Hi guys,
I could advance creating the SFO minifilter. I’m able to navigate thru directories, reparse points and so on but have an issue when opening a file, I get a sharing violation error.
I pass the original request parameters to the FltCreateFile call. usVolName is the volume name where redirected file exists to retrieve its volume and instance objects.
nNtStatus = ::FltGetVolumeFromName( FltObjects->Filter, &usVolName, &pShadowVolume );
if ( NT_SUCCESS( nNtStatus ) )
{
nNtStatus = ::FltGetVolumeInstanceFromName( FltObjects->Filter, pShadowVolume, NULL, &pShadowInstance );
if ( NT_SUCCESS( nNtStatus ) )
{
HANDLE hFile;
InitializeObjectAttributes( &sObjAttr, pRedirectedFileName, OBJ_KERNEL_HANDLE | OBJ_CASE_INSENSITIVE , NULL,
Data->Iopb->Parameters.Create.SecurityContext->AccessState->SecurityDescriptor );
nNtStatus = ::FltCreateFile( FltObjects->Filter, pShadowInstance, &hFile, Data->Iopb->Parameters.Create.SecurityContext->DesiredAccess, &sObjAttr,
&sIoStatus, &AllocationSize, Data->Iopb->Parameters.Create.FileAttributes, Data->Iopb->Parameters.Create.ShareAccess,
(Options >> 24) & 0x000000FF, (Options & 0x00FFFFFF), Data->Iopb->Parameters.Create.EaBuffer, Data->Iopb->Parameters.Create.EaLength, 0);
if ( NT_SUCCESS( nNtStatus ) )
{
nNtStatus = ::ObReferenceObjectByHandle( hFile, 0, *IoFileObjectType, KernelMode, (PVOID*)&pShadowFileObject, NULL);
::FltClose( hFile );
if ( !NT_SUCCESS( nNtStatus ) )
pShadowFileObject = NULL;
}
}
else
{
pShadowInstance = NULL;
}
}
else
{
pShadowVolume = NULL;
}
If I add the IO_IGNORE_SHARE_ACCESS_CHECK flag, the open succeedes but a later call to WriteFile shows FILE_CLOSED in Process Monitor.
As a note the target file resides in a VHD disk.
Any hint on how to debug deeper and/or the root of the issue?
Regards,
Mauro.