Tears Are Streaming Down My Face (FSContext)

Development Environment: WinXP Pro. IFS Kit 3790.1830
Demo Environment: WinXP Pro. NTFS only for the demo.

I’m trying to get the read buffer data from notepad and winword via a legacy filter based off of either sfilter or filespy.

I’m currently looking at the PostFsFilterPassThrough() function in sfilter to see if I can capture the read buffer stream in some fashion via file system data streams.

I’ve read http://www.osronline.com/article.cfm?article=457 and I know things of interest are the FsContext member and the SectionObjectPointer.

From what I can tell either or both or neither can possibly contain the $DATA portion of the file stream thingy.

In the post passthrough, I'm currently doing this:

    // Only file systems that support per-stream contexts expose the FSRTL header this way
    bStreams = FsRtlSupportsPerStreamContexts(Data->FileObject);
    if (bStreams)
    {
        fHeader = FsRtlGetPerStreamContextPointer(Data->FileObject);
        //fStreamContext = FsRtlLookupPerStreamContext(fHeader, NULL, NULL);
        if (Data->FileObject->SectionObjectPointer != NULL)
        {
            if (Data->FileObject->FsContext != NULL)
                RRF_LOG_PRINT(RRDEBUG_POST_ACQUIRE_FLUSH, ("FsContext is 0x%08X\n", Data->FileObject->FsContext));
            RRF_LOG_PRINT(RRDEBUG_POST_ACQUIRE_FLUSH, ("Section Object Pointer:\n"));
            if (Data->FileObject->SectionObjectPointer->DataSectionObject != NULL)
                RRF_LOG_PRINT(RRDEBUG_POST_ACQUIRE_FLUSH, ("Section Object Pointer DataSectionObject is: 0x%08X\n", Data->FileObject->SectionObjectPointer->DataSectionObject));
            if (Data->FileObject->SectionObjectPointer->SharedCacheMap != NULL)
                RRF_LOG_PRINT(RRDEBUG_POST_ACQUIRE_FLUSH, ("Section Object Pointer SharedCacheMap is: 0x%08X\n", Data->FileObject->SectionObjectPointer->SharedCacheMap));
            if (Data->FileObject->SectionObjectPointer->ImageSectionObject != NULL)
                RRF_LOG_PRINT(RRDEBUG_POST_ACQUIRE_FLUSH, ("Section Object Pointer ImageSectionObject is: 0x%08X\n", Data->FileObject->SectionObjectPointer->ImageSectionObject));
        }
    }

Likewise, in the debugger, I’ve done this:
bp rrfilter!RRPostFsFilterPassThrough+0x13b "dc poi(poi(poi(poi(esp+1c)+c)+14)+8);g"

which is the breakpoint for the ImageSectionObject and dumps out the memory that Data->FileObject->SectionObjectPointer->ImageSectionObject points to.

When opening a notepad .txt file, I got nothing of any value.

Rather than continue to thrash about hoping against hope I'll find my buffer, I thought I'd ask again for additional guidance. Anyone able to help me out here in achieving my goal of looking at the memory-managed buffers?

Thanks.

OK, first you should only be looking at requests which are either non-cached
or paging, check the irp flags for this. Since you do seem to be
implementing an encryption driver there is no need to look at fast IO or
cached IO requests.

Next, the buffer for paging requests can be accessed through the MdlAddress
in the Irp using MmGetSystemAddressForMdlSafe( Irp->MdlAddress). The length
of the IO is retrieved from the irp stack location.

For non-cached requests, but NOT paging, the buffer is grabbed through the
Irp->UserBuffer pointer. Beware when you do this since you are accessing the
user's buffer directly and hence you need to lock it down and probe it before
actually doing anything with it. And do this inside of a try/except.

You should not be ‘looking’ into either the SOP or the FsContext structure
since the former is opaque to outsiders and the latter is filesystem
specific.

Pete

Kernel Drivers
Windows Filesystem and Device Driver Consulting
www.KernelDrivers.com
(303)546-0300

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of xxxxx@hotmail.com
Sent: Tuesday, November 07, 2006 8:14 AM
To: Windows File Systems Devs Interest List
Subject: [ntfsd] Tears Are Streaming Down My Face (FSContext)


Questions? First check the IFS FAQ at
https://www.osronline.com/article.cfm?id=17

You are currently subscribed to ntfsd as: xxxxx@kerneldrivers.com
To unsubscribe send a blank email to xxxxx@lists.osr.com
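Pete's rule for picking the data buffer in a legacy filter's read/write dispatch, written out as an added example that is not part of the thread and not code from sfilter, filespy or KernelDrivers. To keep it compilable and testable outside the WDK, the IRP, the stack location, the MDL and the Mm*/Probe* routines are minimal stand-ins (names prefixed MOCK_ or Mock are constructed for this example); each comment names the real kernel structure or call it represents. The IRP flag values are the real ones from the DDK headers.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Real IRP flag values (ntddk.h / ntifs.h). */
#define IRP_NOCACHE               0x00000001u
#define IRP_PAGING_IO             0x00000010u
#define IRP_SYNCHRONOUS_PAGING_IO 0x00000040u

/* Minimal stand-ins (constructed for this example) for the kernel structures touched. */
typedef struct { void *MappedSystemVa; } MOCK_MDL;                 /* stands in for MDL */
typedef struct { uint32_t Length; int64_t ByteOffset; } MOCK_IO_STACK_LOCATION;
typedef struct {
    uint32_t Flags;                        /* Irp->Flags */
    MOCK_MDL *MdlAddress;                  /* Irp->MdlAddress */
    void *UserBuffer;                      /* Irp->UserBuffer */
    MOCK_IO_STACK_LOCATION CurrentStack;   /* IoGetCurrentIrpStackLocation(Irp)->Parameters.Read/Write */
} MOCK_IRP;

typedef enum { BUF_SKIP_CACHED, BUF_FROM_MDL, BUF_FROM_USER, BUF_ERROR } BUFFER_SOURCE;
typedef struct { BUFFER_SOURCE Source; void *Data; uint32_t Length; } BUFFER_VIEW;

/* Stands in for MmGetSystemAddressForMdlSafe(Mdl, NormalPagePriority); returns NULL
 * when the mapping cannot be made, in which case a real filter fails the IRP. */
static void *MockMmGetSystemAddressForMdlSafe(MOCK_MDL *mdl)
{
    return mdl ? mdl->MappedSystemVa : NULL;
}

/* Stands in for ProbeForRead (write IRP) / ProbeForWrite (read IRP) wrapped in
 * __try/__except. The real calls raise on a bad user address; here a nonzero
 * return plays the role of the exception. The model rejects NULL and misaligned. */
static int MockProbeUserBuffer(const void *addr, uint32_t len, uint32_t align)
{
    if (len == 0) return 0;
    if (addr == NULL) return 1;
    if (((uintptr_t)addr % align) != 0) return 1;
    return 0;
}

/* Pete's rule, applied in a filter's read/write dispatch:
 *   paging IO      -> data is described by the MDL; map it with MmGetSystemAddressForMdlSafe
 *   non-cached IO  -> data is at Irp->UserBuffer; probe (and lock) it before touching it
 *   cached IO      -> leave it alone; the cache manager issues paging IO for it later
 * The transfer length always comes from the IRP stack location, never from the buffer. */
BUFFER_VIEW SelectIoBuffer(const MOCK_IRP *irp)
{
    BUFFER_VIEW v = { BUF_ERROR, NULL, irp->CurrentStack.Length };

    if (irp->Flags & (IRP_PAGING_IO | IRP_SYNCHRONOUS_PAGING_IO)) {
        v.Data = MockMmGetSystemAddressForMdlSafe(irp->MdlAddress);
        v.Source = (v.Data != NULL) ? BUF_FROM_MDL : BUF_ERROR;
        return v;
    }
    if (irp->Flags & IRP_NOCACHE) {
        if (MockProbeUserBuffer(irp->UserBuffer, v.Length, sizeof(uint8_t)) != 0) {
            v.Source = BUF_ERROR;             /* the __except block would land here */
            return v;
        }
        v.Data = irp->UserBuffer;
        v.Source = BUF_FROM_USER;
        return v;
    }
    v.Source = BUF_SKIP_CACHED;               /* cached request: nothing to encrypt here */
    v.Length = 0;
    return v;
}

int main(void)
{
    static char page[4096];                   /* constructed: backing store of a paging read */
    static char userbuf[512];                 /* constructed: a non-cached caller's buffer */
    MOCK_MDL mdl = { page };
    MOCK_IRP paging = { IRP_PAGING_IO, &mdl, NULL, { 4096, 0 } };
    MOCK_IRP nocache = { IRP_NOCACHE, NULL, userbuf, { 512, 0 } };
    MOCK_IRP cached = { 0, NULL, userbuf, { 512, 0 } };
    const char *names[] = { "skip (cached)", "MDL", "UserBuffer", "error" };
    BUFFER_VIEW a = SelectIoBuffer(&paging), b = SelectIoBuffer(&nocache), c = SelectIoBuffer(&cached);
    printf("paging:  %s, %u bytes\n", names[a.Source], a.Length);
    printf("nocache: %s, %u bytes\n", names[b.Source], b.Length);
    printf("cached:  %s\n", names[c.Source]);
    return 0;
}
```

The point the model makes concrete is the one the original filter code missed: the flags on the IRP decide where the bytes live, and for a Notepad or WinWord read the interesting bytes show up in the paging IO that the cache manager issues, not in the cached request the application sent.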

This will work for WinWord, Notepad, etc?
in the DispatchWrite and DispatchRead functions?

You are correct. I’m writing an encryption filter.

Thanks.

Yes, this is how it is done.

Pete

Kernel Drivers
Windows Filesystem and Device Driver Consulting
www.KernelDrivers.com
(303)546-0300

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of xxxxx@hotmail.com
Sent: Tuesday, November 07, 2006 11:04 AM
To: Windows File Systems Devs Interest List
Subject: RE:[ntfsd] Tears Are Streaming Down My Face (FSContext)


Would you mind looking at my other thread where I post my write dispatch function? Tony's all angry at me now because he says I'm ignoring the advice. I'm not trying to ignore anything.

I did forget to check for the flags per cached and paging as you suggested, but otherwise, I am trying the best I can.

What am I doing wrong?