlInitUnicodeString(&FileObject->FileName, TARGET_FILE);

KeInitializeEvent(&Event, NotificationEvent, FALSE);

IoSetCompletionRoutine(Irp,NtfsWriteCompletion,&Event,TRUE,TRUE,TRUE);

status = IofCallDriver(DeviceObject, Irp);
if(status == STATUS_PENDING)
{
KeWaitForSingleObject(&Event,Executive,KernelMode, FALSE, NULL);
status = Irp.IoStatus.Status;
}

return true;
}

The irp makes it to the fltmgr and eventually the first pre create minifilter callback , then blue screens with system service exception
surely I did something really bad here ?

I am not sure why you get a BSOD by looking at provided code, but it seems to me that you are sending the IRP down to the "\Device\HarddiskVolume1" , a mass storage device , which has no concepts of the files. Just sectors and sizes. SO if you want to access the file bypassing the FS driver, you would need to manually parse the FS, find the location of the file on disk and access those sectors.

I want to send this request to the fsd , not bypass it. The goal here is to avoid using ZwCreateFile / ZwWriteFile

Hmmm… it is almost always unnecessary (and a mistake) to try to “roll your own” IRP. I did this out of necessity many years ago (before Filter Manager) and it was a very major undertaking.

Why not use one of the many alternatives?