STATUS_SHARING_VIOLATION on FltCreateFile

OSR_Community_User · January 8, 2016, 4:10pm

Hi guys,

I could advance creating the SFO minifilter. I’m able to navigate thru directories, reparse points and so on but have an issue when opening a file, I get a sharing violation error.

I pass the original request parameters to the FltCreateFile call. usVolName is the volume name where redirected file exists to retrieve its volume and instance objects.

nNtStatus = ::FltGetVolumeFromName( FltObjects->Filter, &usVolName, &pShadowVolume );
if ( NT_SUCCESS( nNtStatus ) )
{
nNtStatus = ::FltGetVolumeInstanceFromName( FltObjects->Filter, pShadowVolume, NULL, &pShadowInstance );
if ( NT_SUCCESS( nNtStatus ) )
{
HANDLE hFile;

InitializeObjectAttributes( &sObjAttr, pRedirectedFileName, OBJ_KERNEL_HANDLE | OBJ_CASE_INSENSITIVE , NULL,
Data->Iopb->Parameters.Create.SecurityContext->AccessState->SecurityDescriptor );
nNtStatus = ::FltCreateFile( FltObjects->Filter, pShadowInstance, &hFile, Data->Iopb->Parameters.Create.SecurityContext->DesiredAccess, &sObjAttr,
&sIoStatus, &AllocationSize, Data->Iopb->Parameters.Create.FileAttributes, Data->Iopb->Parameters.Create.ShareAccess,
(Options >> 24) & 0x000000FF, (Options & 0x00FFFFFF), Data->Iopb->Parameters.Create.EaBuffer, Data->Iopb->Parameters.Create.EaLength, 0);
if ( NT_SUCCESS( nNtStatus ) )
{
nNtStatus = ::ObReferenceObjectByHandle( hFile, 0, *IoFileObjectType, KernelMode, (PVOID*)&pShadowFileObject, NULL);
::FltClose( hFile );
if ( !NT_SUCCESS( nNtStatus ) )
pShadowFileObject = NULL;
}
}
else
{
pShadowInstance = NULL;
}
}
else
{
pShadowVolume = NULL;
}

If I add the IO_IGNORE_SHARE_ACCESS_CHECK flag, the open succeedes but a later call to WriteFile shows FILE_CLOSED in Process Monitor.

As a note the target file resides in a VHD disk.

Any hint on how to debug deeper and/or the root of the issue?

Regards,
Mauro.

OSR_Community_User · January 11, 2016, 12:28pm

Well I know what is happening.

There is another access to the file. But not sure if I have to change share access permissions to SFO fileobject because, if I close the file on IRP_MJ_CLEANUP, may a latter read/write operations targetting the file appear.

OSR_Community_User · January 12, 2016, 1:17pm

I was able to resolve most of the issue handling better IRP_MJ_CLEANUP.

In IRP_MJ_CLEANUP I call FltClose to close the SFO handle and, on IRP_MJ_CLOSE, I do the file_object dereferencing.

But still have an issue. If I copy an executable and then try to execute it, I still get the sharing violation although I receive the IRP_MJ_CLOSE for the object. May be some reference still maintained by the cache manager?

Regards.