Thanks, Peter.
I must note though that there is not a single mention of ntldr (or any other boot-related module) writing something
in, say, Russinovich/Solomon book “MS Windows Internals” (ch. 5), or anywhere else, for that matter - I did my
share of googling and testing, up to installing a debug version of disk.sys, recompiled from the DDK.
What’s worse, no partition table-related changes happen in my experiments.
What’s even worse, the diffs I get are in $Mft (!), $MftMirr (!) etc. - within volumes.
So the question becomes: where should I put the filter to catch ALL writes directed to volume-allocated space on a disk?
What exactly does the upper filter miss (and why)?
Is a LowerFilter to disk.sys a correct place to be?
[Actually I already tried this one and did not notice any difference, but I’m not 100% sure.]
Regards,
Alex
----- Original Message -----
From: Peter Wieland
To: Windows System Software Devs Interest List
Sent: Wednesday, June 15, 2005 1:36 PM
Subject: RE: [ntdev] Where to write the logic for read manipulation
ntldr does a few writes to the disk.
the disk driver also initiates a few writes on its own (partition table stuff mostly) that you won’t catch if you’re above the disk.
-p
From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com] On Behalf Of xxxxx@Home
Sent: Wednesday, June 15, 2005 10:23 AM
To: Windows System Software Devs Interest List
Subject: Re: [ntdev] Where to write the logic for read manipulation
To continue Amitrajit’s question:
My purpose is to catch ALL writes; I attach my filter as an upper one right above disk.sys and everything seems
to work just fine, except that SOME writes are missed!
I load my filter at boot time and save everything until I get PowerSystemShutdown (I do not get any new
reads/writes after that).
After physically comparing the disk “before” and “after” (“after” minus “before”, kind of) with my logs - there
are actual changes on the disk that did not pass through the filter.
How can this be? In other words, is the following statement true or false: “all writes to the disk are done
through IRP_MJ_WRITE directed to disk.sys”?
It is definitely not true for reads (ntldr and friends do read what they need long before disk.sys comes into play), but what about writes?
Any advice will be appreciated.
Regards,
Alex
----- Original Message -----
From: Peter Wieland
To: Windows System Software Devs Interest List
Sent: Wednesday, June 15, 2005 11:50 AM
Subject: RE: [ntdev] Where to write the logic for read manipulation
a - An IRP_MJ_READ/IRP_MJ_WRITE IRP has the byte offset of the operation in the IO stack location. You’ll need to determine the block size (there’s a disk I/O control you can use for this if you’re above the disk driver, otherwise you need to send a READ_CAPACITY SRB to the device) to compute sector number from byte offset.
b - You can assume all disk I/O is direct I/O. And you’re correct that you can’t modify the data being read until it’s been read, so you’ll need to do your modification in the completion routine. Note that your filter’s completion routine will almost always be called at DISPATCH_LEVEL so your processing can’t require touching paged memory or calling system APIs that do so.
-p
From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com] On Behalf Of Amitrajit Banerjee.
Sent: Tuesday, June 14, 2005 11:11 PM
To: Windows System Software Devs Interest List
Subject: [ntdev] Where to write the logic for read manipulation
Dear ppl,
a. How can I find out the sector number of a disk being read or written to? Something similar to what sysinternals Diskmon does. I am attaching my driver to Disk.sys.
b. If I want to manipulate data fetched from the disk, before they are passed on to the driver above me, how do I do it? IRP_MJ_READ is a request to fetch the data, ultimately, disk.sys gets the data for it and puts it in the MDL (depending on whether it is DIRECT_IO or not).
So is it true that I have to wait till the data is fetched, that is, I have to write my manipulation logic in the Irp completion routine, rather than in the major function?
best Regards,
amitr0
Note:-
- Spelling Mistakes and Grammatical Errors, If Any, Are Regretted.
- Kindly Acknowledge This Mail At The Earliest.
- This E-Mail Might contain Confidential information. If You Are Not Entitled
To View it, Please Delete The Message Immediately And Inform Me.
Thanking You,
Amitrajit Banerjee.
— Questions? First check the Kernel Driver FAQ at http://www.osronline.com/article.cfm?id=256 You are currently subscribed to ntdev as: unknown lmsubst tag argument: ‘’ To unsubscribe send a blank email to %%email.unsub%% —
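An added example, not part of the original thread or any poster's code: it applies the byte-offset-to-sector conversion described in the thread to a filter's write log, then lists the sectors that changed in an offline before/after comparison without a matching logged write. All names (`logged_write`, `extent_to_sectors`, `uncovered_sectors`) are hypothetical, the sample data is constructed, and 512 bytes per sector is assumed; a real filter would query the block size as described above.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* One logged write: byte offset and length as recorded by the filter (hypothetical log format). */
typedef struct { uint64_t byte_offset; uint32_t length; } logged_write;

/* Convert a byte extent to an inclusive sector range.
   Returns -1 for a zero block size, a zero length, or an extent that overflows. */
static int extent_to_sectors(uint64_t off, uint32_t len, uint32_t bps,
                             uint64_t *first, uint64_t *last)
{
    if (bps == 0 || len == 0 || off > UINT64_MAX - (len - 1)) return -1;
    *first = off / bps;
    *last = (off + len - 1) / bps;  /* an unaligned tail still touches its sector */
    return 0;
}

/* Return how many changed sectors no logged write covers; store up to cap of them in out. */
static size_t uncovered_sectors(const logged_write *log, size_t nlog,
                                const uint64_t *changed, size_t nchanged,
                                uint32_t bps, uint64_t *out, size_t cap)
{
    size_t missed = 0;
    for (size_t i = 0; i < nchanged; i++) {
        int covered = 0;
        for (size_t j = 0; j < nlog && !covered; j++) {
            uint64_t first, last;
            if (extent_to_sectors(log[j].byte_offset, log[j].length, bps, &first, &last) == 0)
                covered = (changed[i] >= first && changed[i] <= last);
        }
        if (!covered) {
            if (missed < cap) out[missed] = changed[i];
            missed++;
        }
    }
    return missed;
}

/* Constructed sample data: two logged writes and five sectors that differ on disk. */
static const logged_write SAMPLE_LOG[] = { { 32256, 4096 }, { 1048576, 512 } };
static const uint64_t SAMPLE_CHANGED[] = { 63, 70, 71, 2048, 6291456 };

int main(void)
{
    uint64_t missed[8];
    size_t n = uncovered_sectors(SAMPLE_LOG, 2, SAMPLE_CHANGED, 5, 512, missed, 8);
    for (size_t i = 0; i < n && i < 8; i++)
        printf("sector %llu changed without a logged write\n", (unsigned long long)missed[i]);
    return 0;
}
```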