Hi,
I am working on a scanner minifilter (based on the Microsoft sample). In the default implementation of the Pre-Write callback, the notification structure contains a 1 KB content buffer, which is then sent (FltSendMessage) to the user mode application.
I need to access the data for a file before it is created (hence using the pre-write callback). I have noticed that the scanner receives chunks of at most 65K bytes along with the file position. I have tried the following to send this whole buffer.

    typedef struct _SCANNER_NOTIFICATION {
        /* first few members here … */
        INT iLengthContent;
        CHAR szContent[1];
    } SCANNER_NOTIFICATION;

    iNotificationNewSize = FIELD_OFFSET(SCANNER_NOTIFICATION, szContent[iCurBufferSize]);
    notification = ExAllocatePoolWithTag(NonPagedPool, iNotificationNewSize, 'nacS');

Then I used RtlCopyMemory() to copy the contents into notification->szContent.
Everything is fine so far, but in user mode here is the structure which I retrieve:

    typedef struct _SCANNER_MESSAGE {
        FILTER_MESSAGE_HEADER MessageHeader;
        SCANNER_NOTIFICATION Notification;
        OVERLAPPED Ovlp;
    } SCANNER_MESSAGE, *PSCANNER_MESSAGE;

The Notification object in this SCANNER_MESSAGE contains only the first 4 bytes for its szContent member (even though the full buffer was copied into it in scanner.sys).
The reason might be that during marshaling only sizeof(SCANNER_NOTIFICATION) is used and hence no data is received in user mode, or maybe I am doing it all wrong.
Is there any other synchronous method available to send large chunks of data to user mode?
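
An added example, not part of the original post or the Microsoft sample: it works through the layout arithmetic for the two structures above, assuming the user mode side sizes its receive buffer from the fixed SCANNER_MESSAGE struct. HDR and OVL are stand-ins for FILTER_MESSAGE_HEADER and OVERLAPPED, the elided notification members are left out, and VAR_MESSAGE and all function names are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Stand-ins (assumptions) for FILTER_MESSAGE_HEADER and OVERLAPPED so the
   layout arithmetic can be checked without the Windows headers. */
typedef struct { uint32_t ReplyLength; uint64_t MessageId; } HDR;
typedef struct { uintptr_t Internal, InternalHigh; uint32_t Offset, OffsetHigh; void *hEvent; } OVL;

/* Reduced notification: the members elided in the post are omitted here. */
typedef struct { int iLengthContent; char szContent[1]; } NOTIFICATION;

/* Fixed layout from the post: Ovlp begins right after a one-element array. */
typedef struct { HDR MessageHeader; NOTIFICATION Notification; OVL Ovlp; } FIXED_MESSAGE;

/* Variable layout (hypothetical): Ovlp first, variable-length tail last. */
typedef struct { OVL Ovlp; HDR MessageHeader; NOTIFICATION Notification; } VAR_MESSAGE;

/* Bytes for a notification carrying n content bytes (the FIELD_OFFSET sum). */
size_t notification_size(size_t n) { return offsetof(NOTIFICATION, szContent) + n; }

/* Content bytes that fit in FIXED_MESSAGE before Ovlp starts. */
size_t fixed_content_capacity(void) {
    return offsetof(FIXED_MESSAGE, Ovlp) - offsetof(FIXED_MESSAGE, Notification)
         - offsetof(NOTIFICATION, szContent);
}

/* Receive length (header + notification) for up to max_content bytes. */
size_t receive_size(size_t max_content) {
    return offsetof(VAR_MESSAGE, Notification) - offsetof(VAR_MESSAGE, MessageHeader)
         + notification_size(max_content);
}

VAR_MESSAGE *alloc_var_message(size_t max_content) {
    return calloc(1, offsetof(VAR_MESSAGE, MessageHeader) + receive_size(max_content));
}

/* Address of the content bytes, computed from offsets rather than the 1-byte array. */
char *content_ptr(VAR_MESSAGE *m) { return (char *)m + offsetof(VAR_MESSAGE, Notification) + offsetof(NOTIFICATION, szContent); }

/* Store n content bytes; refuse anything larger than the buffer was sized for. */
int store_content(VAR_MESSAGE *m, size_t max_content, const void *src, size_t n) {
    if (m == NULL || n > max_content) return -1;
    m->Notification.iLengthContent = (int)n;
    memcpy(content_ptr(m), src, n);
    return 0;
}
```

With this reduced notification, the fixed struct has room for only 4 content bytes before Ovlp, while a 64 KB chunk (a constructed size) needs a receive buffer of header size plus notification_size(65536).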